How to configure for an Authenticating Proxy Server

Question

My work proxy server requires authentication with the Microsoft AD domain user credentials. Everybody knows how it works: If you log in on a Windows workstation, your "Internet Explorer" browser based internet access requests are automatically authenticated (and identified) using your domain login credentials.

I found that Firefox can also authenticate against these proxy servers and long assumed that they "do something special". Recently a colleague installed Linux Mint in a VM and to my surprise he was busy getting updates from the internet. When I asked how he got it wo work he shrugged and said "It just worked"

This prompted me to re-look at the proxy settings. I run Kubuntu (with a mix of G* and K* applications, but I only use the GTK applications when I'm convinced that they are much better than anything K*)

I do still have a copy of Windows guest running in a VirtualBox VM, mainly for Printing and for accessing internal/corporate web sites (Which both requires authentication and identification via MS domain credentials) as well as for changing my domain password every so many days.

So it would be very helpful if I could get [some/most/all] of my Linux applications to work via the proxy server. My most urgent needs are for Akregator and Muon to be able to work. Other applications that may benefit are some apps that auto-update (Eg Virtual Box Extentions) or wrap themselves around a browser (Get More Themes/Wall Papers/etc comes to mind, and the occasional use of wget)

SSH/SCP clients manage to work via the firewall without authentication.

What is the right way (tool and/or procedure) to configure this, ideally in a single location because having to maintain my password in multiple locations is a recipe for getting locked out of my account :-/

Oh, and it would be a dream come true if I could have the equivalent to the Firefox "Quick Proxy" proxy disable/enable utility, eg one click to enable or disable the use of proxy, without heaving to log out and back in, depending on what network I'm on. Actually thinking about it, a utility should be trainable to look at your IP address and know when you need to use the proxy! But I digress.

I imagine running a local proxy server which can dynamically add the authentication and forward to an upstream proxy server when needed may be the only real solution.

Answer 1

cntlm provides a solution, along with some configuration.

The basic steps to follow are:

1. Install cntlm.
2. Edit its configuration file at /etc/cntlm.conf, the comments included makes it easy enough.
3. Add a proxy server (or two).
4. Specify your user name and NT domain name in the appropriate places, and remove the password entry.

5. Start the cntlm service, eg via

   $ sudo /etc/init.d/cntlm start
   

6. cntlm provides a way to test the proxy and generate a hash from your password - eg by the command (as root)

   $ cntlm -I -M http://www.test.com
   

7. cntlm will prompt for your domain password. Then it will test different authentication mechanisms against the configured proxy server. When a working method is found, it prints two lines which needs to go into its configuration file.

8. Stop the cntlm server and add the lines obtained in step 6 above to /etc/cntlm.conf.
9. Restart cntlm

Now cntlm is running and ready to be used. A number of places can be used to configure various programs to use it. cntlm will then transparently add NT domain authentication tokens to outgoing packets and forward them on to the configured proxy server.

Using Qt/KDE

For Qt / KDE native applications, specify "Use manually configured proxy server" in the KDE System Settings -> Network Settings -> Proxy settings. The proxy is specified as http://localhost with the port 3128 (The default for cntlm unless you changed it). These applications are updated dynamically with new settings and no restart or logout/login is required to update the settings.

Dropbox & Google clients

Many applications can use shell environment variables. Noteworthy here are the Dropbox and Google Earth clients. For these applications use shell environment variables like these:

no_proxy=localhost,127.0.0.0/8,*.local
NO_PROXY=localhost,127.0.0.0/8,*.local
all_proxy=socks://localhost:3128/
ALL_PROXY=socks://localhost:3128
http_proxy=http://localhost:3128
HTTP_PROXY=http://localhost:3128
ftp_proxy=http://localhost:3128
FTP_PROXY=http://localhost:3128
https_proxy=http://localhost:3128
HTTPS_PROXY=http://localhost:3128

s3cmd, curl, & wget

Note: Some applications will use only the lower-case names, others only the upper-case names, some will first try the one, then the other.

s3cmd (The Amazon S3 client), curl and wget can additionally be configured via their own configuration files if desired. This is handy because they read their own config files on every invocation. Since these programs are typically short-lived (A single invocation exists after it completes a download) that is very useful.

The format for s3cmd in ~/.s3cfg is:

proxy_host = localhost
proxy_port = 3128

The format for wget in ~/.wgetrc is:

https_proxy = http://localhost:3128
http_proxy = http://localhost:3128
ftp_proxy = http://localhost:3128

The format for curl in ~/.curlrc is:

proxy = localhost:3128

On the other hand editing shell profile or other environment configuration files typically require a restart, log out-and-back-in, or similar. It is worth investigating /etc/environment, ~/.pam_environment, ~/.kde/env/proxy.sh etc as these are standard places to set proxy settings configured via shell environment variables, particularly to affect all users and services on the system.

I also understand that it is possible to change environment settings on a per-application basis using their respective .desktop files but have not tried it (successfully) yet.

VirtualBox

VirtualBox can be configured to use a proxy (for example to check for and to download software updates) using its GUI or using the command:

$ VBoxManage setextradata global GUI/ProxySettings \
    "proxyEnabled,localhost,3128,authDisabled,,"

For completeness' sake, to disable it use:

$ VBoxManage setextradata global GUI/ProxySettings \    
    "proxyDisabled,,,authDisabled,,"

Firefox

For Firefox I use the QuickProxy addon. Firefox itself if configured manually to use the proxy server on the local machine, so QuickProxy merely enable/disable the setting.

APT

APT (used in the background by synaptic, muon and friends) uses a configuration file in /etc/apt/apt.conf.d/, eg 00proxy Enabling the proxy for APT is done using lines like:

Acquire::http::Proxy "http://localhost:3128";
#Acquire::ftp::proxy "ftp://localhost:3128/";
#Acquire::https::proxy "https://localhost:3128/";

Note: add-apt-repository uses the root profile, or you may configure sudo to allow all the http*_proxy settings to fall through.

A script to rule them all

FWIW I am right now in the process of writing a modular script to enable/disable proxy for numerous programs. I have so far written the following modules:

$ ls -lF proxymanager/modules/
total 60
-rwxr-xr-x 1 root root  919 Oct  8 17:27 apt*
-rwxr-xr-x 1 root root 1037 Oct  8 13:10 bashrc*
-rwxr-xr-x 1 root root  391 Oct  8 12:18 cntlm*
-rwxr-xr-x 1 root root  684 Oct  8 12:58 curl*
-rwxr-xr-x 1 root root  609 Oct  8 13:02 dropbox*
-rwxr-xr-x 1 root root  672 Oct  8 12:18 gnome*
-rwxr-xr-x 1 root root  691 Oct  8 12:18 kde*
-rwxr-xr-x 1 root root  689 Oct  8 13:03 root_bashrc*
-rwxr-xr-x 1 root root  691 Oct  8 13:03 root_curl*
-rwxr-xr-x 1 root root  827 Oct  8 13:03 s3cmd*
-rwxr-xr-x 1 root root  454 Oct  8 13:03 survive_reboot*
-rwxr-xr-x 1 root root  860 Oct  8 13:06 suse-sysproxy*
-rwxr-xr-x 1 root root  653 Oct  8 12:46 sysenvironment*
-rwxr-xr-x 1 root root  465 Oct  8 13:04 virtualbox*
-rwxr-xr-x 1 root root  573 Oct  8 13:04 wgetrc*

As well as a control application. These will hopefully soon be moved into a github or other online home.

Answer 2

From my Linux workstation, the only application that can access the internet are a) Firefox (using its own proxy configuration and authentication stored in Firefox), as well as applications running in a Windows VM (Note - the windows VM is a domain member and the user authenticates against the domain when logging in)

Solution option: Run a web proxy on your windows VM. Setup your system to use that instance as your proxy.

Since your Windows VM is already authenticated and traffic is allowed through it, setting up a SOCKS proxy on that VM instance will centralized your authentication needs. If it is just for you and your boxes, this should be fine and is probably fairly straightforward.

Piggybacking on this idea is to get an SSHD daemon running on the Windows VM so you can do things like SSH SOCKS tunnels from your other boxes through the VM:

ssh -D 1080 windows-user@windows-vm

For those apps that may have problems or where you don't want to reconfigure the apps, you can make use of sshtunnel, which will setup iptables rules to route traffic. Works for Linux and Mac systems.

If you need to avoid installing a proxy on the Windows VM itself, you can setup a Squid proxy box configured to authenticate itself against the windows AD. A guide on doing that located here:

Solution option: Squid Proxy Authenticated via AD/NTLM

http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/ (dead link)

Another NTLM proxy solution, though I think this one actually runs on a Windows machine:

Solution option: NTLM proxy http://cntlm.sourceforge.net/

Answer 3

Proxy authentication with ntlm is explained well in the below links.

• For Ubuntu 14.04: Configure proxy in Ubuntu 14.04
• For Lubuntu: Setup proxy with authentication in Lubuntu/ubuntu

But the problem with ntlm is you have to update the cntlm configuration file many times a day. Consider a situation where different users share a common machine and they have to update their AD password in the cntlm config file each time they login to the system. Perhaps there's a method available to automatically update the cntlm configuration file whenever a user is logged in.