Linux: Using CNTLM to authenticate to a proxy server
In a datacentre, direct web access to the Internet is often blocked for security reasons and everything has to go through an authenticating proxy. CNTLM is a small local proxy that performs the NTLM handshake on behalf of clients that cannot speak NTLM themselves, so those clients see an ordinary, unauthenticated HTTP proxy on localhost. A typical scenario is a Linux server that needs Internet access when the only route out is something like an old Microsoft ISA or Forefront TMG server. There are still plenty of these relics about.
All variants of CNTLM can be downloaded from cntlm.sourceforge.net. The version for CentOS is a standard rpm package.
Installation on CentOS
Since, in this scenario, the Linux server has no Internet access and you therefore cannot use yum, copy the rpm to the server (with scp or similar) and install it like any other rpm package. For the version 0.92.3 package the command line is:
rpm -i cntlm-0.92.3-1.x86_64.rpm
You will need root rights to install the package; it can be done over an SSH session (PuTTY or similar) if required.
After CNTLM has been installed, edit the configuration file /etc/cntlm.conf. The first thing to do is set the Username and Domain lines to a user account and domain specific to your network.
This should be a normal user account with rights to access the Internet via the chosen proxy server. Unless the proxy server uses plain-text authentication (unlikely and inadvisable), remove the Password line entirely: the password is replaced by a hash in the next step, and a clear-text password must not remain in a config file on disk. You can also change the listener port (default 3128) on the Listen line. By default CNTLM binds only to the loopback address; do not enable Gateway mode unless you intend other hosts to borrow this account's credentials.
Then set the Proxy line to the address and port of the proxy server used on your network, for example 172.16.75.7 and 8081 (Proxy 172.16.75.7:8081).
Now the NTLMv2 password hash can be generated. At the command line, type
cntlm -H -c /etc/cntlm.conf
You will be prompted for the password of the account specified in /etc/cntlm.conf. cntlm then prints PassLM, PassNT and PassNTLMv2 lines; copy only the PassNTLMv2 line into cntlm.conf. If you are using an ISA or Forefront TMG server, you will need the NTLMv2 hash; the LM and NT hashes are weaker and should not be kept in the file. The NTLMv2 hash is derived from the username, domain and password together, so it must be regenerated if any of the three changes. It is also password-equivalent for the proxy, so keep /etc/cntlm.conf owned by root with mode 0600. The relevant line in cntlm.conf is the PassNTLMv2 line followed by the 32-character hexadecimal hash.
That concludes the changes to cntlm.conf; save it and exit.
You can start CNTLM with the following command:
cntlm -c /etc/cntlm.conf
This command can also be added to /etc/rc.d/rc.local so that CNTLM starts at boot (or, if the package installed an init script in /etc/init.d, use chkconfig cntlm on and service cntlm start instead).
Using CNTLM with YUM
Now that you can reach the Internet via your proxy server, all that is needed is a proxy= entry for the CNTLM listener in the [main] section of /etc/yum.conf. Remove any proxy_username and proxy_password entries: yum no longer needs credentials of its own, because CNTLM supplies the ones in /etc/cntlm.conf. If you used the default CNTLM port, the line in /etc/yum.conf should read proxy=http://127.0.0.1:3128.
YUM can then connect to the Internet via the proxy server, with CNTLM authenticating on its behalf using the credentials in the CNTLM file.
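The cntlm.conf and yum.conf changes described above, collected into one script as an added example (this is not code from the original article or from the CNTLM project). It writes a cntlm.conf that carries only the NTLMv2 hash, verifies that no plain Password line survived, locks the file to mode 0600, and rewrites yum.conf so that yum points at the local CNTLM listener with its own proxy_username/proxy_password lines removed. The account name, domain, hash value and file paths are placeholders; the proxy address and ports are the ones used in the article.

```shell
#!/bin/sh
# Added example, not from the original article or the CNTLM project.
# Account name, domain, hash and paths below are placeholders.

# Render a minimal cntlm.conf.
# Arguments: user domain proxy(host:port) listen_port ntlmv2_hash
render_cntlm_conf() {
    printf 'Username\t%s\n' "$1"
    printf 'Domain\t%s\n' "$2"
    printf 'Proxy\t%s\n' "$3"
    # Internal destinations never need the upstream proxy.
    printf 'NoProxy\tlocalhost, 127.0.0.*, 10.*, 192.168.*\n'
    # Gateway is left unset (default off), so only local processes can use
    # the listener: anyone who can reach it borrows this account's credentials.
    printf 'Listen\t%s\n' "$4"
    printf 'Auth\tNTLMv2\n'
    # Only the NTLMv2 hash is kept; no Password, PassLM or PassNT line.
    printf 'PassNTLMv2\t%s\n' "$5"
}

# Write the rendered config with owner-only permissions. The hash is
# password-equivalent for the proxy, so the file is treated like a password file.
install_cntlm_conf() {
    path=$1; shift
    render_cntlm_conf "$@" > "$path"
    chmod 600 "$path"
}

# True (exit 0) if a plain-text Password line is still present.
conf_has_plain_password() {
    grep -q '^[[:space:]]*Password[[:space:]]' "$1"
}

# Number of PassNTLMv2 lines in the config (exactly one is expected).
count_ntlmv2_lines() {
    grep -c '^[[:space:]]*PassNTLMv2[[:space:]]' "$1"
}

# Ask cntlm itself for the NTLMv2 hash of the account named in the config
# (it prompts for the password on the terminal). Only the hash is returned;
# the weaker PassLM/PassNT values that cntlm also prints are discarded.
ntlmv2_hash_from_cntlm() {
    cntlm -H -c "$1" | awk '$1 == "PassNTLMv2" { print $2 }'
}

# Rewrite yum.conf: drop any existing proxy, proxy_username and
# proxy_password lines and insert proxy= directly under [main], so yum
# goes through CNTLM and never carries credentials of its own.
set_yum_proxy() {
    conf=$1; port=$2
    tmp=$(mktemp)
    awk -v p="$port" '
        /^(proxy|proxy_username|proxy_password)[[:space:]]*=/ { next }
        { print }
        /^\[main\]/ { print "proxy=http://127.0.0.1:" p }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# The proxy URL yum will use, read back from yum.conf.
yum_proxy_of() {
    sed -n 's/^proxy[[:space:]]*=[[:space:]]*//p' "$1"
}

# Example run against scratch copies (hash value is a placeholder; on the
# real server obtain it with: ntlmv2_hash_from_cntlm /etc/cntlm.conf).
demo() {
    d=$(mktemp -d)
    install_cntlm_conf "$d/cntlm.conf" jsmith CORP 172.16.75.7:8081 3128 \
        0123456789ABCDEF0123456789ABCDEF
    printf '[main]\nproxy_username=jsmith\nproxy_password=secret\ngpgcheck=1\n' \
        > "$d/yum.conf"
    set_yum_proxy "$d/yum.conf" 3128
    cat "$d/cntlm.conf" "$d/yum.conf"
    rm -rf "$d"
}
```

After starting cntlm, a quick end-to-end check from the same host is `curl -I -x http://127.0.0.1:3128 http://example.com/`: a 200 or 30x response means the NTLM handshake with the upstream proxy succeeded; a 407 means the hash, username or domain in cntlm.conf does not match what the proxy expects.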
Using CNTLM with the operating system
In System > Preferences > Network Proxy, you can add an entry for CNTLM (host 127.0.0.1, port 3128 if you kept the default):
Desktop applications that honour the GNOME proxy setting will then reach the Internet through CNTLM, which authenticates to the upstream proxy for them. Command-line tools such as curl and wget do not read that setting; point them at CNTLM with the http_proxy and https_proxy environment variables, and yum uses the proxy= line in /etc/yum.conf described above.