Using Debian behind a Windows proxy

Suppose you are running a Debian system in a (corporate) Windows environment where internet access is restricted by a web proxy. In many cases the proxy will be configured to use Microsoft’s Active Directory for user authentication as well as the rest of the environment. If you don’t want to integrate your Debian system completely into the Active Directory structure but only need internet access, you have to tell the proxy your Windows/Active Directory user credentials. The following article will show you how this can be done.

For this tutorial, we will assume your web proxy is running on, your username is “yourname” and your domain is “yourdomain”. Your password is the incredibly secure string “password”.

How it does not work

In Debian, you can set the system wide HTTP proxy with the http_proxy environment variable in /etc/environment. So you might try one of these entries in the config file:


Anyway, this won’t work since Debian cannot pass your credentials to the web proxy in this way.

Instead, you need a little helper named cntlm. This is yet another proxy which runs locally on your Debian system and handles the authentication using a protocol called NTLM.

Installing and configuring cntlm

Installing cntlm in Debian is pretty straightforward:

sudo aptitude install cntlm

Now for the setup in /etc/cntlm.conf. Insert your Windows username and domain in the Username and Domain lines, respectively. Then insert the IP (or server name) and port number of your proxy in a Proxy line. You can delete the remaining example Proxy lines.

Now, since you certainly don’t want to store plain text passwords in your config file, delete the Password line and create a password hash instead with the following command:

sudo cntlm -a NTLMv2 -H

This will prompt you for your Windows/Active Directory account password and print some password hashes. Copy these into /etc/cntlm.conf, somewhere near your username and domain (the script command or tmux comes in handy for copying stuff in a pure terminal session).

The rest of Debian’s default configuration is perfectly fine and can be left untouched. Now the relevant parts of your config file will look something like this:

Username    yourname
Domain      yourdomain
PassLM      4EA13780FA2739CBF9A3DB36E1842750
PassNT      50A6273195483DB741C61748AD59B302
PassNTLMv2  E9367A4B710F74B92C00684F7D38ACDE

Using cntlm

If you didn’t change this part of the default configuration cntlm is now listening on port 3128. You can set cntlm as the sytem wide HTTP proxy by adding the following line to /etc/environment:


Many applications have their own proxy settings though; some of them even ignore the system wide http_proxy. For instance, sudo resets most environment variables including http_proxy (to keep it, use sudo -E). So you have to check the documentation of the programs you need concerning their proxy settings. For example, to use the cntlm proxy in aptitude/apt add the following line to /etc/apt/apt.conf:

Acquire::http::Proxy "http://localhost:3128/";

If some program does not respect the system wide HTTP proxy and has no proxy settings of its own, you can still route it through the cntlm proxy using a tool like proxychains: Install the proxychains package and put the following line into ~/.proxychains (maybe you would like to have a look at some additional configuration options in /etc/proxychains as well):

http localhost 3128

Then instead of invoking the program directly you prepend a call to proxychains:

proxychains programname [arguments]

For some further reading on cntlm you might like an article by Yorkim Parmentier.