Using Debian behind a Windows proxy
Suppose you are running a Debian system in a (corporate) Windows environment where internet access is restricted by a web proxy. In many cases the proxy will be configured to use Microsoft’s Active Directory for user authentication as well as the rest of the environment. If you don’t want to integrate your Debian system completely into the Active Directory structure but only need internet access, you have to tell the proxy your Windows/Active Directory user credentials. The following article will show you how this can be done.
For this tutorial, we will assume your web proxy is running on 10.10.10.10:8888, your username is “yourname” and your domain is “yourdomain”. Your password is the incredibly secure string “password”.
How it does not work
In Debian, you can set the system wide HTTP proxy with the http_proxy environment variable in /etc/environment. So you might try one of these entries in the config file:
http_proxy="http://10.10.10.10:8888";
http_proxy="http://yourname@10.10.10.10:8888";
http_proxy="http://yourname:password@10.10.10.10:8888";
http_proxy="http://yourdomain\yourname:password@10.10.10.10:8888";
http_proxy="http://yourdomain\\yourname:password@10.10.10.10:8888";
http_proxy="http://yourdomain%5Cyourname:password@10.10.10.10:8888";
http_proxy="http://yourname@yourdomain:password@10.10.10.10:8888";
http_proxy="http://yourname%40yourdomain:password@10.10.10.10:8888";
...
None of these will work, since Debian cannot pass your credentials to the web proxy in this way.
Instead, you need a little helper named cntlm. This is yet another proxy which runs locally on your Debian system and handles the authentication using a protocol called NTLM.
Installing and configuring cntlm
Installing cntlm in Debian is pretty straightforward:
sudo aptitude install cntlm
Now for the setup in /etc/cntlm.conf. Insert your Windows username and domain in the Username and Domain lines, respectively. Then insert the IP (or server name) and port number of your proxy in a Proxy line. You can delete the remaining example Proxy lines.
Now, since you certainly don’t want to store plain text passwords in your config file, delete the Password line and create a password hash instead with the following command:
sudo cntlm -a NTLMv2 -H
This will prompt you for your Windows/Active Directory account password and print some password hashes. Copy these into /etc/cntlm.conf, somewhere near your username and domain (the script command or tmux comes in handy for copying stuff in a pure terminal session).
The rest of Debian’s default configuration is perfectly fine and can be left untouched. Now the relevant parts of your config file will look something like this:
Username yourname
Domain yourdomain
PassLM 4EA13780FA2739CBF9A3DB36E1842750
PassNT 50A6273195483DB741C61748AD59B302
PassNTLMv2 E9367A4B710F74B92C00684F7D38ACDE
Proxy 10.10.10.10:8888
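A small checker for the finished config, as an added example (this is not part of the original article and not cntlm's own tooling). It parses a cntlm.conf body with a simplified parser, flags the things the steps above tell you to fix (a leftover plain-text Password line, hash lines that are not 32 hex digits, missing Username/Domain/Proxy, leftover example Proxy lines) and, because the PassNT/PassNTLMv2 hashes let cntlm authenticate just like the password would, it also flags a world-readable file. The GOOD_CONF text is the article's sample; BAD_CONF and the permission check are constructed for the example:

```python
"""Audit a cntlm.conf against the setup steps in this article (added example)."""
import os
import re
import stat

# The article's finished config, plus Debian's default Listen line.
# The hash values are the page's sample values, not real credentials.
GOOD_CONF = """\
Username yourname
Domain yourdomain
PassLM 4EA13780FA2739CBF9A3DB36E1842750
PassNT 50A6273195483DB741C61748AD59B302
PassNTLMv2 E9367A4B710F74B92C00684F7D38ACDE
Proxy 10.10.10.10:8888
Listen 3128
"""

# Constructed "before" config: plain-text password still present and the
# example Proxy lines from the packaged file not removed.
BAD_CONF = """\
Username yourname
Domain yourdomain
# the line the article tells you to delete:
Password password
Proxy 10.10.10.10:8888
# leftover example lines:
Proxy 10.0.0.41:8080
Proxy 10.0.0.42:8080
Listen 3128
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_cntlm_conf(text):
    """Return (key, value) pairs. Simplified: whole-line '#' comments only,
    key and value separated by whitespace; nothing else is interpreted."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def audit_cntlm_conf(text, mode=None):
    """Check a config body (and optionally its st_mode bits) against the
    article's advice. Returns a list of findings; empty means nothing flagged."""
    values = {}
    for key, value in parse_cntlm_conf(text):
        values.setdefault(key, []).append(value)
    findings = []

    # 1. No plain-text password: the output of 'cntlm -a NTLMv2 -H' replaces it.
    if "Password" in values:
        findings.append("Password line present: delete it and use the hashes from 'cntlm -a NTLMv2 -H'")

    # 2. Hash lines must look like the 32 hex digits cntlm -H prints.
    hash_keys = ("PassLM", "PassNT", "PassNTLMv2")
    for key in hash_keys:
        for value in values.get(key, []):
            if not HEX32.match(value):
                findings.append(f"{key} is not a 32-digit hex hash: {value!r}")
    if not any(key in values for key in hash_keys + ("Password",)):
        findings.append("no credential line at all (Password or PassLM/PassNT/PassNTLMv2)")

    # 3. Identity and upstream proxy must be filled in; extra Proxy lines are
    #    treated by cntlm as alternative upstreams, so leftovers are a mistake.
    for key in ("Username", "Domain", "Proxy"):
        if key not in values:
            findings.append(f"missing {key} line")
    proxies = values.get("Proxy", [])
    for value in proxies:
        if not HOSTPORT.match(value):
            findings.append(f"Proxy is not host:port: {value!r}")
    if len(proxies) > 1:
        findings.append(f"{len(proxies)} Proxy lines: remove the leftover example entries")

    # 4. The hashes are password-equivalent for NTLM, so the file must not be
    #    readable by everyone (assumed check, not a Debian packaging rule).
    if mode is not None and mode & stat.S_IROTH:
        findings.append("config file is world-readable; restrict it (e.g. chmod o-r /etc/cntlm.conf)")
    return findings


def audit_cntlm_file(path):
    """Audit a config file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    return audit_cntlm_conf(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for name, conf, mode in (("good", GOOD_CONF, 0o600), ("bad", BAD_CONF, 0o644)):
        print(f"{name}: {audit_cntlm_conf(conf, mode) or ['ok']}")
```

Run it against the real file with audit_cntlm_file("/etc/cntlm.conf") (as root, since the file should not be readable by anyone else). The parser deliberately does not strip trailing comments: a password value containing a # would otherwise be mangled.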
Using cntlm
If you didn’t change this part of the default configuration, cntlm is now listening on port 3128. You can set cntlm as the system wide HTTP proxy by adding the following line to /etc/environment:
http_proxy="http://localhost:3128/";
Many applications have their own proxy settings though; some of them even ignore the system wide http_proxy. For instance, sudo resets most environment variables including http_proxy (to keep it, use sudo -E). So you have to check the documentation of the programs you need concerning their proxy settings.
For example, to use the cntlm proxy in aptitude/apt add the following line to /etc/apt/apt.conf:
Acquire::http::Proxy "http://localhost:3128/";
If some program does not respect the system wide HTTP proxy and has no proxy settings of its own, you can still route it through the cntlm proxy using a tool like proxychains: install the proxychains package and put the following line into ~/.proxychains (maybe you would like to have a look at some additional configuration options in /etc/proxychains as well):
http localhost 3128
Then instead of invoking the program directly you prepend a call to proxychains:
proxychains programname [arguments]
For some further reading on cntlm you might like an article by Yorkim Parmentier.