Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

NTLM proxy without password?

I work on a corporate windows network (which I log in to) with a HTTP proxy. When I use Internet Explorer it magically uses the proxy without me needing to type in my password. Certain other programs seem to manage this too, like JavaWebStart has a "use browser settings" option.

However when I use scripts/programs like curl or wget to fetch stuff from http, or do it within my Java code I seem to need to have my password stored somewhere, which obviously isn't best for security.

How can I get the password-less access that internet explorer has in a programmatic way?

I'm arguing this is a stack overflow question because I'm a programmer and I need my programs/scripts to work without typing in the password, though I can see that others might think it belongs on Server Fault/Superuser.

I know about settings like --proxy-ntlm in curl, but this still requires an ntlm username and password.

like image 426
Nick Fortescue Avatar asked Aug 14 '09 09:08

Nick Fortescue


People also ask

What is a NTLM proxy?

What is NTLM? NT LAN Manager known as NTLM is a Microsoft proprietary Authentication Protocol used in Windows for authenticating between clients and servers. With this new feature, UXI sensors can now access a web server URL via a proxy that requires NTLM authentication.

What is an NTLM ID?

The NTLM identity is the domain\username with which users log on to their Windows PC; for example, MYDOMAIN\jsmith. NTLM credentials. NTLM credentials include the NTLM identity (as defined above), the PC's identity, and a non-reversible encryption of the user's password.


2 Answers

In the absence of an answer from someone else here is what I have discovered, I hope it is useful for someone else.

Executive Summary:

  1. Download SSPI enabled curl from http://curl.haxx.se/latest.cgi?curl=win32-ssl changing to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5).
  2. Install Windows Open-SSL from http://www.slproweb.com/products/Win32OpenSSL.html and make a donation to support his bandwidth cost.
  3. Install the Visual C++ 2008 redistributables if you need them.
  4. Use curl to fetch the page: curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com

More detailed explanation

The magic phrase for authentication using the Windows login mechanism is SSPI. This gives a good google search phrase. I still haven't found a good way of using SSPI for HTTP proxy authentication in java or wget though.

However, curl (the download tool) does support SSPI but only in certain builds. Unfortunately the default cygwin build is not one of them. You can find out if your build of curl supports SSPI by getting the verbose version information:

curl -v -V 

If SSPI is supported it will be mentioned in the features line.

To get a windows version that supported SSPI I had to go to http://curl.haxx.se/latest.cgi?curl=win32-ssl and then change the download choice to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5). By the time you read this the version number may have changed.

This then silently failed from the command line. When I ran from windows explorer I got a message about a missing libeay32.dll. One way of getting this from windows is from the only link at openssl.org to a windows version. The producer of this requests a donation to cover bandwidth costs. Another way would be to build your own from source.

And after all that curl worked with the following command line:

curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com 

The -U : configures no password, the other commandline options set up the proxy. You'll probably have to change your proxy and port settings.

This would all be much easier if only cygwin's curl release supported SSPI. I'm going to go put in a request for that now.

like image 105
Nick Fortescue Avatar answered Sep 21 '22 15:09

Nick Fortescue


Please note my edit contains an inaccurate assumption about -U and -u. I have submitted a correction, but in the interim note:

curl -U = Authentication to a proxy curl -u = Authentication to a server 

Therefore, the first command should be:

curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com 

and the second one, in the example for transparent NTLM:

curl -v -u : --ntlm [the redirection URL from Location: header]   

Sorry about that!

like image 41
macartm Avatar answered Sep 23 '22 15:09

macartm