Tunnel through ISA proxy
Geeks often need to access their *nix computers from work. Doesn’t everyone want to do that? True geeks control their computers strictly using the command-line, of course, and the tool that is used to control a remote command-line session is ssh.
What one usually does is use a tool like corkscrew to send ssh traffic through an HTTP proxy.
At one place of employment, the well-known corkscrew trick of tunnelling out through the work proxy failed with this message:
Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
I tried all combinations of DOMAIN\USERNAME:PASSWORD in my corkscrew auth file but nothing worked.
If you see this message have no fear! What you need is a utility that can negotiate NTLM authorization with the proxy.
There are several open source tools that can do NTLM; of these I chose cntlm. ntlmaps is often recommended as a utility to negotiate the authorization, but the cntlm man page indicates that cntlm is far more efficient than ntlmaps, both in terms of memory and CPU usage.
One oddity of cntlm compared with other software you may have worked with is that configuration is a two-step procedure. First, you configure the software with a default config file like the one below; the settings that need filling in at this stage are in the first block: Username, Domain, Password, and Proxy (host and port):
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username        __username__
Domain          __domain__
Password        __password__            # Use hashes instead (-H)
#Workstation    netbios_hostname        # Should be auto-guessed

Proxy           __PROXY__:__PROXY_PORT__

#
# This is the port number where Cntlm will listen
#
Listen          3128

#
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option, SOCKS5. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy    8010
#SOCKS5User     dave:password

#
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
#
Auth            LM
#Flags          0x06820000

#
# Enable to allow access from other computers
#
#Gateway        yes

#
# Useful in Gateway mode to allow/restrict certain IPs
#
#Allow          127.0.0.1
#Deny           0/0

#
# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/

#
# Headers which should be replaced if present in the request
#
#Header         User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

#
# Tunnels mapping local port to a machine behind the proxy
#
Tunnel          11443:__OUTSIDE_HOST.COM__:443
Then, run
cntlm -v -M http://google.com

(http://google.com can be any other external site.)
Cntlm will use this to assess the type of auth your proxy can handle. In my case I got back something like the following output:
Config profile  1/11... OK (HTTP code: 301)
----------------------------[ Profile  0 ]------
Auth            NTLMv2
PassNTLMv2      AE1234567890123234567890123456C4
------------------------------------------------
For the second configuration step, paste these two lines back into your configuration file in place of the line that said “Auth LM” (you must do this with the output from your own setup; you can’t reuse my lines).
Then, startup the cntlm daemon:
cntlm
Let’s test whether it works. Note that the config file above defines a tunnel (its last line). So, to ssh to port 443 of host __outside_host.com__, which is outside the proxy, you can run:
ssh -p 11443 localhost
The above assumes that outside_host.com has an sshd listening on port 443.
Cntlm also works fine under Windows. If you don’t have “administrator” authorisation under Windows, you can still run the cntlm executable, but you need to specify which cntlm.ini file to use, for example:
cntlm.exe -c cntlm.ini
Of course, if you’re running on Windows you won’t have an ssh command-line client, but PuTTY can be used nicely for this purpose. Bear in mind that PuTTY needs to be configured (for the default cntlm configuration above) to use an HTTP proxy on host “localhost” listening on port 3128.