Total Pageviews

Sunday, 7 February 2016

代理服务器的认证工具- Cntlm

问题:
公司网络使用了域账号管理机制,上网必须配指定的机器名和域名,最头痛的是还需要密码,访问网站经常弹出输入用户名密码的窗口,很多软件都不能自动升级。
解决办法:
是使用 Cntlm Authentication Procxy进行代理的转换,把公司的代理转成本地的标准代理。这样虚拟机内部的系统也就可以上网了^_^。而且使用了cntlm以后,公司的限制就没有了.

About Cntlm proxy

Cntlm (user-friendly wiki / technical manual) is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can't hide. Once you're behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you're done with. The same even applies to 3rd party Windows applications, which don't support NTLM natively.
Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several "parent" proxies and Cntlm will try one after another until one works. All auth'd connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you're ready to do. This is useful on Windows, but essential for non-Microsoft OS's.
Cntlm integrates TCP/IP port forwarding (HTTP tunneling), SOCKS5 proxy mode, standalone proxy allowing you to browse intranet as well as Internet and to access corporate web servers with NTLM protection. There are many advanced features like NTLMv2 support, password protection, password hashing, completely mutliplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it's written in plain C without any external dependencies.
Cntlm has been tested against various ISA servers, WinGate, NetCache, Squid and Tinyproxy with and without NTLM auth.
Memory management audits and profiling are inherent part of the development process. Each change in the code is audited using Valgrind, which acts as a virtual CPU and checks behaviour of each instruction of the application being profiled. Using this marvelous tool, you can uncloak any imbalance in malloc/free calls (double free's or leaks), operations with uninitialized memory, access outside of properly allocated memory and oh so much more.

News

HELP US MAKE CNTLM GO ON (AND GET BETTER):
  • Donate. Thanks to SF.net's broken donations, we haven't received a single dollar in years, except from a couple of dedicated users, who recently took the extra steps of letting us know about this issue and donated manually Paypal to Paypal.
    - Because of the current financial/time constraint difficulties of the Cntlm project, I have now installed a direct Paypal Donate button on top of this page, which you can use to support Cntlm's developers for our usual services:
    • handling of new feature requests and bug fixes (donors receive preferential treatment)
    • personalized analyses & consultations regarding your particular enviroment
    • expert networking analyses from packet captures and related modifications to Cntlm
    • security assessments and systems-integration advice for Cntlm & other solutions
    Donors will be acknowledged and their names published on this site with full amount of the donation published! Please include your nickname, full name or email in the description and send me an email.
    - Being a truly free software, your generosity is the only means we have to support the ongoing existence of Cntlm as-is.
    - Paypal payments may also be used to request a specific new feature with top priority, however such cases must be agreed upon in advance.
  • Get involved. "Private" beta releases for the upcoming 0.93 stable can be downloaded directly from the development server via the following URL. They're the latest SVN code compiled after some of the release-delaying bugs have been fixed. Your help with testing of these binaries and feedback when appropriate will be much appreciated. They're the last rounds before the first stable after 0.35.1 is released:
    • http://ftp.awk.cz/pub (0.93beta5)
    • Beta5 is the latest version compiled for all platforms from SVN. There is a big compatiblity enhancement with difficult proxies, like NetCache in certain configurations, etc. Please do test these versions if you can. Send your emails to cntlm(at)awk(dot)cz.
[2012-04-29] UNIX man(1) page is updated incl. the generated PDF manual (also directly downloadable). WebSVN access and RSS feed are now enabled and working again, same setup as before (see our Cntlm source code HOWTOpage for details).
[2012-03-07] Version 0.92.3 available (the whole branch retroactively un-stabled, because of crashes on Windows; first stable version after 0.35.1 will be 0.93). Fixes Windows 0.92.2 installer, which was missing new DLL's from Cygwin. Previous 0.92 enhancements include: introduced a plain ZIP release package for manual installation without Admin privileges, fixed race condition in 0.92 which caused crashes on Windows, interactive password input doesn't strip trailing whitespaces anymore, added proper handling of the "Program Files (x86)" hack in Windows, proxy hostname is resolved at run-time not during startup (as requested), ISA A/V scanner (GFI WebMonitor) handler is now bypassed when download size is unknown, fixed a bug in downloading files larger than 2GB, fixed the GIT + HTTPS issue.
[2012-03-02] Version 0.92.2 available (retroactively un-stabled). Some fixes.
[2011-11-28] Version 0.92 available (retroactively un-stabled). Several bugfixes and many chages and features since the last stable version.
[2010-04-20] Testing version 0.91rc5 available. There are still some planned features missing, but this version is mainly a fixpack release. Whoever is using these RC's, please do upgrade for your own sake. Cheers.
[2010-03-30] Testing version 0.91rc2 available. Features remaining to be implemented: optional limit of max auth tries (account protection); in case of failed auth return proxy error, but translate NTLM to basic; run-time switching between normal mode (work) and full direct mode (home). Apart from fixes, this testing version includes:
  • Allow empty domain, username, password
  • Updated NTLM autodetection mode
[2010-03-20] A new testing version has been released in DEB, RPM and Windows packages. I'm sure it's ready for prime time, but I'll wait a bit for it to get tested before releasing official stable packages. Apart from a huge rewrite, Cntlm has some news for you:
  • Standalone proxy. Cntlm has been reworked in a way that allows you either to use it like before, with a parent proxy, or as an independent proxy altogether (think Squid, Tinyproxy, etc). The most common configuration, however, will probably be a combination of the two. Use the new NoProxy option to specify which URL's should go through the parent proxy and which URL's should Cntlm process directly, via direct ("intranet") connections. This allows you to set Cntlm permanently in your applications and use it for all links within your company and on the Internet.
  • WWW authentication. Another important feature is support for NTLM web server authentication. This for example means you'll be able to access even those protected sites you had to use Windows + IE for in the past. This is probably the most useful outcome of the rewrite. Before then, I was occassionally forced to use a virtualized IE to access some parts of the intranet. Not any more. Everything works transparently on my Linux notebook with plain Firefox.
  • Windows installer. The new version sports a brand new automated installer based on InnoSetup software - Start Menu integration, uninstaller and on-line resource links are among the most noticeable new features. Starting and stopping is much easier now for the regular guy.
  • Source compilation. Regular people just don't need to know the particularities of all the different packaging systems out there. Users can use simple "make deb", "make rpm" or "make win" to build a complete installation package for their system.
  • GFI WebMonitor / ISA scanner Plugin. Updated scanner module to work with the latest version.
[2010-02-26] SVN repository has been updated with a collection of fixes and other changes request by people during the last year. I'm sorry for being a bit slow on the uptake, but I'm very busy. Everything I knew about has been implemented. I won't make a new release today, though. I hope you people test the new code in the meantime and let me know if you find any bugs! :)
[2007-11-02] New version 0.35 is here. The code was refactored to facilitate future support of multiple profiles and other planned extensions. I have added one symbol definition in the Makefile to make newer socket API constants visible on FreeBSD, which is now supported. Cntlm has finally made it into Debian, which is great! This means other deb-based distributions can use ready-made official packages. On Ubuntu, we're confirmed running since 0.35 (older versions have dash(1) incompatible init script). There was a bug preventing Cntlm from working on some proxies, when they didn't require any authentication; this was reported for the Wingate proxy, which is now confirmed working. There was a sinister typo in the tunneling routine and it made tunnels kinda unstable under certain circumstances (e.g. SSH over HTTPS). It's fixed now, so you should update. The new big shiny feature is:
  • Builtin SOCKS5 proxy server, which allows almost any TCP/IP application to use a proxy and not be aware of it. You can use tsocks(1) wrapper for this, just make it connect to Cntlm's SOCKS port. DNS and IPv4 based connections are supported. If you don't have external DNS access, your application will have to resolve via SOCKS remotely or use IP addresses. The former can be forced on some applications (Firefox hasnetwork.proxy.socks_remote_dns configuration key accessible via "about:config" URI). This allows proxy- and auth-unaware apps to work, but the policy of your proxy is still the limiting factor here, there's no magical proxy-hacking going on. You will be granted connects only to CONNECT-able (or "SSL") ports. The SOCKS5 proxy can be setup open to everyone or to require authentication. Several accounts (username:password combinations) can be defined.
[2007-08-26] New version 0.34(.1) is finally here. Since I was busy at work, I took my time to spit it out, but I've implemented most of the stuff I could think of. :) There are also three useful bug fixes and many new features. The major ones being:
  • Implementation of the the rest of NTLM authentications, tested against both Windows/ISA and Samba/Squid: full featured NTLMv2 with its new strong password hash and NTLM2 Session Response (NTLMv1.5) offering better network security than NTLM/LM in non-NTLMv2 environments. With these two new algorithms, Cntlm is THE ultimate auth proxy :) supporting every NTLM flavour invented. If you use Cntlm's autodetection, your password is probably better protected than it would be with native Windows. :o)
  • Magic NTLM autodetection mode. It tries all algorithms with known working presets and tells you how to setup Cntlm to use best available security (you can copy&paste the result).
  • Configuration using password hashes in place of the actual password (plus hash-and-print mode -H)
  • Interactive password prompt to eliminate any form of password storage
  • Plaintext password (if used) is hashed at startup and its traces are removed from the process memory to prevent dumping it (useful in untrusted environment)
  • Complete control over NTLM auth (preset+manual Flags option, allowing exotic settings for weird/old proxies)
  • Trans-isa-scan: a plugin for automatic and transparent handling of GFI WebMonitor for ISA Server, which breaks all automatic downloaders and system updates - in the true spirit of Microsoft-like ignorance, it returns a dynamic HTML page showing downloading and scanning progress instead of the requested file. When a button appears, it has to be clicked to get the actual file from ISA's cache. Cntlm can now do this transparently for you, depending on the size of the download or application's User-Agent header. This allows e.g. Apt, Wget or Yum to do their job, while having the scanner page displayed in the browser.
  • Workstation name autodetection
  • "Access denied" page for ACL rejects
  • Detailed debug logging with NTLM dumps, tracefile creation
  • Easier compilation, autoconf-like feature test macros
  • RedHat and SuSE rpm packaging support
  • Windows installer doesn't overwrite old INI file
[2007-07-17] New version 0.33 switches automatically and temporarily to NTLM-to-basic if config file credentials fail. The most changes happened around packaging, though. The debian directory has been moved outside of the distribution package. This was suggested by David Watson, a Debian maintainer, who was so kind as to offer sponsorship for Cntlm. In other words, Cntlm is going to be included as part of the Debian GNU/Linux, my favourite distro since 1998. :) This however changes what you have to do to build debs from sources. Follow the new "Debian sources" link in the "Downloads" section. There's a small HOWTO as well. Cntlm has also been ported to the Windows platform, where it runs as a service. See Win32 downloads below and the included README.
[2007-07-12] New version 0.32 adds support for multiple users per one Cntlm instance, which has been requested on the feature suggestion tracker (and implemented the following day:). This feature is called NTLM-to-basic and allows passing credentials using the standard "basic" proxy authentication scheme (e.g. via browser's popup dialog or proxy settings in other applications). This implementation detects failed authentication attempts and makes it possible for you to keep trying (until you get it right or give up) by informing the client (browser) about the actual result. Other proxies don't do any verification, always accept your first try and therefore the client remembers it; if you made a mistake, you'd get "access denied" page for any URL and would have to restart your browser to try again.
[2007-07-09] New version 0.31.1 adds full chunked encoding support, including extensions and trailers.
[2007-07-02] The first version 0.31 fixes ftp:// access, which might not work on some exotic ISAs and adds support for the chunked transfer-encoding. Chunked support is a major benefit over other NTLM proxies. If you use HTTP/1.1 clients (all modern browsers in the default configuration) and your proxy doesn't automatically decode it behind the scenes (e.g. new ISA server I have to use ATM), you are unlikey to be able to browse most of the dynamic sites (timeouts, partially rendered pages, etc). There are some other compatibility fixes for new misbehaving ISA servers.
WARNING: please understand that any unannounced versions on the FTP are for internal/development purposes only, usually beta testing. Until properly advertised on the official homepage, http://cntlm.sf.net, and uploaded to sourceforge.net archives, it is to be considered highly unstable and ought to be replaced by the final build when available.

Configuration hints

After installation, you have to locate the configuration file. The default for Linux packages is /etc/cntlm.conf, for locally compiled source distribution ("./configure; make; make install") it's /usr/local/etc/cntlm.conf and for Windows installer it's %PROGRAMFILES%\Cntlm\cntlm.ini (usually X:\Program Files\Cntlm\cntlm.ini, where X is your system drive).
When you have found it, fire up your favourite editor (not a word processor) and open the file. First a few rules, though - lines beginning with a hash, #, are comments: completely ignored. There is no required formatting and option names are case insensitive. Option values are parsed literally: a quote means a quote and is taken as part of the string, so do not quote, escape, etc. Anyway, you need to set these core options:
  • Username - your domain/proxy account name
  • Domain - the actual domain name
  • Workstation - NetBIOS name of your workstation; Cntlm tries to autodetect it, but you might want to set it explicitly should dialect detection fail (see below)
  • Proxy - IP address (or ping-able hostname) of your proxy; if you use several alternative proxies or know of backup ones, use this option multiple times; if one stops working, Cntlm will move on to the next
  • Listen - local port number which Cntlm should bind to; the default is OK, but remember you can't have more than one application per port; you can use netstat to list used up ports (lines with LISTEN)
Next, we need to find out which NTLM dialect your proxy understands. It's a jungle out there and it can be quite challenging (i.e. boooring) to find a working NTLM setup - thank Bill. Good thing Cntlm has this magic switch to do it for you - thank me. :) Save the configuration and run the following command; when asked, enter your proxy access password:
$ cntlm -I -M http://test.com
Config profile  1/11... OK (HTTP code: 200)
Config profile  2/11... OK (HTTP code: 200)
Config profile  3/11... OK (HTTP code: 200)
Config profile  4/11... OK (HTTP code: 200)
Config profile  5/11... OK (HTTP code: 200)
Config profile  6/11... Credentials rejected
Config profile  7/11... Credentials rejected
Config profile  8/11... OK (HTTP code: 200)
Config profile  9/11... OK (HTTP code: 200)
Config profile 10/11... OK (HTTP code: 200)
Config profile 11/11... OK (HTTP code: 200)
----------------------------[ Profile  0 ]------
Auth            NTLMv2
PassNTLMv2      4AC6525378DF8C69CF6B6234532943AC
------------------------------------------------
You see, NTLMv2 - I told you to use it, now it's official. :) BTW, here you can see all tests running - it's just for demonstration purposes. Normal version finishes when it finds the first (i.e. most secure) working setup.
When you get your options (might be more than just Auth and Pass* here), remove all previous password settings and paste the profile into the configuration file and save it. (Re)start Cntlm and it should work. To use it in your applications, replace the old proxy settings with "localhost", port same as you chose for Listen.
This was just a simple 101 lesson to help you kick-start the proxy. You should still RTFM. ;)

Troubleshooting

If you have problems, you can see what's going on in the system logger (Linux: daemon.log, messages or syslog in /var/log/; on Windows using Control Panels - Administration - Logging) or run Cntlm from the command line with -v -f(debug mode). If that doesn't give you a hint, look at our wiki for troubleshooting tips and also check out the Help Forum and the Bug Tracker to see if somebody else didn't have a similar problem. When you are out of your wits and none of this helped, read the last chapter of our wiki and see how to request support.

System requirements

Cntlm has no dependencies, but you'll obviously need compiler runtime libraries and, depending on your distribution, package build tools. Cntlm uses ISO C99 and POSIX.1-2001 interface (i.e. SUSv3 / UNIX 03), but will compile with older C/POSIX standards as well (incl. other threading libraries). Compilation should succeed on any UNIX-like system (both little and big endian; GCC and IBM XL C/C++ compilers being officially supported) having sane libc and POSIX threads. You don't need any bloated interpreter like Python or Perl and fight modules or libraries - one binary does it all. Compiles and runs on LinuxFreeBSDMacOS XAIXSolaris and Windows (other platforms probably too, just not confirmed yet).

Roadmap

At the beginning, Cntlm aimed for HTTP/1.0 and 1.1 compliance and addressed the problems users had with other proxies (poor response time; CPU/RAM hogging; breaking HTTP, Subversion, instant messaging, tunneling; failed requests; timeouts; you know what I mean if you had to use them). Now that this stuff has been taken care of, I'll move on to implementing extra features like multiple profiles and multiplatform GUI for easy switching of preconfigured profiles depending on your location. Feel free to suggest new features yourself.

Feedback and suggestions

I'd like to hear any feature suggestionbug report or support request you might have on your mind. If you want to share some other piece of advice, praise :), or just chat with other Cntlm users, check out the discussion forum. Don't be lazy and find yourself the time to let us know. :)
When reporting a bug or other problems, follow the instructions in our wiki.

Downloads

If you prefer binary/source packages, visit our SF.net download page or my FTP, where you can find all final releases. Alternatively, you can stay up to date with the latest research :) and get the development version from SVN. Also note that some distributions have already included Cntlm in their repositories.
Official packages [sf.net]: SF.net downloads for Cntlm
Official / development packages [FTP/HTTP]: http://ftp.awk.cz/cntlm/
Subversion access: Cntlm source code HOWTO
Get more info on our SF.net project page.

from  http://cntlm.sourceforge.net/