Wednesday, December 18, 2013

Apt-get behind a corporate proxy: A tale of Ironport, 401 errors, and NTLM

Problem:
I was trying to fetch packages via aptitude and apt-get, but I would get "ign" or "401 Authorization Required" when attempting it. I knew we had a proxy set up and figured out where it was. I tried all the advice to use user:pass@domain as the http_proxy value directly to no avail, but NTLM was the way to get out in our Windows-oriented shop. Oddly, wget would work to download the package indexes, but apt-get could not.

Solution:
A tool called cntlm creates a little proxy at a specified port on your box which handles authentication with the real proxy. I found a good guide here* for how to set it up, but see my notes and added clarification about the config parameters below. Keep in mind that there will be trial and error if you have an uncooperative network security team in your organization. I had to figure out where the proxy was, the port to use, and masquerade the server as my desktop workstation to get it all going. Good luck, and don't give up. Once you get the settings right, this works flawlessly.

Parameters in /etc/cntlm.conf:
    1. username - Active Directory username
    2. domain - Active Directory domain
    3. workstation - Name of the workstation (feel free to spoof this to that of another machine, NTLM can't stop you)
    4. proxy - the IP:port of the proxy
    5. listen - the local port to use for relaying your traffic
* Note that the value of the -M parameter in "cntlm -H -M" had to be something other than the proxy itself (e.g. http://test.com) in order to work for me.

* Note that the guide I linked shows two separate hashes for the password (PassNT and PassLM), but you may only get one with NTLMv2 (PassNTLMv2), as shown at the bottom of the cntlm page. This is fine; just paste that one line into your /etc/cntlm.conf.
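The five parameters above, plus the single PassNTLMv2 line, as a complete /etc/cntlm.conf. This is an added example, not from the post or the linked guide; the username, domain, workstation name, proxy address and hash are placeholders, and the loopback-only Listen/Allow/Deny lines are my addition because the relay answers every request with your own AD credentials.

```conf
# /etc/cntlm.conf (added example; every value below is a placeholder)

# Active Directory credentials used to answer the upstream proxy's NTLM challenge
Username    jdoe
Domain      CORP

# Do not keep a plaintext "Password" line here. Store only the hash that
# "cntlm -H -M http://test.com" prints, and keep this file readable by root
# only: the hash is as good as the password to anyone who can read it.
# (placeholder hash, not a real value)
Auth        NTLMv2
PassNTLMv2  0123456789ABCDEF0123456789ABCDEF

# Workstation name sent in the NTLM handshake (the post spoofs a desktop here)
Workstation my-desktop

# The real corporate proxy (Ironport in the post), as ip:port
Proxy       10.0.0.1:8080

# Destinations that should bypass the upstream proxy entirely
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*

# Local relay that apt talks to. Bind to loopback and lock the ACL down:
# any host that can reach this port browses as you, with no authentication.
Listen      127.0.0.1:3128
Gateway     no
Allow       127.0.0.1
Deny        0/0
```

Point apt at the relay with `Acquire::http::Proxy "http://127.0.0.1:3128/";` in a file under /etc/apt/apt.conf.d/, and restart cntlm after editing the config so the new settings take effect.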