SSH over HTTP Proxy that uses NTLM Authentication

As can be read on my post https://primalcortex.wordpress.com/2014/02/19/ssh-over-http-proxy/ we can use SSH to connect to a remote client, even when there is between the client and the server a HTTP Proxy.

But some proxys,like Microsoft ISA or Forefront, can require authentication, but only using the NTLM protocol for authentication and nothing else.

In this case the solution is to use TWO proxys where one of them is running on your own machine, that provides and negotiates the NTLM authentication to ISA/Forefront, and allows Firefox, Chrome and corkscreew to connect the internet using those proxys.

So what you need?

1) Install the cntlm proxy on your machine: apt-get install ctnlm

2) Edit the ctnlm.conf config file to config it: the upstream proxy and credentials. This file is normally located in /etc.

3) For example add/edit the following lines:

Username  mydomainusername
Domain  MSDomainName
Password cleartextpasswordP
Proxy upstreamproxy:port
Listen cntlmproxylistenport

A “real example”:

Username PrimalCortex
Domain  ACME
Password itsasecret
Proxy  corp_proxy.acme.com:8080
Listen 3128

Now, the cntlm proxy can be started: as root start the proxy /etc/init.d/cntlm start

Now you can point your clients to the local address 127.0.0.1:3128  (the port defined in the Listen config property), and the proxy access is automatic with the NTLM authentication running in the background.

So now corkscrew can work through a proxy that requires NTLM authentication, just edit the SSH config file and change the proxy address to the localhost and cntlm port:

Host 1.2.3.4
  ProxyCommand corkscrew 127.0.0.1 3128 %h %p

and that’s it.

Advertisements

11 thoughts on “SSH over HTTP Proxy that uses NTLM Authentication

  1. And what if I’m behind a proxy that uses ISA Server? I tried that, but I’m getting “Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. )”.
    Any idea on how to fix that?

    • Hi:

      You probably need to setup the upstream proxy with port 443.
      It really depends on your environment.

      Check first if using a browser that the ctntlm proxy works first.

  2. Hi thanks for the intial explanation but I need a little more help with the troubleshooting.

    I did everything from the two posts:
    I’ve configured corkscrew and cntlm (I already use it)

    % ssh -Tvvv hg@bitbucket.org
    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /home/maiko.costa/.ssh/config
    debug3: ciphers ok: [blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
    debug1: /home/maiko.costa/.ssh/config line 5: Applying options for bitbucket.org
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Executing proxy command: exec corkscrew 127.0.0.1 3128 bitbucket.org 22
    debug1: permanently_drop_suid: 1001
    debug1: identity file /home/maiko.costa/.ssh/identity type -1
    debug1: identity file /home/maiko.costa/.ssh/identity-cert type -1
    debug3: Incorrect RSA1 identifier
    debug3: Could not load “/home/maiko.costa/.ssh/id_rsa” as a RSA1 public key
    debug1: identity file /home/maiko.costa/.ssh/id_rsa type 1
    debug1: identity file /home/maiko.costa/.ssh/id_rsa-cert type -1
    debug1: identity file /home/maiko.costa/.ssh/id_dsa type -1
    debug1: identity file /home/maiko.costa/.ssh/id_dsa-cert type -1
    debug1: identity file /home/maiko.costa/.ssh/id
    _ecdsa type -1
    debug1: identity file /home/maiko.costa/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/maiko.costa/.ssh/id_ed25519 type -1
    debug1: identity file /home/maiko.costa/.ssh/id_ed25519-cert type -1
    ssh_exchange_identification: Connection closed by remote host

    ##sometimes the last line doesn’t appear but I cant connect##

    ~/.ssh/config
    ForwardX11 yes
    Protocol 2,1
    Compression yes
    Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    Host *
    ForwardAgent yes
    Host bitbucket.org
    ProxyCommand corkscrew 127.0.0.1 3128 %h %p
    ServerAliveInterval 10

    My cntlm.conf is right because I’m using it already.

  3. Hi, this seems now an issue with ssh itself, and not ctntlm.

    I had a similar issue just like yours that at the end ssh just closed the connection. The issue was related to the type of keys that the remote server accepted. What I recommend is to use ssh-keygen to generate the ssh keys and provide them to the ssh command with -i switch.
    Also it seems from the log, that ssh can’t find/load the id_rsa key, but that can be another issue.

  4. Ok. Is at home and at work the same computer? By other words, is the key files for ssh the same in both environments home/work?

      • While I still haven’t a clue of what might be wrong, we still need to make sure that the issue is with the proxy, not with ssh itself. So far my opinion is that the keys at you work computer are not working. For clearing this up, can you use your home computer ssh keys at your work computer and/or vice-versa?

  5. I have the same issue. I’m behind a Forefront TMG proxy and using cntlm with it.
    I browse the internet normally using cntlm and until 6 months ago, the ssh client was working flawlessly. Now I have the issue above and tried everything to solve it w/out success.
    The weird thing is that Putty works!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s