cntlm man page on DragonFly
[printable version]
CNTLM(1) Accelerating NTLM/NTLMv2 Authentication Proxy CNTLM(1)
NAME
cntlm - authenticating HTTP(S) proxy with TCP/IP tunneling and acceler‐
ation
SYNOPSIS
cntlm [ -AaBcDdFfgHhILlMPprSsTUuvw ] [ host1 port1 | host1:port1 ] ...
hostN portN
DESCRIPTION
Cntlm is an NTLM/NTLM SR/NTLMv2 authenticating HTTP proxy. It stands
between your applications and the corporate proxy, adding NTLM authen‐
tication on-the-fly. You can specify several "parent" proxies and Cntlm
will try one after another until one works. All auth'd connections are
cached and reused to achieve high efficiency. Just point your apps
proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you're
ready to do. This is useful on Windows, but essential for non-Microsoft
OS's. Proxy IP addresses can be specified via CLI (host1:port1 to
hostN:portN) or the configuration file.
Another option is to have cntlm authenticate your local web connections
without any parent proxies. It can work in a stand-alone mode, just
like Squid or ISA. By default, all requests are forwarded to parent
proxies, but the user can set a "NoProxy" list, a list of URL matching
wild-card patterns, that route between direct and forward modes. Cntlm
can also recognize when all your corporate proxies are unavailable and
switch to stand-alone mode automatically (and then back again). Aside
from WWW and PROXY authentication, cntlm provides a useful feature
enabling users migrate their laptops between work and home without
changing proxy settings in their applications (using cntlm all the
time). Cntlm also integrates transparent TCP/IP port forwarding (tun‐
neling). Each tunnel opens a new listening socket on local machine and
and forwards all connections to the target host behind the parent
proxy. Instead of these SSH-like tunnels, user can also choose a lim‐
ited SOCKS5 interface.
Core cntlm function had been similar to the late NTLMAPS, but today,
cntlm has evolved way beyond anything any other application of this
type can offer. The feature list below speaks for itself. Cntlm has
many security/privacy features like NTLMv2 support and password protec‐
tion - it is possible to substitute password hashes (which can be
obtained using -H) in place of the actual password or to enter the
password interactively (on start-up or via "basic" HTTP auth transla‐
tion). If plaintext password is used, it is automatically hashed during
the startup and all traces of it are removed from the process memory.
In addition to minimal use of system resources, cntlm achieves higher
throughput on a given link. By caching authenticated connections, it
acts as an HTTP accelerator; This way, the 5-way auth handshake for
each connection is transparently eliminated, providing immediate access
most of the time. Cntlm never caches a request/reply body in memory, in
fact, no traffic is generated except for the exchange of auth headers
until the client <-> server connection is fully negotiated. Only then
real data transfer takes place. Cntlm is written in optimized C and
easily achieves fifteen times faster responses than others.
An example of cntlm compared to NTLMAPS: cntlm gave avg 76 kB/s with
peak CPU usage of 0.3% whereas with NTLMAPS it was avg 48 kB/s with
peak CPU at 98% (Pentium M 1.8 GHz). The extreme difference in resource
usage is one of many important benefits for laptop use. Peak memory
consumption (several complex sites, 50 paralell connections/threads;
values are in KiB):
VSZ RSS CMD
3204 1436 ./cntlm -f -c ./cntlm.conf -P pid
411604 6264 /usr/share/ntlmaps/main.py -c /etc/ntlmaps/server.cfg
Inherent part of the development is profiling and memory management
screening using Valgrind. The source distribution contains a file
called valgrind.txt, where you can see the report confirming zero
leaks, no access to unallocated memory, no usage of uninitialized data
- all traced down to each instruction emulated in Valgrind's virtual
CPU during a typical production lifetime of the proxy.
OPTIONS
Most options can be pre-set in a configuration file. Specifying an
option more than once is not an error, but cntlm ignores all occurences
except the last one. This does not apply to options like -L, each of
which creates a new instance of some feature. Cntlm can be built with a
hardcoded configuration file (e.g. /etc/cntlm.conf), which is always
loaded, if possible. See -c option on how to override some or all of
its settings.
Use -h to see available options with short description.
-A IP/mask (Allow)
Allow ACL rule. Together with -D (Deny) they are the two rules
allowed in ACL policy. It is more usual to have this in a con‐
figuration file, but Cntlm follows the premise that you can do
the same on the command-line as you can using the config file.
When Cntlm receives a connection request, it decides whether to
allow or deny it. All ACL rules are stored in a list in the same
order as specified. Cntlm then walks the list and the first
IP/mask rule that matches the request source address is applied.
The mask can be any number from 0 to 32, where 32 is the default
(that is exact IP match). This notation is also known as CIDR.
If you want to match everything, use 0/0 or an asterix. ACLs on
the command-line take precedence over those in the config file.
In such case, you will see info about that in the log (among the
list of unused options). There you can also see warnings about
possibly incorrect subnet spec, that's when the IP part has more
bits than you declare by mask (e.g. 10.20.30.40/24 should be
10.20.30.0/24).
-a NTLMv2 | NTLM2SR | NT | NTLM | LM (Auth)
Authentication type. NTLM(v2) comprises of one or two hashed
responses, NT and LM or NTLM2SR or NTv2 and LMv2, which are com‐
puted from the password hash. Each response uses a different
hashing algorithm; as new response types were invented, stronger
algorithms were used. When you first install cntlm, find the
strongest one which works for you (preferably using -M). Above
they are listed from strongest to weakest. Very old servers or
dedicated HW proxies might be unable to process anything but LM.
If none of those work, see compatibility flags option -F or sub‐
mit a Support Request.
IMPORTANT: Although NTLMv2 is not widely adopted (i.e.
enforced), it is supported on all Windows since NT 4.0 SP4.
That's for a very long time! I strongly suggest you use it to
protect your credentials on-line. You should also replace plain‐
text Password options with hashed Pass[NTLMv2|NT|LM] equiva‐
lents. NTLMv2 is the most and possibly the only secure authenti‐
cation of the NTLM family.
-B (NTLMToBasic)
This option enables "NTLM-to-basic", which allows you to use one
cntlm for multiple users. Please note that all security of NTLM
is lost this way. Basic auth uses just a simple encoding algo‐
rithm to "hide" your credentials and it is moderately easy to
sniff them.
IMPORTANT: HTTP protocol obviously has means to negotiate autho‐
rization before letting you through, but TCP/IP doesn't (i.e.
open port is open port). If you use NTLM-to-basic and DON'T
specify some username/password in the configuration file, you
are bound to loose tunneling features, because cntlm alone won't
know your credentials.
Because NTLM identification has at least three parts (username,
password, domain) and the basic authentication provides fields
for only two (username, password), you have to smuggle the
domain part somewhere. You can set the Domain config/cmd-line
parameter, which will then be used for all users, who don't
specify their domain as a part of the username. To do that and
override the global domain setting, use this instead of plain
username in the password dialog: "domain\username".
-c <filename>
Configuration file. Command-line options, if used, override its
single options or are added at the top of the list for multi
options (tunnels, parent proxies, etc) with the exception of
ACLs, which are completely overriden. Use /dev/null to disable
any config file.
-D IP/mask (Deny)
Deny ACL rule. See option -A above.
-d <domain> (Domain)
The domain or workgroup of the proxy account. This value can
also be specified as a part of the username with -u.
-F <flags> (Flags)
NTLM authentication flags. This option is rater delicate and I
do not recommend to change the default built-in values unless
you had no success with parent proxy auth and tried magic
autodetection (-M) and all possible values for the Auth option
(-a). Remember that each NT/LM hash combination requires differ‐
ent flags. This option is sort of a complete "manual override"
and you'll have to deal with it yourself.
-f Run in console as a foreground job, do not fork into background.
In this mode, all syslog messages will be echoed to the console
(on platforms which support syslog LOG_PERROR option). Though
cntlm is primarily designed as a classic UNIX daemon with sys‐
logd logging, it provides detailed verbose mode without detach‐
ing from the controlling terminal; see -v. In any case, all
error and diagnostic messages are always sent to the system log‐
ger.
-G <pattern> (ISAScannerAgent)
User-Agent matching (case insensitive) for trans-isa-scan plugin
(see -S for explanation). Positive match identifies requests
(applications) for which the plugin should be enabled without
considering the size of the download (see -S). You can use shell
wildcard characters, namely "*", "?" and "[]". If used without
-S or ISAScannerSize, the max_size_in_kb is internally set to
infinity, so the plugin will be active ONLY for selected User-
Agents, regardless of download size.
-g (Gateway)
Gateway mode, cntlm listens on all network interfaces. Default
is to bind just loopback. That way, only local processes can
connect to cntlm. In the gateway mode though, cntlm listens on
all interfaces and is accessible to other machines on the net‐
work. Please note that with this option the command-line order
matters when specifying proxy or tunnel local (listening) ports.
Those positioned before it will bind only loopback; those after
will be public.
IMPORTANT: All of the above applies only to local ports for
which you didn't specify any source address. If you did, cntlm
tries to bind the given port only on the specified interface (or
rather IP address).
-H Use this option to get hashes for password-less configuration.
In this mode, cntlm prints the results and exits. You can just
copy & paste right into the config file. You ought to use this
option with explicit -u and -d, because some hashes include the
username and domain name in the calculation. Do see -a for secu‐
rity recommendations.
-h Display help (available options with a short description) and
exit.
-I Interactive password prompt. Any password settings from the com‐
mand line or config file is ignored and a password prompt is
issued. Use this option only from shell.
-L [<saddr>:]<lport>:<rhost>:<rport> (Tunnel)
Tunnel definition. The syntax is the same as in OpenSSH's local
forwarding (-L), with a new optional prefix, saddr - the source
IP address to bind the lport to. Cntlm will listen for incomming
connections on the local port lport, forwarding every new con‐
nection through the parent proxy to the rhost:rport (authenti‐
cating on the go). This option can be used multiple times for
unlimited number of tunnels, with or without the saddr option.
See -g for the details concerning local port binding when saddr
is not used.
Please note that many corporate proxies do not allow connections
to ports other than 443 (https), but if you run your target ser‐
vice on this port, you should be safe. Connect to HTTPS is
"always" allowed, otherwise nobody would be able to browse
https:// sites. In any case, first try if you can establish a
connection through the tunnel, before you rely on it. This fea‐
ture does the same job as tools like corkscrew(1), but instead
of communicating over a terminal, cntlm keeps it TCP/IP.
-l [<saddr>:]<lport> (Listen)
Local port for the cntlm proxy service. Use the number you have
chosen here and the hostname of the machine running cntlm (pos‐
sibly localhost) as proxy settings in your browser and/or the
environment. Most applications (including console) support the
notion of proxy to connect to other hosts. On POSIX, set the
following variables to use e.g. wget(1) without any trouble
(fill in the actual address of cntlm):
$ export ftp_proxy=http://localhost:3128
$ export http_proxy=$ftp_proxy
$ export https_proxy=$ftp_proxy
You can choose to run the proxy service on more than one port,
in such case just use this option as many times as necessary.
But unlike tunnel definition, cntlm fails to start if it cannot
bind all of the proxy service ports. Proxy service port can also
be bound selectively. Use saddr to pick source IP address to
bind the lport to. This allows you, for example, to run the ser‐
vice on different ports for subnet A and B and make it invisible
for subnet C. See -g for the details concerning local port bind‐
ing when saddr is not used.
-M <testurl>
Run magic NTLM dialect detection. In this mode, cntlm tries some
known working presets against your proxy. Probe requests are
made for the specified testurl, with the strongest hashes going
first. When finished, settings for the most secure setup are
printed. Although the detection will tell you which and how to
use Auth, Flags and password-hash options, you have to configure
at least your credentials and proxy address first. You can use
-I to enter your password interactively.
-N <pattern1>[,<patternN] (NoProxy)
Avoid parent proxy for these host names. All matching URL's will
be proxied directly by cntlm as a stand-alone proxy. Cntlm sup‐
ports WWW authentication in this mode, thus allowing you to
access local intranet sites with corporate NTLM authentication.
Hopefully, you won't need that virtualized MSIE any more. :)
-O [<saddr>:]<port_number> (SOCKS5Proxy)
Enable SOCKS5 proxy and make it listen on local port port_number
(source IP spec is also possible, as with all options). By
default, there will be no restrictions as to who can use this
service. Some clients don't even support SOCKS5 authentication
(e.g. almost all browsers). If you wish to enforce authentica‐
tion, use -R or its equivalent option, SOCKS5User. As with port
tunneling, it is up to the parent proxy whether it will allow
connection to any requested host:port. This feature can be used
with tsocks(1) to make most TCP/IP applications go thru the
proxy rather than directly (only outgoing connections will work,
obviously). To make apps work without DNS server, it is impor‐
tant that they don't resolve themselves, but using SOCKS. E.g.
Firefox has this option available through URI "about:config",
key name network.proxy.socks_remote_dns, which must be set to
true. Proxy-unaware tsocksified apps, will have to be configured
using IP addresses to prevent them from DNS resolving.
-P <pidfile>
Create a PID file pidfile upon startup. If the specified file
exists, it is truncated and overwritten. This option is
intended for use with start-stop-daemon(8) and other servicing
mechanisms. Please note that the PID file is created AFTER the
process drops its privileges and forks. When the daemon finishes
cleanly, the file is removed.
-p <password> (Password, PassNT, ...)
Proxy account password. Cntlm deletes the password from the mem‐
ory, to make it invisible in /proc or with inspection tools like
ps(1), but the preferable way of setting password is the config‐
uration file. To that end, you can use Password option (for
plaintext, human readable format), or "encrypt" your password
via -H and then use PassNTLMv2, PassNT and/or PassLM.
-R <username>:<password> (SOCKS5User)
If SOCKS5 proxy is enabled, this option can make it accessible
only to those who have been authorized. It can be used several
times, to create a whole list of accounts (allowed user:pass
combinations).
-S <max_size_in_kb> (ISAScannerSize)
Enables the plugin for transparent handling of the dreaded ISA
AV scanner, which returns an interactive HTTP page (displaying
the scanning progress) instead of the file/data you've
requested, every time it feels like scanning the contents. This
presumptuous behavior breaks every automated downloader, updater
and basically EVERY application relying on downloads (e.g. wget,
apt-get).
The parameter max_size_in_kb allows you to choose maximum down‐
load size you wish to handle by the plugin (see below why you
might want that). If the file size is bigger than this, cntlm
forwards you the interactive page, effectively disabling the
plugin for that download. Zero means no limit. Use -G/ISAScan‐
nerAgent to identify applications for which max_size_in_kb
should be ignored (forcing the plugin). It works by matching
User-Agent header and is necessary for e.g. wget, apt-get and
yum, which would fail if the response is some HTTP page instead
of requested data.
How it works: the client asks for a file, cntlm detects ISA's
bullshit response and waits for the secret link to ISA's cache,
which comes no sooner than the file is downloaded and scanned by
ISA. Only then can cntlm make the second request for the real
file and forward it along with correct headers to the client.
The client doesn't timeout while waiting for it, b/c cntlm is
periodically sending an extra "keepalive" header, but the user
might get nervous not seeing the progress bar move. It's of
course purely psychological matter, there's no difference if
cntlm or your browser requests the scanned file - you must wait
for ISA to do it's job and download then. You just expect to see
some progress indicator move, which is all what the ISA's page
does: it shows HTML countdown.
If the plugin cannot parse the interactive page for some reason
(unknown formatting, etc.), it quits and the page is forwarded
to you - it's never "lost".
The keepalive header is called ISA-Scanner and shows ISA's
progress, e.g.:
HTTP/1.1 200 OK
ISA-Scanner: 1000 of 10000
ISA-Scanner: 2000 of 10000
...
-r "<name>: <value>" (Header)
Header substitution. Every client's request will be processed
and any headers defined using -r or in the configuration file
will be added to it. In case the header is already present, its
value will be replaced.
-s Serializes all requests by not using concurrent threads for
proxy (tunneling still works in parallel). This has a horrible
impact on performance and is available only for debugging pur‐
poses. When used with -v, it yields nice sequential debug log,
where requests take turns.
-T <filename>
Used in combination with -v to save the debug output into a
trace file. It should be placed as the first parameter on the
command line. To prevent data loss, it never overwrites an
existing file. You have to pick a unique name or manually delete
the old file.
-U <uid>
When executed as root, do the stuff that needs such permissions
(read config, bind ports, etc.) and then immediately drop privi‐
leges and change to uid. This parameter can be either number or
system username. If you use a number, both uid and gid of the
process will be set to this value; if you specify a username,
uid and gid will be set according to that user's uid and primary
gid as defined in /etc/passwd. You should use the latter, possi‐
bly using a dedicated cntlm account. As with any daemon, you are
strongly advised to run cntlm under a non-privileged account.
-u <user>[@<domain>] (Username)
Proxy account/user name. Domain can be be entered as well.
-v Print debugging information. Automatically enables (-f).
-w <workstation> (Workstation)
Workstation NetBIOS name. Do not use full qualified domain name
(FQDN) here. Just the first part. If not specified, cntlm tries
to get the system hostname and if that fails, uses "cntlm" -
it's because some proxies require this field non-empty.
CONFIGURATION
Configuration file is basically an INI file, except there are no "="
between keys and values. It comprises of whitespace delimited keyword
and value pairs. Apart from that, there are sections as well, they have
the usual "[section_name]" syntax. Comment begins with a hash "#" or a
semicolon ";" and can be anywhere in the file. Everything after the
mark up until EOL is a comment. Values can contain any characters,
including whitespace. You can use double quotes around the value to
set a string containing special characters like spaces, pound signs,
etc. No escape sequences are allowed in quoted strings.
There are two types of keywords, local and global. Local options spec‐
ify authentication details per domain (or location). Global keywords
apply to all sections and proxies. They should be placed before all
sections, but it's not necessary. They are: Allow, Deny, Gateway, Lis‐
ten, SOCKS5Proxy, SOCKS5User, NTLMToBasic, Tunnel.
All available keywords are listed here, full descriptions are in the
OPTIONS section:
Allow <IP>[/<mask>]
ACL allow rule, see -A.
Auth NTLMv2 | NTLM2SR | NT | NTLM | LM
Select any possible combination of NTLM hashes using a single
parameter.
Deny <IP>[/<mask>]
ACL deny rule, see -A.
Domain <domain_name>
Proxy account domain/workgroup name.
Flags <flags>
NTLM authentication flags. See -F for details.
Gateway yes|no
Gateway mode. In the configuration file, order doesn't matter.
Gateway mode applies the same to all tunnels.
Header <headername: value>
Header substitution. See -r for details and remember, no quot‐
ing.
ISAScannerAgent <pattern>
Wildcard-enabled (*, ?, []) case insensitive User-Agent string
matching for the trans-isa-plugin. If you don't define ISAScan‐
nerSize, it is internally set to infinity, i.e. disabling the
plugin for all downloads except those agent-matched ones. See
-G.
ISAScannerSize <max_size_in_kb>
Enable trans-isa-scan plugin. See -S for more.
Listen [<saddr>:]<port_number>
Local port number for the cntlm's proxy service. See -l for
more.
Password <password>
Proxy account password. As with any other option, the value
(password) can be enclosed in double quotes (") in case it con‐
tains special characters like spaces, pound signs, etc.
PassNTLMv2, PassNT, PassLM <password>
Hashes of the proxy account password (see -H and -a). When you
want to use hashes in the config (instead of plaintext pass‐
word), each Auth settings requires different options:
Settings | Requires
-------------+-----------------
Auth NTLMv2 | PassNTLMv2
Auth NTLM2SR | PassNT
Auth NT | PassNT
Auth NTLM | PassNT + PassLM
Auth LM | PassLM
Proxy <host:port>
Parent proxy, which requires authentication. The same as proxy
on the command-line, can be used more than once to specify an
arbitrary number of proxies. Should one proxy fail, cntlm auto‐
matically moves on to the next one. The connect request fails
only if the whole list of proxies is scanned and (for each
request) and found to be invalid. Command-line takes precedence
over the configuration file.
NoProxy <pattern1>, <pattern2>, ...
Avoid parent proxy for these host names. All matching URL's will
be proxied directly by cntlm as a stand-alone proxy. Cntlm sup‐
ports WWW authentication in this mode, thus allowing you to
access local intranet sites with corporate NTLM authentication.
Hopefully, you won't need that virtualized MSIE any more. :) See
-N for more.
SOCKS5Proxy [<saddr>:]<lport>
Enable SOCKS5 proxy. See -O for more.
SOCKS5User <username>:<password>
Create a new SOCKS5 proxy account. See -R for more.
NTLMToBasic yes|no
Enable/disable NTLM-to-basic authenticatoin. See -B for more.
Tunnel [<saddr>:]<lport>:<rhost>:<rport>
Tunnel definition. See -L for more.
Username
Proxy account name, without the possibility to include domain
name ('at' sign is interpreted literally).
Workstation <hostname>
The hostname of your workstation.
FILES
The optional location of the configuration file is defined in the Make‐
file, with the default for 1) deb/rpm package, 2) traditional "make;
make install" and 3) Windows installer, respectively, being:
1) /etc/cntlm.conf
2) /usr/local/etc/cntlm.conf
3) %PROGRAMFILES%\Cntlm\cntlm.ini
PORTING
Cntlm is being used on many platforms, little and big endian machines,
so users should not have any problems with compilation. Nowadays, cntlm
is a standard tool in most Linux distributions and there are various
repositories for other UNIX-like systems. Personally, I release Debian
Linux (deb), RedHat Linux (rpm) and Windows (exe) binaries, but most
people get cntlm from their OS distributor.
For compilation details, see README in the source distribution. Porting
to any POSIX conforming OS shouldn't be more than a matter of a Make‐
file rearrangement. Cntlm uses strictly POSIX.1-2001 interfaces with
ISO C99 libc and is also compliant with SUSv3. Since version 0.33,
cntlm supports Windows using a POSIX emulation layer called Cygwin.
BUGS
To report a bug, enable the debug output, save it to a file and submit
on-line along with a detailed description of the problem and how to
reproduce it. Visit the home page for more.
cntlm -T cntlmtrace.log -v -s ... the rest ...
AUTHOR
Written by David Kubicek <dave (o) awk.cz>
Homepage: http://cntlm.sourceforge.net/
COPYRIGHT
Copyright © 2007-2010 David Kubicek
Cntlm uses DES, MD4, MD5 and HMAC-MD5 routines from gnulib and Base64
routines from mutt(1).
cntlm 0.90 Nov 2010 CNTLM(1)
[top]
List of man pages available for DragonFly
Copyright (c) for man pages and the logo by the respective OS vendor.
For those who want to learn more, the polarhome community provides shell access and support.
[legal]
[privacy]
[GNU]
[policy]
[cookies]
[netiquette]
[sponsors]
[FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
|
Vote for polarhome
|