9

I must be missing something... I could swear I've done this before but I've torched the VM's that I was using previously.

How do you get apt-get to authenticate through a proxy that only supports NTLM? Do I need to change my proxy config to also support other authentication mechanisms?

Ubuntu 10.04.

squillman
  • 37,618
  • 10
  • 90
  • 145

3 Answers3

11

A better alternative is to install CNTLM, which is an NTLM proxy that presents itself as an ordinary web proxy.

It's quite easy to install from .deb (trivial dependencies adduser and libc6 which should be on every system ever) and configure. Once you have it installed, you just tell apt-get to use proxy localhost:3128.

This solution has two advantages:

  1. it works for all programs using HTTP/HTTPS/FTP, including apt-get, web browsers, and SSH sessions tunneled over HTTPS (good for escaping the firewall if you need to.)

  2. your password is stored in cntlm.conf as a hash instead of in plain text.

CNTLM works on Windows as well. Very neat.

Bart De Vos
  • 17,761
  • 6
  • 62
  • 81
Li-aung Yip
  • 413
  • 1
  • 4
  • 9
6

in /etc/apt/apt.conf, add the line:

Acquire::http::Proxy "http://MYDOMAIN\MYNAME:MYPASS@MY.PROXY.COM:MYPORT";

the semicolon is required at the end of the line to add

Grizly
  • 2,053
  • 15
  • 20
  • Just checked my servers, and yes, it uses the semicolon. Well spotted sir! – Grizly Mar 06 '13 at 06:00
  • 1
    Still, Wireshark is able to decipher Basic Authentication and thus revealing the password as shown above: "http://MYDOMAIN\MYNAME:MYPASS@MY.PROXY.COM:MYPORT" In other word, weak Basic HTTP is still revealing passwords. – John Greene Apr 27 '16 at 15:34
  • 1
    I really would have thought that was obvious mate. – Grizly May 12 '16 at 04:15
  • You'd be amazed how many companies are still using Basic HTTP. – John Greene May 12 '16 at 18:23
1

See Setting up apt-get to use a http-proxy (on https://help.ubuntu.com/community/AptGet/).

Daryl Spitzer
  • 2,946
  • 9
  • 33
  • 40