Discover how to install CNTLM on Linux for seamless proxy authentication. Step-by-step instructions to configure and optimize your proxy setup.
Problem Statement:
This article is for system administrators who install Linux servers with the minimal option and then install the required packages from a yum repository. If your network uses a proxy server to access the Internet, however, things change: yum cannot get through the proxy and cannot be used. CNTLM (Fast NTLM Authentication Proxy in C) is a local proxy server that can be used with many Linux utilities such as yum and wget.

In this article, we will install CNTLM on Linux so that yum can reach its repositories through the network proxy server.
Introduction:
In today’s enterprise and restrictive network environments, accessing the internet often requires navigating through proxy servers. Many organizations use NTLM (NT LAN Manager) authentication proxies to control user access. If you are running CentOS 6 and need to work behind such a proxy, directly configuring your applications to authenticate with NTLM proxies can be a challenge. This is where CNTLM comes into play. CNTLM is an open-source NTLM/NTLMv2 authenticating HTTP proxy which makes it easier to use NTLM proxies from Linux, especially on legacy systems like CentOS 6.
What is CNTLM?
CNTLM stands for “CNTLM Lightweight NTLM Authentication Proxy.” It is a local proxy server designed to authenticate using NTLM or NTLMv2 on behalf of the user, simplifying network access in environments protected by Microsoft-style proxy authentication. Most proxy servers that use NTLM authentication are tightly integrated with Windows environments. Linux systems, which do not natively support NTLM authentication, face difficulties connecting through these proxies.
By acting as a local proxy, CNTLM intermediates between your Linux applications and the remote NTLM proxy. Your applications connect to CNTLM as if it were a proxy server without any NTLM complexity, and CNTLM handles the NTLM handshake with the upstream proxy. CNTLM caches credentials and handles re-authentication seamlessly, enabling smooth internet connectivity for Linux machines.
Why Use CNTLM on Linux?
CentOS 6, though a stable and widely-used Linux distribution, is an older version with limited native support for modern authentication protocols like NTLM. Many corporate networks still rely on NTLM proxies for security, making it difficult for CentOS 6 users to access external HTTP/HTTPS resources without configuring heavy workarounds.
CNTLM is lightweight and designed to work well on legacy Linux systems like CentOS 6. It requires minimal dependencies, installs easily from source or repositories, and significantly reduces the hassle of dealing with NTLM-protected proxies. With CNTLM, administrators and users get:
- Seamless proxy authentication: No need to manually configure individual apps for NTLM.
- Credential caching: Reduces repeated login prompts and authentication overhead.
- Improved compatibility: Works reliably even on older systems with limited NTLM support.
- Simplified configuration: Single local proxy setup rather than multiple app configurations.
Key Features of CNTLM:
- NTLM/NTLMv2 Authentication: Full support for both NTLM versions used by Microsoft proxies.
- Local Proxy: Runs on localhost, listening on configurable ports, allowing apps to use it as a standard proxy.
- Password Hashing: Supports storing hashed credentials instead of plaintext passwords, enhancing security.
- Cross-Platform: Although popular on Linux, CNTLM runs on various Unix-like systems and Windows.
- Lightweight and Efficient: Minimal resource consumption, ideal for older hardware and lightweight virtual machines.
- Flexible Configuration: Supports multiple upstream proxies and chaining with SOCKS or HTTPS proxies.
- Logging and Debugging: Provides detailed logging to troubleshoot authentication and connection issues.
How CNTLM Works Under the Hood:
When you start the CNTLM service on your CentOS 6 machine, it acts like a proxy server that listens, by default, on localhost port 3128. Applications configured to use this proxy send their HTTP/HTTPS requests to CNTLM, which then initiates an NTLM handshake with the actual corporate proxy requiring authentication.
CNTLM performs the handshake using your stored credentials, which can be saved as hashed values for security. Once authenticated, CNTLM forwards the request and caches the authorization token so subsequent requests avoid repeating the full handshake, improving performance.
This mechanism effectively abstracts the complexity of NTLM authentication from client applications, which only need to know the local CNTLM proxy address.
Use Cases for CNTLM on Linux:
- Developers behind corporate proxies who need access to update repositories, download packages, or access external APIs from CentOS 6 servers.
- System administrators managing legacy CentOS 6 servers that require secure internet connectivity via NTLM proxies.
- Automated scripts and cron jobs running on CentOS 6 that require internet access through authenticated proxies.
- Web browsers and other GUI apps configured to use CNTLM for streamlined proxy authentication.
- CI/CD pipelines or development tools requiring transparent proxy authentication without complex configuration.
System Specification:
We assume that the reader already knows how to configure a yum repository. Please read our previous post Local Yum Repository in CentOS 6.5 to get an understanding of yum repository configuration.
| CPU | 3.4 GHz (2 Core) |
| Memory | 2 GB |
| Operating System | CentOS 6.3 Server |
Install CNTLM on Linux:
From your Linux box, when you try to run yum, it will give you a connectivity error.
yum repolist
Download the package cntlm-0.92.3-1.x86_64.rpm from https://sourceforge.net/projects/cntlm/files/cntlm/
Copy the downloaded rpm to the Linux server and install it.
Once CNTLM is installed, configure it according to your needs.
vi /etc/cntlm.conf
Update the username, domain, password and proxy address.
mkdir /var/run/cntlm
chown cntlm:cntlm /var/run/cntlm/
service cntlmd start
service cntlmd status
Configure yum to use CNTLM.
vi /etc/yum.conf
Add the following directive.
proxy=http://127.0.0.1:3128/
Now, try to perform some action with the yum command to check whether it can access the repository via CNTLM.
yum repolist
Now our yum server is using a route to the public yum repositories through the CNTLM local proxy server.
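A check to run after editing /etc/cntlm.conf, shown as an added example that is not part of the original article: it flags a plaintext `Password` directive, a config file accessible to group or others, and a listener exposed beyond loopback. The sample values (user, domain, password, proxy host) are constructed; `Password`, `PassNTLMv2`, `Listen` and `Gateway` are CNTLM configuration directives, and `cntlm -H` prints the hashes to store in place of the password.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit a cntlm.conf.
# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise, 2 if unreadable.
audit_cntlm_conf() {
    local conf="$1" rc=0 mode addr addrs
    [ -r "$conf" ] || { echo "ERROR cannot read $conf" >&2; return 2; }

    # Plaintext password: anyone who can read the file learns the domain password.
    if grep -Eiq '^[[:space:]]*Password[[:space:]]+[^[:space:]]' "$conf"; then
        echo "FAIL plaintext Password; store the PassNTLMv2 hash from 'cntlm -H' instead"
        rc=1
    fi

    # Stored hashes still grant proxy access, so no group/other permission bits.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        *00) ;;
        *) echo "FAIL file mode $mode; expected 600"; rc=1 ;;
    esac

    # Gateway mode listens on every interface, lending your identity to other hosts.
    if grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf"; then
        echo "FAIL Gateway yes exposes the proxy to the network"; rc=1
    fi

    # An explicit non-loopback Listen address has the same effect.
    addrs=$(sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\([^:[:space:]]*\):[0-9].*/\1/p' "$conf")
    for addr in $addrs; do
        case "$addr" in
            127.*|localhost) ;;
            *) echo "FAIL Listen bound to $addr, not 127.0.0.1"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample (all values invented) with three weaknesses.
write_sample() {
    printf '%s\n' 'Username  testuser' 'Domain    EXAMPLE' 'Password  S3cret-example' \
        'Proxy     proxy.example.internal:8080' 'Listen    0.0.0.0:3128' > "$1"
    chmod 644 "$1"
}

# Audit the file given as argument, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then
    audit_cntlm_conf "$1"
else
    tmp=$(mktemp); write_sample "$tmp"; audit_cntlm_conf "$tmp" || true; rm -f "$tmp"
fi
```

Run it as root with `/etc/cntlm.conf` as the argument; a clean file prints nothing and exits 0.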
Conclusion:
In conclusion, installing CNTLM on Linux is a straightforward process that can significantly simplify proxy authentication, especially in environments with strict access controls. By following the outlined steps, you can configure and optimize CNTLM to meet your specific needs, ensuring secure and efficient internet access. Whether for personal use or in enterprise settings, CNTLM proves to be a valuable tool for managing proxy authentication seamlessly.
FAQs:
1. What is the main purpose of CNTLM?
CNTLM serves as a local proxy that authenticates NTLM and NTLMv2 proxy requests on behalf of Linux clients. It makes it easier for applications on Linux systems, like CentOS 6, to access NTLM-protected corporate proxies without needing native NTLM support.
2. Is CNTLM secure to use, especially regarding password storage?
Yes, CNTLM allows storing passwords as NTLM password hashes instead of plaintext. While this improves security, it is always recommended to secure the CNTLM configuration file and restrict access permissions, as the hashes still provide proxy access.
3. Can CNTLM handle multiple upstream proxies?
Yes, CNTLM supports chaining multiple upstream proxies, allowing users to configure fallback proxies or proxy servers for different network segments.
4. How do I configure applications to use CNTLM?
You configure your Linux applications or environment to use a proxy at http://localhost:3128 (default). This means setting environment variables like http_proxy and https_proxy or modifying app-specific proxy settings to point to CNTLM.
5. Does CNTLM support HTTPS proxying?
CNTLM supports proxying HTTPS connections using the CONNECT method, but it requires clients and CNTLM to be correctly configured. It acts as a tunnel for encrypted traffic while handling NTLM authentication with the upstream proxy.
