How to use authentication with negotiation (e.g. Kerberos) to HTTP proxy?
Generally accepted is the use of HTTP_PROXY/HTTPS_PROXY environment variables to specify the use of a proxy server. Authentication can be included in this URL, e.g. HTTP_PROXY=http://user:pass@myproxy.mydomain.tld:3128/.
However, I am using Kerberos SSO to authenticate with the proxy. How do I configure that? So, suppose a Squid proxy server configuration as described here: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos. It describes how Windows clients can use proxy authentication with negotiation, but there's no information how I can configure Linux/Unix clients.
For cURL, the use of --proxy-negotiate -u : does the trick, e.g.:
HTTPS_PROXY=http://myproxy.mydomain.tld:3128/ curl --proxy-negotiate -u : https://www.google.com
How do I tell non-cURL applications to use this mechanism? E.g. Debian/Ubuntu APT with Acquire::http::Proxy "http://myproxy.mydomain.tld:3128/";?
I found cntlm which acts as another locally running proxy in the middle, facilitating unauthenticated connections from localhost. However, this only works with NTLM, where I need Kerberos. Would Squid be able to connect as a client using Kerberos perhaps? It seems notoriously hard to find authentication capabilities on the outgoing connection of proxy servers. All seem to focus on authentication features on the listening socket instead.
proxy http squid kerberos http-proxy
asked Dec 22 '17 at 12:43 by gertvdijk (edited 2 days ago)

I use cntlm at work but not with kerberos so even I wouldn't be able to test it but a short googling led me to this: sourceforge.net/p/cntlm/feature-requests/_discuss/thread/…. Can you try it?
– Arkadiusz Drabczyk, Dec 25 '17 at 20:42

I applied this patch to cntlm 0.92.3, you can get the source code here drabczyk.org/cntlm-with-kerberos.tar.gz. You need to do ./configure --enable-kerberos.
– Arkadiusz Drabczyk, Dec 25 '17 at 21:05 (comment score: 1)

Looking at the code you now need to pass gss to -a. Here on the bottom on the page github.com/metaphox/cntlm-gss someone shows an example configuration.
– Arkadiusz Drabczyk, Dec 25 '17 at 21:10 (comment score: 4)

The thing with kerberos authentication is that you need a kerberos-aware version of each application you want to use through Kerberos. In addition to that, in case of http proxies you also need the http client to be capable of handshaking the kerberos authentication to the proxy-http server using the http Negotiate protocol. Something that curl knows how to do, but I’m afraid apt doesn’t. AFAIK, apt only supports either plaintext http-auth or socks5
– LL3, 2 days ago
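
The client side of the HTTP Negotiate handshake that the last comment refers to, as an added example that is not part of the original thread: it reads the proxy's 407 challenge, refuses to downgrade to Basic, and builds the retried CONNECT carrying a token for the proxy's service principal. The function names and the sample 407 response are constructed for illustration; `gssapi_token` assumes the third-party python-gssapi package and a valid ticket cache, and is not exercised here.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"  # mechanism carried by HTTP Negotiate

def parse_proxy_challenge(head: bytes):
    """Return (status_code, offered_schemes) from a proxy response head."""
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes

def gssapi_token(service: str) -> bytes:
    """Token from the current ticket cache (after kinit) via python-gssapi."""
    import gssapi  # third-party, imported lazily; assumption, not run offline
    name = gssapi.Name(service, gssapi.NameType.hostbased_service)
    mech = gssapi.OID.from_int_seq(SPNEGO_OID)
    return gssapi.SecurityContext(name=name, mech=mech, usage="initiate").step()

def authenticated_connect(target, proxy_host, head, token_source=gssapi_token):
    """Build the retry CONNECT for a 407; return None if no auth is required."""
    status, schemes = parse_proxy_challenge(head)
    if status != 407:
        return None
    if "negotiate" not in schemes:
        # Refuse to fall back to Basic, which would expose a reusable password.
        raise RuntimeError("proxy does not offer Negotiate: %r" % schemes)
    # The service principal is that of the proxy, not of the target site.
    token = base64.b64encode(token_source("HTTP@" + proxy_host)).decode("ascii")
    request = ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n"
               "Proxy-Authorization: Negotiate %s\r\n\r\n") % (target, target, token)
    return request.encode("ascii")

# Constructed sample: what an authenticating proxy sends to an anonymous CONNECT.
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: Negotiate\r\n"
              b'Proxy-Authenticate: Basic realm="proxy"\r\n'
              b"\r\n")

if __name__ == "__main__":
    # Constructed stand-in token so the demo runs without a KDC.
    fake = lambda service: b"constructed-token-for-" + service.encode()
    print(authenticated_connect("www.google.com:443", "myproxy.mydomain.tld",
                                SAMPLE_407, fake).decode())
```

A client that cannot produce the `Proxy-Authorization: Negotiate` header itself needs an intermediary that performs this step on its behalf, which is the role the patched cntlm from the comments plays.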