UCT’s Campusnet proxies (running ISA) require NTLM Authentication, so that they can count usage against the right students’ quotas. NTLM Authentication is relatively non-standard, and rarely implemented in clients.
There are a few Linux applications which can connect to NTLM proxies directly, but most applications cannot. The solution is to use an “NTLM Proxy” which listens for requests from programs on your machine, and forwards them to the UCT servers with NTLM authentication done automatically. CNTLM is the preferred proxy.
OSX Users can use Authoxy for this. Setting it up isn’t described on this page, but you should be able to work it out from these instructions.
Cntlm is a proxy which performs the NTLM authentication for you, and passes on the requests to proxynet, correctly authorised. It is the new implemented-in-C replacement for ntlmaps (described below). It is available as “cntlm” in Debian and Ubuntu.
Install the package
$ sudo apt-get install cntlm
Obtain the password hash of your domain password (you can put your raw password in your configuration file instead, but this is a little more secure). Your domain may be wf.uct.ac.za or WF — check which one works for you:
$ /usr/sbin/cntlm -u *YOUR_STUDENT_NUMBER* -d *YOUR_DOMAIN* -f -H
Copy the PassLM, PassNT and PassNTLMv2 lines from the output of that command (tip: use Shift-Control-C to copy selected text from a terminal)
Edit the cntlm configuration file ‘/etc/cntlm.conf’
$ sudo nano /etc/cntlm.conf
Paste the PassLM, PassNT and PassNTLMv2 lines command into the configuration file (tip: use Shift-Control-V to paste into a terminal), and edit it so that it looks like this:
Username *YOUR_STUDENT_NUMBER* Domain *YOUR_DOMAIN* #Password password PassLM *LONG_RANDOM_PASSWORD_HASH* PassNT *LONG_RANDOM_PASSWORD_HASH* PassNTLMv2 *LONG_RANDOM_PASSWORD_HASH* # Only for user 'YOUR_STUDENT_NUMBER', domain 'YOUR_DOMAIN' #Proxy 10.0.0.41:8080 #Proxy 10.0.0.42:8080 Proxy proxynet.uct.ac.za:8080 NoProxy localhost, 127.0.0.*, 10.*, 192.168.*, 137.158.* Listen 3128
Save the configuration file and exit the editor, now test it:
$ sudo cntlm -M http://google.com/
Enter your domain password and you should see something like this:
Config profile 1/4... OK (HTTP code: 301) ----------------------------[ Profile 0 ]------ Auth NTLMv2 PassNTLMv2 *LONG_RANDOM_PASSWORD_HASH* ------------------------------------------------
If you see a screenful of errors, something is wrong, check your config (and see the debugging help below below).
Restart cntlm to apply the new configuration:
$ sudo service cntlm restart
CNTLM is quite fussy, it needs the hostname of your machine to match the hostname the proxy sees. You can get around this by telling it what hostname the proxy is expecting with the
Workstation option in
cntlm.conf. You can see the hostname the outside world sees, by running
host 18.104.22.168 or
dig -x 22.214.171.124 where 126.96.36.199 is your IP address.
Try putting the config snippet that the
-M test gives you in your configuration file.
Now that cntlm is configured and running, we need to tell our applications to use it (alternatively, you can use the transparent setup described below; then programs won’t need to be told about the proxy). Open the Network applet in System Settings, or simply click on the Home button and start typing ‘network’.
Change the method to ‘Manual’ and configure network proxy settings for HTTP, HTTPS and FTP (not Socks) to 127.0.0.1 port 3128.
Click on the ‘Apply system wide’ button. If you take your computer off campus, change the method to ‘None’ and click ‘Apply system wide’. When you return to campus, change the method back to “Manual’ and click ‘Apply system wide’, you don’t have to configure the proxy settings every time.
Go to Firefox’s connection settings and select ‘Use system proxy settings’. Google Chrome uses the system proxy settings by default.
There appears to be a bug in recent versions of Firefox which prevents the browser from detecting the system proxy settings correctly. If you think that you are affected, try entering the proxy settings into Firefox manually. This does mean that you will have to change them in an additional place whenever you leave campus or come back.
If you want command-line applications like wget or pip to use the proxy, you need to set some environment variables in your shell. These instructions assume that you are using bash (which is the default on Ubuntu); you should be able to adapt them to other shells.
Add these lines to your .bashrc file (replace 3128 with whatever port your proxy listens on):
export http_proxy=http://localhost:3128 export ftp_proxy=http://localhost:3128 export https_proxy=http://localhost:3128
You can also use the no_proxy environment variable to specify some domains for which you don’t want to use a proxy.
Note that editing this file will not affect your currently running shells — either close your terminals and re-open them, or set the variables manually in those terminals (by pasting in the lines above). You can test whether a terminal has the variables set like this:
If this prints the proxy value, you’re good to go. If you get a blank line, something is wrong. You should be able to download a test file using wget:
Now you have set up the environment variables for your user, but there is one more thing that you have to do so that you can use the proxy while using sudo — for example, if you need to install things from the internet through the proxy (Warning: installing everything through the proxy can eat through your quota fast — read the section about apt below for more information).
By default, when you use sudo none of your environment variables are preserved. You need to edit your sudoers file to make an exception for the proxy variables. You should never edit the sudoers file except by using the visudo command, which makes the process more secure:
You should see a line in your file which says:
Just above this line, add the following line:
Defaults env_keep = "http_proxy ftp_proxy https_proxy no_proxy"
Save the file. You should now be able to download a test file using wget through sudo:
sudo wget www.google.com
Please note that the campus proxies silently fail when attempting HTTPS over any port other than 443. For now, you can remove the HTTPS proxy settings and use HTTPS without going through the proxies.
You can configure Konqueror and Firefox to work with Campusnet directly by manually setting the Autoconfiguration file to http://www.uct.ac.za/cache.pac. This means that you have to change your proxy settings whenever you arrive on campus. This is a massive bind to do, but with the help of a Firefox add-on, you can make it slightly less painful.
Windows users are required to make a configuration change in Firefox, for NTLM authentication to work correctly. Linux users needn’t do this.
The only non-browser program known to work with NTLM Authentication is curl, which can be used as a wget substitute.
NTLMAPS is older than cntlm (described above) is more reliable, but slower and doesn’t support newer password hash formats that UCT now uses. (It’s packaged under that name for Debian/Ubuntu/most other distros).
LEG provides mirrors for a lot of Linux distributions. This means that you can install most packages (except those from non-standard repositories which are not mirrored, e.g. Ubuntu PPAs) from the UCT intranet, without using a proxy. If you find yourself needing to forward apt through campusnet to access the LEG mirrors, then something is wrong — contact the LEG admins or ICTS.
Warning: if you have a quota, you don’t want apt (or whatever package manager you use) to go through campusnet, as it’ll rack up quota usage very quickly. Make sure that you aren’t using ntlmaps/cntlm when you download packages.
If you don’t have a quota, you may find it useful to configure apt to go through the proxy so that you can use unmirrored repositories like PPAs. If you use apt on the command line you will need to set up the environment variables as described above. Whether you use a command-line tool or a GUI tool like Synaptic, you will also need to edit the /etc/apt/apt.conf file and add these lines (replace 3128 with whatever port your proxy listens on):
Acquire::http::proxy "http://localhost:3128/"; Acquire::ftp::proxy "http://localhost:3128/"; Acquire::https::proxy "https://localhost:3128/";
If you have a quota but you want to use PPAs, you can try using the no_proxy environment variable or the NoProxy setting in cntlm.conf to exclude the LEG mirrors. Make sure that your package manager is set up to use these mirrors!
The “transparent” proxy will pick up all outgoing port 80 traffic, and proxy it. Thus you shouldn’t need to configure any applications, they should just work as soon as you start the proxy.
We’ll use tinyproxy as our transparent proxy, and it’ll pass the requests to ntlmaps/cntlm. On Ubuntu tinyproxy is compiled with transparent support by default, but not so on debian. Debianites might have to recompile it…
# aptitude install tinyproxy
We use an
/etc/default/tinyproxy script to insert the necessary iptables rules to intercept the traffic. Note that we only intercept off-campus traffic:
case "$1" in start) iptables -t nat -A OUTPUT -d 188.8.131.52/16 -j RETURN iptables -t nat -A OUTPUT -d 184.108.40.206/18 -j RETURN iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to 8888 ;; stop) iptables -t nat -F OUTPUT ;; restart) start-stop-daemon --stop --quiet -t --exec $DAEMON > /dev/null || exit 0 iptables -t nat -F OUTPUT iptables -t nat -A OUTPUT -d 220.127.116.11/16 -j RETURN iptables -t nat -A OUTPUT -d 18.104.22.168/18 -j RETURN iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to 8888 ;; esac
We make sure that it doesn’t start by default (unless this is a UCT-bound PC):
# update-rc.d -f tinyproxy remove # update-rc.d tinyproxy stop 20 0 1 2 3 4 5 6 .
Configure it, here are the important settings for
Port 8888 Listen 127.0.0.1 Upstream localhost:8080 ViaProxyName "tinyproxy"
And finally, start it (the
--force is necessary because we disabled it from automatically starting):
# invoke-rc.d tinyproxy stop # invoke-rc.d --force tinyproxy start