Tuesday, 1 April 2008

Open ssh connection through proxy with NTML authentication

Here is the explanation of how to pass a ssh connection through a proxy that use NTLM authentication protocol (cryptographic authentication) instead of a plain login/password authenication.

First follow the steps describes here :

Next we have to deal with NTLM authentication.

Putty do not know how to talk with proxy that use NTML authentication, so we need a soft that will handle the authentication and encapsulate the network packet.

To do that we'll use cntlm which is a port of an unix programms using cygwin (no need to make a insall of cygwin though...).

Once you unzip the files, edit the configuration file cntlm.ini

You have to change 4 values :

login: Your Windows login name
domain: Your domain name

You can get theses information by hitting CTRL+ALT+SUPPR, a window display and in the first fieldset you can see something like "Thomas Manson has opened a session as DOMAIN\LOGIN"

proxy url and port : See the previous post to see how to get this informations
ctnlm port : the local port on which CNTML will listen (Local that is : on your computer). The port shoud be above 1024 (as below, ports are reserved for specific use) and not used (use netstat -a > c:\netstat.log and check that the port you choosed is not in the file). Take for example 5865.

Example :

# Cntlm Authentication Proxy Configuration
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.

Username __LOGIN__
Domain __DOMAIN__
#Password password # Use hashes instead (-H)
#Workstation netbios_hostname # Should be auto-guessed


# This is the port number where Cntlm will listen
#Listen 5865

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option, SOCKS5. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#SOCKS5Proxy 8010
#SOCKS5User dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
Auth LM
#Flags 0x06820000

# Enable to allow access from other computers
#Gateway yes

# Useful in Gateway mode to allow/restrict certain IPs
#Deny 0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#ISAScannerSize 1024
#ISAScannerAgent Wget/
#ISAScannerAgent APT-HTTP/
#ISAScannerAgent Yum/

# Headers which should be replaced if present in the request
#Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Header User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

# Tunnels mapping local port to a machine behind the proxy
#Tunnel 11443:remote.com:443

Next we need configure putty to use the CNTLM program.

On connection->proxy settings.
On Proxy hostname field, type "localhost", on port field, type the port number you choose for cntlm (ex : 5865).

On username field : your windows login.
On password field : your windows password.

Save theses inputs in a session (so you don't have to type it each time).

Run cntml, open your connection with putty and you should be able to login on your login box.

Notice that each time your windows password changes, you have to change it in putty too.


ManagementBoy said...

nice, thanks.

xenon said...

Works great, but my ssh connection drops every 15 minutes.
Set 'ClientAliveInterval 30' in my sshd_config and also set the "TCP keepalives" option in putty.
Didn't change anything.

Any ideas?

Manson Thomas said...

Did you check my first post about ssh tunnel through an http proxy :


On the connection tab


set a keep interval greater than 0, also check tcp keep alive.

Finally you can run the following command :

watch 'df -h'

this command will generate some traffic on your ssh connection which can prevent the ssh connection to fall.

after you set a tunnel on the 22 port to open another ssh connection (that will last thanks to the first connection).

But keepalive should solve the problem.

nachanga said...

Awesome solution! Works like a charm! :)
Thank you so much. I was able to escape from my company's ISA firewall throught an HTTPTUNNEL (ssh tunnel encapsulated in http requests), but this soulution directly connects to my ssh server (COPSSH). Thank you!

Russ said...

This is perfect, thanks! Some cool features, the "setup.bat" in the windows installer adds cntlm as a windows service - very nice.

Also, if you don't want a clear text password in your config. Remove password from cntlm.ini, run from the command line: "cntlm.exe -u <username> -H". Enter your password, and you get PassLM, PassNT, PassNTLMv2 settings you can paste into cntlm.ini.

fassage said...

Just cant get it to work ! I followed the recipe to the letter and i run cntlm correctly (i think) since it says the service started with no errors.

I then start putty and it says "Putty Fatal Error" & "Network Connection: Connection Refused".

Ive been at this for 3days solid - your help would be most welcome.

Manson Thomas said...

@fassage : Did you configure the correct port on the proxy config in putty ? (try a telnet on this port to see if it connects)

Also, on which port on your server are you trying to connect to ?

Is it 443 ? if you directly try to reach the port 22 it will fail as the proxy of your company won't allow traffic on this port.

Did you try to reach the port 443 from another location to ensure it's correctly redirected to port 22, or that a ssh server is listening?

Fabio said...

Thanks so much, you just made work much much much more pleasant ;-)

ChriDDel said...

the service don't start at Vista.

c:\Program Files\Cntlm>net start "Cntlm Authentication Proxy"
The Cntlm Authentication Proxy service is starting.
The Cntlm Authentication Proxy service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

Manson Thomas said...

@ChriDDel : did you try to run CNTLM as a standalone program before using it as a service ?

Denis ePosta said...

Hi there,
in my office we use a card in order to login to windows.
Do you think will work the CNTLM auth please ?

Manson Thomas said...

It was my case as well, I used a card with a chip on it to login.

But NTLM version might have change from 1.x to 2.x, not sure if this article will still work.
probably have to move to a new version of CNTML, for the ssh part, it should work the same.

Denis ePosta said...

Thanks Thomas
...but what I must put in the field user and password in the ini file ?
Thanks again

Manson Thomas said...

Well, no user/password in the ini file.

You have to put in putty instead, as described in this blog post.

Putty will connect to CNTLM, that will open the connection to NTLM with the user/password provided in putty.

Denis ePosta said...

Is this the problem ... I have no more user and password for the internet connection
Now we use a Smart Card log in (for the windows) and we have no password for internet.
I think CNTLM want some user/pass information ... do you know if is mandatory?
Thanks again

Manson Thomas said...

It's your active directory password that it's required. (your login would be the parent folder name of your "Documents & Settings" directory.
If you never ever enter any username/password, then you're doomed ;)

Paolo Mare said...


I created on my NAS a virtual machine with ubuntu.
I installed openssh on this VM and changed the default listening port from 22 to 443
Then, I opened and forwarded from my D7000 netgear router the port 443 to the VM Ip address

I checked the server now is listening.

now the client side, that it is inside a domain, so I installed the CNTLM and set it.

From putty, I used the port 443 ssh to connect to my external IP of NAS; then I set the 3128 as port and

I am able from putty to establish a connection to my ubuntu VM ssh server.

Now, what I need to do is to can execute a program in my pc domain client and can pass through the tunnel for don't have refused/blocked connection.

this software need to connect to a specific tcp address and port tcp://xxx.yyyyyy.com:4444 or tcp://xxx.yyyyyy.com:443 or tcp://xxx.yyyyyy.com:6666

if the program can't connect to these address, It doesn't work..

There is a way or method to can let pass throgh the tunnel the traffic of this specific program? In my ignorance I would call it "program ssh tunneling"

Thank you very very much for your kind help.

Manson Thomas said...

What you need is ssh tunnels setup in putty:
(Last paragraphs)