Tuesday, 1 April 2008

Open ssh connection through proxy with NTML authentication

Here is the explanation of how to pass a ssh connection through a proxy that use NTLM authentication protocol (cryptographic authentication) instead of a plain login/password authenication.

First follow the steps describes here :
http://blog.mansonthomas.com/2008/01/open-ssh-connection-through-http-proxy.html

Next we have to deal with NTLM authentication.

Putty do not know how to talk with proxy that use NTML authentication, so we need a soft that will handle the authentication and encapsulate the network packet.

To do that we'll use cntlm which is a port of an unix programms using cygwin (no need to make a insall of cygwin though...).

Once you unzip the files, edit the configuration file cntlm.ini

You have to change 4 values :

login: Your Windows login name
domain: Your domain name

You can get theses information by hitting CTRL+ALT+SUPPR, a window display and in the first fieldset you can see something like "Thomas Manson has opened a session as DOMAIN\LOGIN"

proxy url and port : See the previous post to see how to get this informations
ctnlm port : the local port on which CNTML will listen (Local that is : on your computer). The port shoud be above 1024 (as below, ports are reserved for specific use) and not used (use netstat -a > c:\netstat.log and check that the port you choosed is not in the file). Take for example 5865.



Example :

#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username __LOGIN__
Domain __DOMAIN__
#Password password # Use hashes instead (-H)
#Workstation netbios_hostname # Should be auto-guessed

Proxy __PROXY-URL__:__PROXY-PORT__
#Proxy 10.217.112.42:8080

#
# This is the port number where Cntlm will listen
#
Listen __CNTLM_PORT_NUMBER__
#Listen 5865

#
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option, SOCKS5. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy 8010
#SOCKS5User dave:password

#
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
Auth LM
#Flags 0x06820000

#
# Enable to allow access from other computers
#
#Gateway yes

#
# Useful in Gateway mode to allow/restrict certain IPs
#
#Allow 127.0.0.1
#Deny 0/0

#
# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize 1024
#ISAScannerAgent Wget/
#ISAScannerAgent APT-HTTP/
#ISAScannerAgent Yum/

#
# Headers which should be replaced if present in the request
#
#Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Header User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

#
# Tunnels mapping local port to a machine behind the proxy
#
#Tunnel 11443:remote.com:443

Next we need configure putty to use the CNTLM program.

On connection->proxy settings.
On Proxy hostname field, type "localhost", on port field, type the port number you choose for cntlm (ex : 5865).

On username field : your windows login.
On password field : your windows password.

Save theses inputs in a session (so you don't have to type it each time).

Run cntml, open your connection with putty and you should be able to login on your login box.

Notice that each time your windows password changes, you have to change it in putty too.