Open n1hility opened 1 year ago
@Luap99 @baude @mheon WDYT?
I have no idea what NTLM is or what it does nor why we would need to implement a proxy for it. If this is needed to support windows proxies then sure but in general I am against adding more untested code and proxy support in general seems to be totally untested in podman so I am hesitant to call stuff like that actually supported (I guess we just hope the go std library handles it correctly).
NTLM is a digest-like authentication mechanism that uses a challenge response protocol such that a password is not transmitted in the clear. It's used by various Windows services to authenticate users transparently with their Desktop/Domain logon acting as an SSO. NTLM over HTTP added the ability for web sessions, and later proxied http requests, to authenticate without a browser popup, reusing the credentials of their Windows logon in a similar manner to file shares. It is a dated technology, as Windows has moved on to Kerberos/SPNEGO (reusing NTLM hashes) for underlying auth. However, due to its long legacy and support in various software packages it's still in common usage in IT sites. In the case of the linked desktop issue, the user had a policy that disallows http basic auth (also common), so they have to rely on a custom intermediate local proxy, using solutions like cntlm.
Since podman wouldn't be running on Windows, we wouldn't be supporting it in an SSO-like fashion, but rather as just a replacement for http basic. Since supporting this requires augmenting the transport underneath http.Client, I was planning to explore a common facility for obtaining http client instances, which can then have some sort of enable_ntlm config option (default off). When off, it would be the identical code path as today, but on, it would introduce handlers which understand how to auth with basic+ntlm. In the future Kerberos could potentially be supported as well.
For testing I picture a container running squid and samba to simulate an NTLM proxy. That same container could be reused for testing basic auth + go/std usage as well. It could either verify the squid log output to verify traffic came from the proxy as expected, or we could get more elaborate and drop all image pull traffic that doesn't come from a separate NAT source IP we dedicate for the squid container.
Feature request description
Podman relies on Golang's http client sdk to implement proxy behavior. However, this does not support NTLM, in part because the SPI was not designed for the multiple request/reply in its challenge response model:
We should look at adding special handling, perhaps through the Azure go-ntlmssp project.
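As an added sketch (not podman's code and not go-ntlmssp's) of the transport-level handling described above, a RoundTripper that runs the multi-leg 407 Negotiate/Challenge/Authenticate exchange underneath http.Client while leaving every non-NTLM response on the stock path. It assumes the proxy answers plain HTTP requests with 407 (HTTPS CONNECT tunnels are negotiated inside the dialer and are out of scope here), and the Type 3 credential computation is injected via Respond rather than written out.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"net/http"
	"strings"
)

// MS-NLMP layout: "NTLMSSP\0", LE uint32 type (1/2/3); a Type 2 carries the 8-byte server challenge at offset 24.
const ntlmSig = "NTLMSSP\x00"
// Negotiate is a minimal 32-byte Type 1 message: type 1, flags UNICODE|NTLM, empty domain/workstation fields.
var Negotiate = append([]byte(ntlmSig), 1, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
// Negotiator wraps the transport under http.Client; Respond maps the server challenge to Type 3 bytes (library's job).
type Negotiator struct {
	Next    http.RoundTripper
	Respond func(challenge []byte) []byte
}
// ParseChallenge decodes a "NTLM <base64>" header value; ok is false unless it is a well-formed Type 2 message.
func ParseChallenge(hdr string) (challenge []byte, ok bool) {
	m, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(hdr, "NTLM "))
	if err != nil || len(m) < 32 || string(m[:8]) != ntlmSig || binary.LittleEndian.Uint32(m[8:]) != 2 {
		return nil, false
	}
	return m[24:32], true
}
// RoundTrip passes non-NTLM answers through unchanged, else replays the request (via GetBody) for legs 2 and 3.
func (n *Negotiator) RoundTrip(req *http.Request) (*http.Response, error) {
	send := func(msg []byte) (*http.Response, error) {
		r := req.Clone(req.Context())
		if req.GetBody != nil {
			r.Body, _ = req.GetBody()
		}
		r.Header.Set("Proxy-Authorization", "NTLM "+base64.StdEncoding.EncodeToString(msg))
		return n.Next.RoundTrip(r)
	}
	resp, err := n.Next.RoundTrip(req)
	if err != nil || resp.StatusCode != 407 || !strings.HasPrefix(resp.Header.Get("Proxy-Authenticate"), "NTLM") {
		return resp, err
	}
	resp.Body.Close()
	if resp, err = send(Negotiate); err != nil {
		return nil, err
	}
	if c, ok := ParseChallenge(resp.Header.Get("Proxy-Authenticate")); ok && resp.StatusCode == 407 {
		resp.Body.Close()
		return send(n.Respond(c))
	}
	return resp, nil // proxy did not continue the handshake; surface its answer as-is
}
```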