versat / cntlm

Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. More info on http://cntlm.sourceforge.net/ website. This version also supports: SSPI (on Windows, NTLM authentication only), Kerberos authentication, IPv6, proxy PAC files.
GNU General Public License v2.0

New option NoAuth #81

Closed craff closed 1 year ago

craff commented 2 years ago

Some proxies, like eole-amon used in French education, do not answer authenticated requests for sites configured to not require authentication. This option allows circumventing this bug.

sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot E 1 Security Hotspot
Code Smell A 2 Code Smells

0.0% Coverage
0.0% Duplication

fralken commented 2 years ago

Hello, can you explain better what your use case is? Because cntlm should deal with cases where authentication is not required, and also cntlm is not necessary when the proxy doesn't require authentication. It looks like your PR is working around a bug by adding a new configuration.

craff commented 2 years ago

Hello, Eole-amon is a proxy used in French education and it has a bug. You can register destinations that do not require authentication. But if you use cntlm with eole-amon and send authentication for those exceptions, eole-amon never answers while cntlm expects a 407 error.

I have no way to fix Eole-amon where I work. Even if they fix the bug, it will take a few years before they update ...

So the best solution was this option which is just very few lines in forward.c, because all is available for that.

Probably the option should also be used when cntlm is the one that requires authentication. Then, there is a better use case: performing updates without authentication, but still through the proxy.

Cheers, Christophe

versat commented 2 years ago

Sounds reasonable. Can you please also add the description of the new option to the help shown by cntlm itself (see main())? @fralken Do you see any risk / problem here? I think it is relatively safe and should be added.

fralken commented 2 years ago

Cntlm should manage non-authenticated requests automatically, without specifying special cases. If in this case the remote proxy does not respond, it probably means that it is still waiting for some data from the request. I had a similar situation in issue #77, where the remote server was waiting for request data.

If instead it is a bug of this eole-amon proxy, are you able to reproduce the behaviour with curl? Something similar to: curl -v --proxy-ntlm --proxy-user <user:pwd> --proxy http://<eole-amon proxy> <destination url>

What I mean is that we must be sure that it is not a bug of cntlm, otherwise the reason for this new feature would be only to circumvent this bug.

fralken commented 1 year ago

Since this appears to be a workaround for a possible bug in cntlm in a very specific use case, let's close this PR.