Feature Request: HTTP proxy authentication

David Woodhouse dwmw2 at infradead.org
Wed Jun 18 14:58:35 PDT 2014


On Wed, 2014-06-18 at 18:14 +0100, David Woodhouse wrote:
> On Wed, 2014-06-18 at 10:44 +0100, David Woodhouse wrote:
> > I don't have access to a proxy requiring authentication. I could perhaps
> > set up squid to require basic auth, but NTLM and Kerberos are harder. If
> > I could have access to a proxy that requires such, then I might be more
> > inclined to implement this myself...
> 
> It turns out to be relatively simple to set up a copy of squid to do
> Basic, NTLM and Negotiate auth against Active Directory, so I've done
> so.
> 
> I've pushed some initial changes which make Basic auth work, and I may
> take a look at NTLM and Kerberos/GSSAPI if nobody beats me to it. Once
> it's working, I may take another look at the structure of it.

With what I pushed a few minutes ago NTLM now also works, although
*only* the single-sign-on version using Samba's /usr/bin/ntlm_auth
helper tool and winbind.

Manual NTLM authentication where you actually give it the username and
password isn't implemented — that's left as an exercise for the reader
(hint: there's an LGPLv2-compatible implementation to copy from in
https://git.gnome.org/browse/evolution-data-server/tree/camel/camel-sasl-ntlm.c which even supports NTLMv2. Around line 873 is the interesting part).

I'm more likely to do GSSAPI next, rather than the boring gruntwork of
porting that code over. But definitely not today. Do feel free to help
out :)

Reviewing the other code I've hastily thrown together may also prove
fruitful...

-- 
dwmw2