[clug] NTLM proxy authentication - it's working, it's not

Paul Wayper paulway at mabula.net
Tue Jul 1 00:50:57 GMT 2008


Hi all,

I've just started work at a new company and their Squid
proxy is set up to do NTLM authentication.  Now, it would
seem that Firefox does this correctly.  wget claims to do
NTLM authentication but despite the various combinations of
options I've tried I cannot get it to actually work - that
eternally useful program Wireshark tells me that wget is
giving up before doing the first stage of the
authentication.  Of course, Yum and other programs that use
their own libraries that never bothered to write in NTLM are
equally broken.  Don't you love non-reuse of code?

I found one project that claimed to offer salvation:
http://ntlmaps.sourceforge.net/ is a Python program written
to be a local proxy for all your regular programs (at least
the ones that obey the $http_proxy environment variable -
did I mention code non-reuse?) that does the NTLM
authentication itself.  Or, at least, it might have done in
2006, when the web page was last updated; it doesn't work on
this system now.  I can see from Wireshark that it is doing
the full three-stage process that NTLM authentication
requires.  However, it seems to be delivering quite
different things from Firefox in the authentication headers.
The username and domain are incorrectly formatted and
unnecessarily capitalised, the NTLM and Lan Manager
responses are the same in Firefox but different in NTLMAPS,
and the proxy sets different flags from Firefox.  Why?

Of course, the proxy is written in Python, so theoretically
I can get in there and fix it.  Except of course that the
authors have left little documentation on how the code works
(half of the code contains no docstrings and the rest is
minimal), and I'm a neophyte Python coder at best.  So
really having the source code is more of a temptation to
adger the whole project rather than a guarantee of
self-support.

My question is: has anyone else had any experience with this
kind of authentication and can they give me any advice on
what to do to get my system working with the proxy?

Thanks in advance,

Paul
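
Added example, not part of the original post and not NTLMAPS code: a small decoder for the base64 NTLM tokens that Wireshark shows in the Proxy-Authenticate / Proxy-Authorization headers, so the flags, domain/user strings and LM/NT responses sent by two clients can be compared field by field. The function names and the sample token (user "alice", domain "EXAMPLE", dummy response bytes) are constructed for illustration.

```python
import base64
import struct

# Subset of negotiate flag bits (short forms of the MS-NLMP names).
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x80: "LM_KEY",
         0x200: "NTLM", 0x8000: "ALWAYS_SIGN",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x20000000: "128", 0x80000000: "56"}
# Per message type: offset of the flags word, then offsets of (len, maxlen, offset) fields.
LAYOUT = {1: (12, {"domain": 16, "workstation": 24}),
          2: (20, {"target": 12}),
          3: (60, {"lm_response": 12, "nt_response": 20, "domain": 28,
                   "user": 36, "workstation": 44})}

def decode_ntlm_header(value):
    """Decode an 'NTLM <base64>' Proxy-Authorization / Proxy-Authenticate value."""
    scheme, _, token = value.strip().partition(" ")
    msg = base64.b64decode(token) if scheme.upper() == "NTLM" else b""
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in LAYOUT or len(msg) < LAYOUT[mtype][0] + 4:
        raise ValueError("unknown or truncated message type %d" % mtype)
    flag_off, fields = LAYOUT[mtype]
    flags = struct.unpack_from("<I", msg, flag_off)[0]
    out = {"type": mtype, "flags": sorted(n for b, n in FLAGS.items() if flags & b)}
    for name, pos in fields.items():
        if pos + 8 > len(msg):      # short Type 1 messages omit these fields
            continue
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("field %s points outside the message" % name)
        raw = msg[offset:offset + length]
        if name.endswith("_response"):
            out[name] = raw.hex()
        else:  # Type 1 strings are always OEM (approximated as latin-1 here)
            uni = mtype != 1 and flags & 0x1
            out[name] = raw.decode("utf-16-le" if uni else "latin-1")
    return out

def sample_type3(user, domain, lm, nt, flags=0x8201):
    """Build a constructed Type 3 token (dummy response bytes) to decode."""
    parts = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    head, body = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for p in parts:
        head += struct.pack("<HHI", len(p), len(p), 64 + len(body))
        body += p
    return "NTLM " + base64.b64encode(head + struct.pack("<I", flags) + body).decode()

if __name__ == "__main__":
    print(decode_ntlm_header(sample_type3("alice", "EXAMPLE", b"\x11" * 24, b"\x11" * 24)))
```

Decoding the Type 3 token captured from each client and comparing the resulting dictionaries shows directly whether the domain and user casing, the two response fields, or the flag set differ.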

