Cannot update suse via proxy

Hi

I have installed openSUSE 11.4 (KDE) on my machine.
I am using a proxy to connect to the internet.
I have configured KNetworkManager as well as set the proxy settings in Yast.

Though I am able to connect through Mozilla Firefox, I cannot update or install software via Yast (and zypper).

The following error is returned when I run

sudo zypper update

Retrieving repository 'openSUSE-11.4-Non-Oss' metadata \]
Download (curl) error for 'http://download.opensuse.org/distribution/11.4/repo/non-oss/repodata/repomd.xml':
Error code: HTTP response: 407
Error message: The requested URL returned error: 407

My password contains special characters @ # and $.
My username for connecting is: xyz\myname

I have tried modifying the /etc/sysconfig/proxy to contain http_proxy as

http://zyz\myname:pwd@#$@10.0.0.7:80/

but it doesn’t work. I guess it is taking my domain as #$10.0.0.7 that’s why this error is coming up.

Any help?
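An added illustration, not part of the original post: how a generic RFC 3986 parser splits the proxy URL quoted above, and the percent-encoded form that keeps `\`, `@`, `#` and `$` inside the credentials. It uses Python's `urllib.parse` as a stand-in (libcurl's own parsing may differ in detail); `describe` and `build_proxy_url` are hypothetical helper names, and whether the proxy then accepts the credentials is a separate question.

```python
from urllib.parse import quote, unquote, urlsplit


def describe(url):
    """Return the fields a generic URL parser extracts from a proxy URL."""
    parts = urlsplit(url)
    return {
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "hostname": parts.hostname,
        "port": parts.port,
        "fragment": parts.fragment,
    }


def build_proxy_url(user, password, host, port, scheme="http"):
    """Percent-encode every reserved character in the userinfo part.

    safe='' makes quote() encode '@', '#', '$', ':' and '\\' as well, so
    none of them can be read as a URL delimiter.
    """
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"{scheme}://{userinfo}@{host}:{port}/"


# The value tried in /etc/sysconfig/proxy, exactly as posted.
RAW = r"http://zyz\myname:pwd@#$@10.0.0.7:80/"

# Same credentials as listed in the post, with reserved characters encoded.
ENCODED = build_proxy_url(r"xyz\myname", "pwd@#$", "10.0.0.7", 80)

if __name__ == "__main__":
    # Unencoded: '#' starts the fragment, so the host and port are lost
    # and the password is cut off at the first '@'.
    print("raw    :", describe(RAW))
    # Encoded: the parser recovers user, password, host and port intact.
    print("encoded:", ENCODED)
    print("parsed :", describe(ENCODED))
```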

Try to set URL, user name and password in Yast/Network Services/Proxy module. There are special fields for URL and proxy username, password separately.

I have tried doing that.
When I click Test Connection I get the following error:

  • About to connect() to proxy 10.0.0.7 port 80 (#0)
  • Trying 10.0.0.4… % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0connected

  • Connected to 10.0.0.7 (10.0.0.7) port 80 (#0)
  • Proxy auth using Basic with user ‘xyz\myname’
    > GET NOVELL Worldwide HTTP/1.1
    > Proxy-Authorization: Basic Y2RhY25vaWRhXFxzaWRkaGFydGhzcml2YXN0YXZhOnNyaUAjJA==
    > User-Agent: curl/7.21.2 (i686-pc-linux-gnu) libcurl/7.21.2 OpenSSL/1.0.0c zlib/1.2.5 libidn/1.15 libssh2/1.2.7
    > Host: NOVELL Worldwide
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
    < Via: 1.1 PR
  • gss_init_sec_context() failed: : Credentials cache file ‘/tmp/krb5cc_0’ not foundProxy-Authenticate: Negotiate
    < Proxy-Authenticate: Kerberos
    < Proxy-Authenticate: NTLM
  • Authentication problem. Ignoring this.
    < Proxy-Authenticate: Basic realm=“pr.xyz.in”
    < Connection: close
  • HTTP/1.1 proxy connection set close!
    < Proxy-Connection: close
    < Pragma: no-cache
    < Cache-Control: no-cache
    < Content-Type: text/html
    < Content-Length: 4104
    <
    { [data not shown]

100 4104 100 4104 0 0 234k 0 --:--:-- --:--:-- --:--:-- 333k* Closing connection #0

My organization’s proxy maps validity based on hostname, username and password
Following are those details:
Hostname: myname
Username: xyz\myname
Password: pwd@#$

You have to use cntlm. That's for proxy authentication on proxies which use the NTLM protocol.
zypper up
zypper install cntlm

There is a config file in /etc → cntlm.conf
And you have to write the port number to Yast into the proxy settings
http://127.0.0.1:3128

I tried with cntlm but it didn’t help

I did the following:

Username: myname
Domain: xyz
Password: pwd@#$ #note special characters @ and #
Proxy 10.0.0.4:80

In Yast proxy configuration, I Enabled Proxy and wrote: http://127.0.0.1:3128/ and removed 127.0.0.1 from bypass

But it didn’t work out :(

You must start cntlm
and write your hashed password into the described /etc/cntlm.conf.
cntlm -H
hides/hashes your password.
Take a look at the documentation at Cntlm: Fast NTLM Authentication Proxy in C.
Maybe there is a tutorial somewhere on the web, but I cannot search for one for you. No time … sorry.

Just a FYI -
I see you’re using Microsoft ISA as your proxy server. That poses unique issues because Microsoft ISA best performs when integrated with Windows Domain Security (is that a surprise?). As you note, Windows Domain security can inspect by Hostname and Username/Password.
Am guessing a bit, but I can’t remember that ISA supports BASIC authentication, IIRC you must encrypt with NTLM if you’re passing username/password.

There are a number of ways to configure access

  • Join your openSUSE to the Windows Domain, then your credentials should be automatically encrypted with NTLM
  • You can configure authentication based on the Host IP address, that bypasses the Windows Domain credentials requirement. Of course, this is a bit less secure because anyone on your network can also masquerade as this address to gain the same firewall privileges.
  • You can configure HTTP “pass through.” That’s not very advisable, your ISA SysAdmin should know how to do that if you ultimately decide to do that.

I do not recommend trying to configure any other way of passing NTLM credentials, I wouldn’t advise leaving NTLM hashes lying around your network, they should only be stored in the Domain Controllers and SAM databases.

HTH,
Tony

Thanks all for your suggestions. The reason for cntlm to fail was that password consisted of special characters.
I tried generating hash using


sudo /usr/sbin/cntlm -H

and then supplying my password.
It generated 3 passwords: LM, NT and NTLMv2

I put them all in my cfg file, but then it has again started giving HTTP 407 error.
Does the hashed password need to be specified somewhere else?

Did you do what was described above?
“And you have to write the port number to Yast into the proxy settings
http://127.0.0.1:3128”
And - because it seems the simplest here - restart your machine.

I was able to get cntlm working. But the problem is that it works only if I supply my password as it is in the cntlm.cfg.
If I replace the password with the hash produced by -H, the proxy again stops working.