Cannot update suse via proxy


I have installed OpenSuse 11.4(KDE) on my machine.
I am using a proxy to connect to the internet.
I have configured KNetworkManager as well as set the proxy settings in Yast.

Though i am able to connect through Mozilla Firefox, I cannot update or install software via Yast (and zypper)

The following error is returned when run

sudo zypper update

Retrieving repository 'openSUSE-11.4-Non-Oss' metadata \]
Download (curl) error for '':
Error code: HTTP response: 407
Error message: The requested URL returned error: 407

My password contains special characters @ # and $.
My username for connecting is: xyz\myname

I have tried modifying the /etc/sysconfig/proxy to contain http_proxy as


but it doesn’t work. I guess it is taking my domain as #$ that’s why this error is coming up.

Any help ?

Try to set URL, user name and password in Yast/Network Services/Proxy module. There are special fields for URL and proxy username, password separately.

I have tried doing that.
When I click Test Connection I get the following error:

  • About to connect() to proxy port 80 (#0)
  • Trying… % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0connected

  • Connected to ( port 80 (#0)
  • Proxy auth using Basic with user ‘xyz\myname’
    > GET NOVELL Worldwide HTTP/1.1
    > Proxy-Authorization: Basic Y2RhY25vaWRhXFxzaWRkaGFydGhzcml2YXN0YXZhOnNyaUAjJA==
    > User-Agent: curl/7.21.2 (i686-pc-linux-gnu) libcurl/7.21.2 OpenSSL/1.0.0c zlib/1.2.5 libidn/1.15 libssh2/1.2.7
    > Host: NOVELL Worldwide
    > Accept: /
    > Proxy-Connection: Keep-Alive
    < HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
    < Via: 1.1 PR
  • gss_init_sec_context() failed: : Credentials cache file ‘/tmp/krb5cc_0’ not foundProxy-Authenticate: Negotiate
    < Proxy-Authenticate: Kerberos
    < Proxy-Authenticate: NTLM
  • Authentication problem. Ignoring this.
    < Proxy-Authenticate: Basic realm=“”
    < Connection: close
  • HTTP/1.1 proxy connection set close!
    < Proxy-Connection: close
    < Pragma: no-cache
    < Cache-Control: no-cache
    < Content-Type: text/html
    < Content-Length: 4104
    { [data not shown]

100 4104 100 4104 0 0 234k 0 --:–:-- --:–:-- --:–:-- 333k* Closing connection #0

My organization’s proxy maps validity based on hostname, username and password
Following are those details:
Hostname: myname
Username: xyz\myname
Password: pwd@#$

You have to use cntlm . Thats for proxy authentication on proxies which use ntlm-protocol.
zypper up
zypper install cntlm

There is a config file in /etc → cntlm.conf
And you have to write the port number to Yast into the proxy settings

I tried with cntlm but it didn’t help

I did the following:

Username: myname
Domain: xyz
Password: pwd@#$ #note special characters @ and #

In Yast proxy configuration, I Enabled Proxy and wrote: and removed from bypass

But it didn’t work out :frowning:

you must start cntlm
and write your hashed pwd into described /etc/cntlm.conf
cntlm -H
hide/hashes your pwd
take a look in documentation on Cntlm: Fast NTLM Authentication Proxy in C
Maybe there is somewhere a tutorial into the web. But i can not search one for you. No time … sry

Just a FYI -
I see you’re using Microsoft ISA as your proxy server. That poses unique issues because Microsoft ISA best performs when integrated with Windows Domain Security (is that a surprise?). As you note, Windows Domain security can inspect by Hostname and Username/Password.
Am guessing a bit, but I can’t remember that ISA supports BASIC authentication, IIRC you must encrypt with NTLM if you’re passing username/password.

There a number of ways to configure access

  • Join your openSUSE to the Windows Domain, then your credentials should be automatically encrypted with NTLM
  • You can configure authentication based on the Host IP address, that bypasses the Windows Domain credentials requirement. Of course, this is a bit less secure because anyone on your network can also masquerade as this address to gain the same firewall privileges.
  • You can configure HTTP “pass through.” That’s not very advisable, your ISA SysAdmin should know how to do that if you ultimately decide to do that.

I do not recommend trying to configure any other way of passing NTLM credentials, I wouldn’t advise leaving NTLM hashes lying around your network, they should only be stored in the Domain Controllers and SAM databases.


Thanks all for your suggestions. The reason for cntlm to fail was that password consisted of special characters.
I tried generating hash using

sudo /usr/sbin/cntlm -H

and then supplying my password.
It generated 3 passwords: LM, NT and NTLMv2

I put them all in my cfg file, but then it has again started giving HTTP 407 error.
Is the hashed password need to be specified somewhere else ?

Did you do, what was described above? :
“And you have to write the port number to Yast into the proxy settings
And - because it seems the simplest here - restart your machine.

I was able to get cntlm working. But the problem is that it works only if I supply my password as it is in the cntlm.cfg.
If I replace the password with the hash produced by -H, the proxy again stops working.