Configuring Git on Windows to use NTLM proxy authentication

5

20

I'm trying to access a repository on GitHub from a Windows machine that is behind a proxy that requires NTLM authentication. Neither SSH nor the git:// protocol is directly available, so I'm trying to make this work with HTTPS through the proxy.

With the help of "NTLM proxy without password?" I have been able to make the curl binary supplied with msysgit play nice with the proxy:

curl -U : --proxy-ntlm --proxy xxx.xxx.xx.xx:8080 https://github.com

This is successful and returns the GitHub home page.

However, I found an article from Feb 2010, "Proxying Git", that states (emphasis mine):

Unfortunately it appears that curl will always use Basic authentication with the proxy. If your proxy needs something else, perhaps NTLM for a Windows network, then you have a problem. Curl is used to handle all the http transport details and this does support the NTLM authentication method but I know of no method to pass the necessary options to curl. Git makes use of curl via its library binding so it is not enough just to replace the curl executable with a wrapper script.

I know about the core.gitproxy option in the Git configuration, but that appears to only apply to the git:// protocol. Similarly, the http.proxy option sets the address of the proxy, but provides no way to supply the appropriate options to curl.

Twofaced answered 20/2, 2011 at 22:14 Comment(4)
I think the comment in the article makes no sense. curl uses the libcurl library, which implements the support for NTLM. Whether or not git supports such functionality provided by libcurl is another matter. - Gotham
BTW, you can try to use iptables to redirect the requests to github.com to your own machine and make it act as a transparent proxy that then forwards to the NTLM proxy using the proper authentication. But by this time, it would be easier to just set up a VPN and route the traffic to github.com through it. - Gotham
@Artefacto: Yes, I understand that both git and curl use libcurl, but the question is about how to pass the required NTLM related options through git to libcurl. Also, iptables is quite out of the question because (a) the client machine is Windows, and (b) local administrator access is not available. - Twofaced
I think it's just a matter of using curl_easy_setopt(handle, CURLOPT_PROXYAUTH, CURLAUTH_NTLM) together with the other usual options for proxy authentication (CURLOPT_PROXY, CURLOPT_PROXYTYPE and CURLOPT_PROXYUSERPWD). - Gotham
17

Try Cntlm. It's a proxy designed to sit between a program that doesn't understand NTLM (e.g., Git) and a proxy that requires NTLM. It does the NTLM authentication so that the app doesn't have to.

I haven't used it so I don't know how well it works.

Whitelaw answered 25/7, 2011 at 6:18 Comment(3)
Windows version of cntlm has a nasty bug: it does not read Parent proxy from .ini file; you must pass it as a command line arg. - Dichlorodiphenyltrichloroethane
I have used ntlmaps, and it works too. You don't need admin rights to use it, which is a plus over cntlm. - Kavanaugh
Worked wonderfully for me after setting authentication type. On Linux run cntlm -M <test-address> so that it can identify the best type available for you; not sure if you would do the same in Windows though. - Desmonddesmoulins
5

I used CNTLM authentication proxy (although this would most likely also work for ntlmaps) so git could work and added the http and https proxy as http:// localhost:3218. Git would take a very long time to do any remote action like fetch, pull, or clone.

The fix for this was to switch to use this instead: http:// 127.0.0.1:3218

After this was changed in the .gitconfig it worked much faster.

NB: Remove the spaces between http:// and 127.0.0.1

Ex:

[http]
    proxy = http:// 127.0.0.1:3128
[https]
    proxy = http:// 127.0.0.1:3128

Herold answered 28/4, 2014 at 19:36 Comment(5)
If using localhost takes longer, then you have a broken name resolution system. With a properly configured system, using localhost and 127.0.0.1 should be equivalent performance. - Twofaced
Thanks jhamm, localhost did not work but 127.0.0.1 works like a charm! - Dominickdominie
I have waited +/- 7 minutes for git commands for months now, changing from localhost to 127.0.0.1 brought that down to 2 seconds. This needs more upvotes! - Detwiler
@Greg Hewgill more likely, it's a bug in GIT as nslookup localhost returns instantly with 127.0.0.1. No other software OR scripts that I have that use the proxy have any delay when connecting to a proxy at localhost. Git took 2.5 minutes before connecting, now instant with 127.0.0.1. - Accommodation
Rather than set your proxy in git configs, I would recommend using netsh. On the command line you can set this like netsh winhttp set proxy http://127.0.0.1:3128. The advantage of doing it this way is that it will affect not only git but other apps you may need to use such as curl and npm. - Renn
3

Thanks to @richard-hansen for pointing out Cntlm. It provides a non-Windows adapter for a Windows proxy. Very neat.

Here are the exact steps that worked for me:

  1. Download and install Cntlm for Windows.
  2. Open Cntlm.ini (it is in the installation folder).
  3. Update username, domain. Save it.
  4. Run cntlm -I -M http://google.com from the command line.
  5. Cntlm will ask for the password you will use for the proxy server. Give it. (Most likely it is your Windows password.)
  6. Cntlm will identify the authentication method and generate a key. Pick up that result. (e.g. NTLMv2 77B9081511704EE852F94227CF48A793)
  7. Update Cntlm.ini with this info. (Uncomment the appropriate authentication and update the key.)
  8. Save and close.
  9. Now you need to start the Cntlm proxy server: net start cntlm
  10. Now update the application with the Cntlm proxy info. For Cntlm it is 127.0.0.1:3128 (this info is in the ini file; if you want it different, change it there). In the case of git: git config --global http.proxy 127.0.0.1:3128
  11. git should work fine through the proxy now.

Good luck! Elaborate steps here.

Norther answered 20/2, 2011 at 22:14 Comment(0)
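A check of the result of the steps above, as an added example that is not part of the original answer or of Cntlm: it reads a Cntlm.ini and reports a plaintext Password line, gateway mode, a listener bound beyond loopback, and a Git http.proxy value that does not match the Listen address. The two ini texts, the user, domain, password and hash placeholders, and the finding names are constructed for illustration.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed samples: user, domain, password and hash are placeholders.
WEAK_INI = """\
Password  not-a-real-password
Proxy     xxx.xxx.xx.xx:8080
Listen    0.0.0.0:3128
Gateway   yes
"""
HARDENED_INI = """\
Username    jdoe
Domain      CORP
Auth        NTLMv2
PassNTLMv2  HASH_PRINTED_BY_CNTLM
Proxy       xxx.xxx.xx.xx:8080
Listen      127.0.0.1:3128
"""

def parse_cntlm_ini(text):
    """Parse 'Key<whitespace>Value' lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def split_host_port(value):
    """'3128' -> ('', '3128'); 'http://127.0.0.1:3128' -> ('127.0.0.1', '3128')."""
    host, _, port = value.split("://", 1)[-1].rstrip("/").rpartition(":")
    return host, port

def audit(ini_text, git_proxy):
    """Return finding names (hypothetical labels) for a Cntlm.ini and Git's http.proxy."""
    conf = parse_cntlm_ini(ini_text)
    findings = []
    if "password" in conf:  # plaintext password on disk instead of a Pass* hash
        findings.append("plaintext-password")
    if conf.get("gateway", ["no"])[-1].lower() == "yes":  # listens on all interfaces
        findings.append("gateway-mode")
    listeners = [split_host_port(v) for v in conf.get("listen", [])]
    if any(host and host not in LOOPBACK for host, _ in listeners):
        findings.append("non-loopback-listen")
    git_host, git_port = split_host_port(git_proxy)
    if git_host not in LOOPBACK or git_port not in {port for _, port in listeners}:
        findings.append("git-proxy-mismatch")
    return findings
```

The Pass* hashes that Cntlm stores are sufficient to authenticate as the user, so Cntlm.ini still needs restrictive file permissions even without a Password line.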
1

With msysgit 1.9.5 (or perhaps earlier versions too, but untested) you can do it without embedding username and password in a plain text config file on disk.

git client using GSSAPI for NTLM proxy authentication

And this does not require cntlm.

Agram answered 6/4, 2015 at 10:39 Comment(0)
0

Option http.proxy works perfectly fine for NTLM proxy on Windows; check my following answer in a similar question:

https://mcmap.net/q/470201/-does-git-clone-work-through-ntlm-proxies

Njord answered 11/8, 2018 at 19:52 Comment(0)
