没有密码的NTLM代理?
[英]NTLM proxy without password?
问题描述
I work on a corporate windows network (which I log in to) with a HTTP proxy. 
我使用HTTP代理在公司的Windows网络(我登录到)上工作。 When I use Internet Explorer it magically uses the proxy without me needing to type in my password. 当我使用Internet Explorer时,它神奇地使用了代理,而无需输入密码。 Certain other programs seem to manage this too, like JavaWebStart has a "use browser settings" option. 某些其他程序似乎也可以管理此操作,例如JavaWebStart具有“使用浏览器设置”选项。
However when I use scripts/programs like curl or wget to fetch stuff from http, or do it within my Java code I seem to need to have my password stored somewhere, which obviously isn't best for security. 但是,当我使用curl或wget之类的脚本/程序从http中获取内容或在Java代码中进行操作时,我似乎需要将密码存储在某个位置,这显然不是最佳的安全性。
How can I get the password-less access that internet explorer has in a programmatic way? 如何以编程方式获得Internet Explorer的无密码访问权限?
I'm arguing this is a stack overflow question because I'm a programmer and I need my programs/scripts to work without typing in the password, though I can see that others might think it belongs on Server Fault/Superuser. 我认为这是一个堆栈溢出问题,因为我是一名程序员,我需要我的程序/脚本才能运行而无需输入密码,尽管我可以看到其他人可能认为它属于服务器故障/超级用户。
I know about settings like --proxy-ntlm in curl, but this still requires an ntlm username and password. 我知道curl中的--proxy-ntlm之类的设置,但这仍然需要一个ntlm用户名和密码。
3 个解决方案
解决方案1
47 已采纳 2009-08-14 10:41:24
In the absence of an answer from someone else here is what I have discovered, I hope it is useful for someone else. 在没有其他人回答的情况下,这就是我所发现的,我希望它对其他人有用。
Executive Summary: 执行摘要:
- Download SSPI enabled curl from http://curl.haxx.se/latest.cgi?curl=win32-ssl changing to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5) . 从http://curl.haxx.se/latest.cgi?curl=win32-ssl下载启用SSPI的curl,将其更改为Windows,zip,启用SSL,启用SSPI(7.19.5) 。
- Install Windows Open-SSL from http://www.slproweb.com/products/Win32OpenSSL.html and make a donation to support his bandwidth cost. 从http://www.slproweb.com/products/Win32OpenSSL.html安装Windows Open-SSL,并捐款支持他的带宽费用。
- Install the Visual C++ 2008 redistributables if you need them. 如果需要,请安装Visual C ++ 2008可再发行组件 。
- Use curl to fetch the page:
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com使用curl来获取页面: curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com
More detailed explanation 更详细的解释
The magic phrase for authentication using the Windows login mechanism is SSPI . 使用Windows登录机制进行身份验证的妙语是SSPI 。 This gives a good google search phrase. 这给了一个很好的谷歌搜索短语。 I still haven't found a good way of using SSPI for HTTP proxy authentication in java or wget though. 我仍然没有找到在Java或wget中使用SSPI进行HTTP代理身份验证的好方法。
However, curl (the download tool) does support SSPI but only in certain builds. 但是, curl(下载工具) 确实支持SSPI,但仅在某些版本中才支持。 Unfortunately the default cygwin build is not one of them. 不幸的是,默认的cygwin版本不是其中之一。 You can find out if your build of curl supports SSPI by getting the verbose version information: 您可以通过获取详细的版本信息来确定curl的构建是否支持SSPI:
curl -v -V
If SSPI is supported it will be mentioned in the features line. 如果支持SSPI,将在功能行中提及。
To get a windows version that supported SSPI I had to go to http://curl.haxx.se/latest.cgi?curl=win32-ssl and then change the download choice to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5) . 要获得支持SSPI的Windows版本,我必须转到http://curl.haxx.se/latest.cgi?curl=win32-ssl ,然后将下载选项更改为Windows,zip,启用SSL,启用SSPI (7.19.5) 。 By the time you read this the version number may have changed. 在您阅读本文时,版本号可能已更改。
This then silently failed from the command line. 然后,这从命令行静默失败。 When I ran from windows explorer I got a message about a missing libeay32.dll. 当我从Windows资源管理器中运行时,我收到一条有关缺少libeay32.dll的消息。 One way of getting this from windows is from the only link at openssl.org to a windows version . 从Windows获得此功能的一种方法是从openssl.org上的唯一链接到Windows版本 。 The producer of this requests a donation to cover bandwidth costs. 生产者要求捐赠以支付带宽成本。 Another way would be to build your own from source. 另一种方法是从源代码构建自己的资源。
And after all that curl worked with the following command line: 毕竟,curl使用以下命令行工作:
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com
The -U : configures no password, the other commandline options set up the proxy. -U :配置密码,其他命令行选项设置代理。 You'll probably have to change your proxy and port settings. 您可能必须更改代理和端口设置。
This would all be much easier if only cygwin's curl release supported SSPI. 如果仅cygwin的curl发行版支持SSPI,这一切都将更加容易。 I'm going to go put in a request for that now. 我现在要提出要求。
解决方案2
7 2012-10-19 13:55:46
Please note my edit contains an inaccurate assumption about -U and -u. 请注意,我的编辑中关于-U和-u的假设不正确。 I have submitted a correction, but in the interim note: 我已提交更正,但在临时说明中:
curl -U = Authentication to a proxy
curl -u = Authentication to a server
Therefore, the first command should be: 因此,第一个命令应为:
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com
and the second one, in the example for transparent NTLM: 第二个,在透明NTLM的示例中:
curl -v -u : --ntlm [the redirection URL from Location: header]
Sorry about that! 对于那个很抱歉!
解决方案3
2 2016-08-19 19:58:28
Might be a bit late but wanted to mention this nonetheless. 可能会晚一点,但还是要提一下。 The original question is generically asking about NTLM proxy auth without passwords on Windows where user has already logged in. No doubt curl can do this but I wanted to give another option. 最初的问题通常是询问用户已登录的Windows上没有密码的NTLM代理身份验证。毫无疑问curl可以做到这一点,但我想提供另一个选择。
NTLMAps and Cntlm are proxies that do the NTLM auth as an intermediary proxy. NTLMAps和Cntlm是作为中间代理进行NTLM身份验证的代理。 However, they both require the user/pass since they are mostly targeted towards Linux users. 但是,它们都需要用户名/密码,因为它们主要针对Linux用户。 I historically used these tools on Windows but was annoyed by the same requirement of having to provide the credentials to them. 我曾经在Windows上使用过这些工具,但是对必须提供凭据的相同要求感到恼火。
As a result, I've authored Px for Windows which is an HTTP proxy like the above two, but uses SSPI to manage the required authentication with the corporate proxy. 结果,我编写了Windows的Px,它是上面两个的HTTP代理,但是使用SSPI通过企业代理管理所需的身份验证。 All you need to configure is the proxy server and port. 您只需要配置代理服务器和端口即可。 It helps for existing applications that cannot talk through NTLM proxies such as pip and npm for example. 它有助于无法通过NTLM代理(例如pip和npm)进行对话的现有应用程序。
For developing your own apps, the code should also help figure out how to do this within Python and perhaps languages which have access to SSPI. 对于开发自己的应用程序,代码还应有助于弄清楚如何在Python以及可能访问SSPI的语言中执行此操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.