
I'm working behind a corporate proxy in a terminal shared by multiple users. We use Cntlm in order to connect to the Internet. As each user has their own credentials, I was wondering whether it would be possible to use a local configuration file (something like ~/.cntlm) rather than a global one (/etc/cntlm.conf).

As I didn't find a way to do it through Cntlm itself, I thought of turning the standard /etc/cntlm.conf into a symlink that would point to $HOME/.cntlm, i.e., each user would have a .cntlm file with their credentials in their home directory. The idea was to start the Cntlm service after the user logged in and have the system dynamically resolve the symlink to the current user's home directory. That sounded smart at first, but then I found out that variable symlinks are simply not allowed in Linux, as discussed here and here.

It's worth noting that, in our case, only one user is logged in at any given time. Also, I'm looking for solutions that don't leave sensitive information "exposed", such as locally exporting the environment variables http_proxy and https_proxy (as suggested elsewhere). The problem with this approach is that every user has root access to the machine, and the login/password used are from LDAP and give access to other systems as well. At this point, I want to put strong emphasis on the fact that I'm not concerned with any attempt by me or my colleagues to cause any harm to anyone. I'm just investigating the software limitations. That said, although I trust my colleagues, I see no reason to leave the password hardcoded instead of storing its hash (as Cntlm does in cntlm.conf) or using some other tool (if one exists) that implements a yet better protection mechanism (e.g., encryption, password prompt on first usage, etc.).

I'm aware that, because everyone has root access to the machine, having one configuration file per user doesn't prevent someone from using someone else's credentials to access the Internet, which would cause the remote proxy to log all accesses as coming from the wrong user (everything is monitored), which is obviously bad. I think that all these concerns are pretty obvious, so I'm probably missing something here (using the wrong tool for the job, maybe?).

So, here are my two questions:

  1. How can I set Cntlm (or an alternative tool you may suggest) so that multiple users (with only one active user in the system at a time) can connect to the Internet through a proxy using their own credentials in a minimally secure setting?

  2. In case there were multiple users logged in at the same time, is there any tool that properly coordinates/serves the requests based on individual configuration files?

EDIT:

Maybe I wasn't clear enough in my question. Our problem is related to the use of console applications, such as git, curl, wget, etc. There's no problem in the browser because it prompts for the credentials and also gives the option to store them. Git, for instance, allows the setup of a proxy. The same is true for most other applications, but having to set up each application separately is really annoying. That's why we are using Cntlm.


1 Answer


The solution we use is not to put any credential information in cntlm.conf.

In this case, when the browser connects to cntlm, cntlm will raise a "407 Proxy Authentication Required" and the browser will prompt for username and password. The browser can usually then be convinced to store the password in its - or in the case of Chrome, at least, in Ubuntu's - encrypted password store.

This will be much more secure than putting the password into a user specific config file.

Here is our configuration:

Domain          ADDomain
Proxy           proxy.example.com:8080
Listen          3128
NTLMToBasic     yes
NoProxy         *.example.com
Craig
  • Oh, I see... Maybe I wasn't clear enough in my question (should probably edit it)... Our problem is related to console applications, such as `git`, `curl`, `wget`... How do you deal with them? In the browser we have no problem because, as you said, it prompts for the credentials... – Alexandre Lucchesi Jun 08 '16 at 08:47
  • This approach is probably still workable. For example, running curl with a -u username option and no password will make it prompt you for the password. If you are running the tool in a script you can usually put the tool's command line options in the tool's config file, which will be safer than having it show up in a process listing. – Craig Jun 08 '16 at 10:23
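The credential-free cntlm setup from the answer, plus the per-user, prompt-for-password console configuration from the follow-up comment, as an added example that is not part of the original thread or of the Cntlm project. It assumes cntlm listens on port 3128 as in the answer's config, and that tools read a curlrc from the path you pass in (curl's default is ~/.curlrc).

```shell
#!/bin/sh
# Added example (not from the original post or Cntlm). Two defender-side
# helpers for the setup the answer describes:
#  1. check_cntlm_conf: confirm a cntlm.conf stores no credentials and has
#     NTLMToBasic enabled, so every user is prompted by their own client.
#  2. write_user_curlrc: a per-user curlrc pointing console tools at the
#     local cntlm with a user name only; curl then prompts for the password
#     instead of it sitting on disk or showing up in a process listing.

# Return 0 if $1 is a cntlm.conf with no credential directives and
# NTLMToBasic enabled; print each problem found and return 1 otherwise.
check_cntlm_conf() {
    conf=$1
    status=0
    # Password/PassLM/PassNT/PassNTLMv2 store a secret or its NTLM hash;
    # Username would pin the shared file to one account.
    if grep -Eiq '^[[:space:]]*(Password|PassLM|PassNT|PassNTLMv2|Username)[[:space:]]' "$conf"; then
        echo "credential directive present in $conf"
        status=1
    fi
    if ! grep -Eiq '^[[:space:]]*NTLMToBasic[[:space:]]+yes' "$conf"; then
        echo "NTLMToBasic is not enabled in $conf"
        status=1
    fi
    return $status
}

# Write a curlrc for user $1 to file $2, using local cntlm port $3 (default 3128).
# proxy-user with no password makes curl prompt for it at run time.
write_user_curlrc() {
    user=$1 out=$2 port=${3:-3128}
    # Subshell so the restrictive umask (owner-only file) does not leak out.
    ( umask 077; cat > "$out" <<EOF
# constructed per-user curl defaults: local cntlm, user name only, no password
proxy = "http://127.0.0.1:${port}"
proxy-user = "${user}"
EOF
    )
}
```

Run `check_cntlm_conf /etc/cntlm.conf` after editing the shared file, and `write_user_curlrc "$USER" "$HOME/.curlrc"` once per account; git can be pointed at the same local proxy with `git config --global http.proxy http://127.0.0.1:3128`.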