21

I'm trying to access a repository on Github from a Windows machine that is behind a proxy that requires NTLM authentication. Neither SSH nor the git:// protocol are directly available, so I'm trying to make this work with HTTPS through the proxy.

With the help of "NTLM proxy without password?" I have been able to make the curl binary supplied with msysgit play nice with the proxy:

```
curl -U : --proxy-ntlm --proxy xxx.xxx.xx.xx:8080 https://github.com
```

This is successful and returns the Github home page.

However, I found an article from Feb 2010, "Proxying Git", that states (emphasis mine):

> Unfortunately it appears that curl will always use Basic authentication with the proxy. If your proxy needs something else, perhaps NTLM for a Windows network, then you have a problem. Curl is used to handle all the http transport details and this does support the NTLM authentication method but I know of no method to pass the necessary options to curl. Git makes use of curl via its library binding so it is not enough just to replace the curl executable with a wrapper script.

I know about the core.gitproxy option in the Git configuration, but that appears to only apply to the git:// protocol. Similarly, the http.proxy option sets the address of the proxy, but provides no way to supply the appropriate options to curl.

Greg Hewgill
  • I think the comment in the article makes no sense. curl uses the libcurl library, which implements the support for NTLM. Whether or not git supports such functionality provided by libcurl is another matter. – Artefacto Feb 20 '11 at 22:38
  • BTW, you can try to use iptables to redirect the requests to `github.com` to your own machine and make it act as a transparent proxy that then forwards to the NTLM proxy using the proper authentication. But by this time, it would be easier to just set up a VPN and route the traffic to github.com through it. – Artefacto Feb 20 '11 at 22:43
  • @Artefacto: Yes, I understand that both git and curl use libcurl, but the question is about how to pass the required NTLM related options through git to libcurl. Also, iptables is quite out of the question because (a) the client machine is Windows, and (b) local administrator access is not available. – Greg Hewgill Feb 20 '11 at 22:49
  • I think it's just a matter of using `curl_easy_setopt(handle, CURLOPT_PROXYAUTH, CURLAUTH_NTLM)` together with the other usual options for proxy authentication (`CURLOPT_PROXY`, `CURLOPT_PROXY_TYPE` and `CURLOPT_PROXYUSERPWD`). – Artefacto Feb 20 '11 at 22:53

5 Answers

17

Try Cntlm. It's a proxy designed to sit between a program that doesn't understand NTLM (e.g., Git) and a proxy that requires NTLM. It does the NTLM authentication so that the app doesn't have to.

I haven't used it so I don't know how well it works.

Richard Hansen
  • Windows version of cntlm has a nasty bug: it does not read Parent proxy from .ini file, - you must pass it as a command line arg. – Giorgi Chakhidze Jan 31 '12 at 12:06
  • I have used ntlmaps, and it works too. You don't need admin rights to use it, which is a plus over cntlm – Juancentro Aug 30 '13 at 18:51
  • Worked wonderfully for me after setting authentication type. On Linux run `cntlm -M ` so that it can identify the best type available for you, not sure if you would do the same in Windows though. – Herick Nov 05 '14 at 18:31
5

I used CNTLM authentication proxy (although this would most likely also work for ntlmaps) so git could work and added the http and https proxy as http:// localhost:3218. Git would take a very long time to do any remote action like fetch, pull, or clone.

The fix for this was to switch to use this instead: http:// 127.0.0.1:3218

After this was changed in the .gitconfig it worked much faster.

NB: Remove the spaces between http:// and 127.0.0.1

Ex:

```
[http]
    proxy = http:// 127.0.0.1:3128
[https]
    proxy = http:// 127.0.0.1:3128
```

jhamm
  • If using `localhost` takes longer, then you have a broken name resolution system. With a properly configured system, using `localhost` and `127.0.0.1` should be equivalent performance. – Greg Hewgill Apr 28 '14 at 20:04
  • Thanks jhamm, localhost did not work but 127.0.0.1 works like a charm! – pierrefevrier Oct 21 '14 at 09:24
  • I have waited +/- 7 minutes for git commands for months now, changing from localhost to 127.0.0.1 brought that down to 2 seconds. This needs more upvotes! – Nino van Hooff Jan 13 '15 at 14:45
  • @Greg Hewgill more likely, it's a bug in GIT as `nslookup localhost` returns instantly with `127.0.0.1`. No other software OR scripts that I have that use the proxy have any delay when connecting to a proxy at `localhost`. Git took 2.5 minutes before connecting, now instant with `127.0.0.1`. – Adam Kerz Mar 09 '15 at 01:47
  • Rather than set your proxy in git configs, I would recommend using netsh. On the command line you can set this like `netsh winhttp set proxy http://127.0.0.1:3128` The advantage of doing it this way is that it will affect not only git but other apps you may need to use such as curl and npm. – Okonomiyaki3000 Mar 01 '16 at 01:53
3

Thanks to @richard-hansen for pointing out Cntlm. It provides a non-Windows adapter for a Windows proxy. Very neat.

Here are the exact steps that worked for me:

  1. Download and install Cntlm for Windows.
  2. Open Cntlm.ini (it is in the installation folder).
  3. Update username, domain. Save it.
  4. Run `cntlm -I -M http://google.com` from the command line.
  5. Cntlm will ask for the password you will use for the proxy server. Give it. (Most likely it is your Windows password.)
  6. Cntlm will identify the authentication method and generate a key. Pick up that result. (e.g. `NTLMv2 77B9081511704EE852F94227CF48A793`)
  7. Update Cntlm.ini with this info. (Uncomment the appropriate authentication and update the key.)
  8. Save and close.
  9. Now you need to start the Cntlm proxy server: `net start cntlm`
  10. Now update the application with the Cntlm proxy info. For Cntlm it is 127.0.0.1:3128 (this info is in the ini file; if you want it different, change it there). In the case of git: `git config --global http.proxy 127.0.0.1:3128`
  11. git should work fine through the proxy now.

Good luck! Elaborate steps here.

rpattabi
1

With msysgit 1.9.5 (or perhaps earlier versions too, but untested) you can do it without embedding username and password in a plain text config file on disk.

git client using GSSAPI for NTLM proxy authentication

And this does not require cntlm.

JonT
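Added example, not part of any answer on this page: a small Python audit for the two credential-handling points raised above, the Cntlm.ini produced by the step-by-step answer and the plain-text proxy credentials mentioned in the msysgit answer. The option names (`Password`, `PassNTLMv2`, `Listen`, `Gateway`, `Auth`) are Cntlm's own; the sample file contents, user, domain and proxy host are constructed placeholders.

```python
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample files; user, domain and proxy host are placeholders.
RISKY_INI = """\
Username    jdoe
Domain      EXAMPLE
Password    Summer2011!
Proxy       proxy.example.internal:8080
Listen      0.0.0.0:3128
Gateway     yes
"""
HARDENED_INI = """\
Username    jdoe
Domain      EXAMPLE
Auth        NTLMv2
PassNTLMv2  <hash printed by cntlm -I -M>
Proxy       proxy.example.internal:8080
Listen      127.0.0.1:3128
"""

def audit_cntlm(text):
    """Return findings for a Cntlm.ini given as text ('Key  Value' lines)."""
    findings = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or key without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "password":
            findings.append("plaintext Password on disk; store the PassNTLMv2 hash instead")
        elif key == "gateway" and value.lower() == "yes":
            findings.append("Gateway yes: Cntlm accepts connections from other hosts")
        elif key == "listen":
            host = value.rpartition(":")[0].strip("[]")  # empty when only a port is given
            if host and host not in LOOPBACK:
                findings.append(f"Listen binds {host}, not loopback")
    return findings

def audit_git_proxy(url):
    """Flag credentials embedded in a git http.proxy value."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.password:
        return ["password embedded in http.proxy; it sits in plain text in .gitconfig"]
    return []

if __name__ == "__main__":
    for name, ini in (("risky", RISKY_INI), ("hardened", HARDENED_INI)):
        print(name, audit_cntlm(ini))
    print(audit_git_proxy("http://jdoe:secret@proxy.example.internal:8080"))
```

The `PassNTLMv2` value is still sufficient to authenticate to the proxy as that user, so Cntlm.ini should be readable only by the account that runs Cntlm.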
0

Option http.proxy works perfectly fine for NTLM proxy on windows, check my following answer in a similar question:

https://stackoverflow.com/a/10848870/352672

Nelson