Many corporate environments use NTLM-authenticated proxies for security, which creates headaches for developers trying to use package managers like apt-get. Unlike basic auth proxies, NTLM requires a more complex authentication handshake that apt-get doesn't natively support.
Before proceeding, ensure you have:
- Administrative access to your Ubuntu system
- Valid proxy credentials (domain\username format)
- Proxy server address and port
- Python installed (usually comes pre-installed)
The most reliable approach is to use CNTLM (a local proxy that handles NTLM authentication) as an intermediary between apt-get and your corporate proxy. Here's how to set it up:
sudo apt-get install cntlm
After installation, configure CNTLM:
sudo nano /etc/cntlm.conf
Add your proxy details (example configuration):
Username your_username
Domain your_domain
Password your_password
Proxy proxy.corporate.com:8080
Listen 3128
Then restart CNTLM:
sudo service cntlm restart
Now configure apt to use your local CNTLM proxy:
sudo nano /etc/apt/apt.conf.d/proxy.conf
Add these lines:
Acquire::http::Proxy "http://127.0.0.1:3128";
Acquire::https::Proxy "http://127.0.0.1:3128";
If CNTLM doesn't work for your environment, try ntlmaps:
sudo apt-get install python
wget https://sourceforge.net/projects/ntlmaps/files/ntlmaps-0.9.9.0.1.tar.gz
tar -xzvf ntlmaps-0.9.9.0.1.tar.gz
cd ntlmaps-0.9.9.0.1
Edit server.cfg:
[Main]
ListenPort: 5865
ParentProxy: your.proxy.com:8080
ParentAuth: NTLM
Verify everything works by running:
sudo apt-get update
If you encounter errors, check CNTLM's logs:
tail -f /var/log/cntlm.log
To ensure CNTLM starts at boot, so your proxy settings survive reboots:
sudo systemctl enable cntlm
Or for older systems:
sudo update-rc.d cntlm defaults
If authentication fails:
- Verify your password hasn't expired
- Check if your domain format is correct (DOMAIN\user)
- Test your credentials with cntlm -u your_username -d your_domain -H
- Ensure no firewall is blocking port 3128
Many corporate environments enforce NTLM authentication for proxy servers, which creates headaches when trying to use Ubuntu's package management system. Unlike basic authentication, NTLM requires special handling that apt-get doesn't support natively.
The standard proxy configuration in /etc/apt/apt.conf using:
Acquire::http::Proxy "http://user:pass@proxy:port";
only works for basic authentication. NTLM requires multiple message exchanges that standard HTTP proxy connections don't handle.
The most reliable approach is to use CNTLM (Connection NTLM) as a local proxy that handles the NTLM authentication while presenting a standard proxy interface to apt-get.
Install CNTLM:
sudo apt-get install cntlm
Edit the configuration file at /etc/cntlm.conf:
Username your_username
Domain your_domain
Password your_password
Proxy your.proxy.address:port
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
Listen 127.0.0.1:3128
Generate the NTLM password hashes:
sudo cntlm -H -d your_domain -u your_username
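This prompts for your password and prints hash lines (PassLM, PassNT and PassNTLMv2). Add them to the config file and delete the plaintext Password line. CNTLM authenticates with these hashes, so anyone who can read them can do the same: keep /etc/cntlm.conf readable by root only.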
Configure apt to use the local CNTLM proxy by editing /etc/apt/apt.conf:
Acquire::http::Proxy "http://127.0.0.1:3128";
Acquire::https::Proxy "http://127.0.0.1:3128";
For temporary solutions, you can create a tunnel with ncat:
ncat --proxy-type http --proxy-auth user:pass --proxy proxy:port -l 3128
Then point apt-get to localhost:3128 as above.
If you get authentication failures:
- Verify your domain is correctly specified
- Check if your password has special characters that need escaping
- Try using the NTLMv2 hashes instead of NTLMv1
For performance issues, try adjusting the CNTLM packet size settings in the config file.
Always:
- Use hashed passwords in CNTLM config
- Restrict CNTLM to listen only on localhost
- Regularly update your package lists: apt verifies repository signatures on every update, so signature errors can reveal tampering in transit (MITM)
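One way to check an existing /etc/cntlm.conf against the points in the list above, as an added example that is not part of the original page. The function name and finding labels are made up for illustration, the Gateway directive is a cntlm option the page does not mention, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a cntlm.conf.
# Prints one finding per line; prints nothing when the file passes.
audit_cntlm_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 0; }

    # 1. A live Password directive stores the credential in cleartext.
    #    PassLM / PassNT / PassNTLMv2 are the hashed forms printed by cntlm -H.
    if grep -Eq '^[[:space:]]*Password[[:space:]]+[^[:space:]]' "$conf"; then
        echo "PLAINTEXT_PASSWORD: replace Password with the cntlm -H hash lines"
    fi

    # 2. Listen accepts "port" or "addr:port"; flag any non-loopback address.
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}//p' "$conf" |
    while read -r value _ || [ -n "$value" ]; do
        case $value in
            *:*) addr=${value%:*} ;;
            *)   addr=127.0.0.1 ;;   # bare port: local only unless Gateway is on
        esac
        case $addr in
            127.*|localhost) ;;
            *) echo "LISTEN_EXPOSED: Listen $value is not bound to loopback" ;;
        esac
    done

    # 3. Gateway yes lets other hosts relay through your credentials.
    if grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf"; then
        echo "GATEWAY_ENABLED: set Gateway no"
    fi

    # 4. cntlm authenticates with the stored hashes, so keep the file private.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FILE_READABLE: chmod 600 $conf (group/other bits: $perms)"
    fi
    return 0
}

# Usage: sh audit.sh /etc/cntlm.conf. With no argument, audit a constructed
# sample that mirrors the first configuration shown on this page.
if [ -n "${1:-}" ]; then
    audit_cntlm_conf "$1"
else
    sample=$(mktemp) && chmod 644 "$sample"
    printf 'Username your_username\nPassword your_password\nListen 3128\n' >"$sample"
    audit_cntlm_conf "$sample"
    rm -f "$sample"
fi
```

An empty result means the file uses hashes only, listens on loopback and is not readable by group or other.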