On Wed, 2014-06-18 at 18:14 +0100, David Woodhouse wrote:
> On Wed, 2014-06-18 at 10:44 +0100, David Woodhouse wrote:
> > I don't have access to a proxy requiring authentication. I could perhaps
> > set up squid to require basic auth, but NTLM and Kerberos are harder. If
> > I could have access to a proxy that requires such, then I might be more
> > inclined to implement this myself...
>
> It turns out to be relatively simple to set up a copy of squid to do
> Basic, NTLM and Negotiate auth against Active Directory, so I've done
> so.
>
> I've pushed some initial changes which make Basic auth work, and I may
> take a look at NTLM and Kerberos/GSSAPI if nobody beats me to it. Once
> it's working, I may take another look at the structure of it.

With what I pushed a few minutes ago NTLM now also works, although
*only* the single-sign-on version using Samba's /usr/bin/ntlm_auth
helper tool and winbind.

Manual NTLM authentication where you actually give it the username and
password isn't implemented - that's left as an exercise for the reader
(hint: there's an LGPLv2-compatible implementation to copy from in
https://git.gnome.org/browse/evolution-data-server/tree/camel/camel-sasl-ntlm.c
which even supports NTLMv2. Around line 873 is the interesting part).

I'm more likely to do GSSAPI next, rather than the boring gruntwork of
porting that code over. But definitely not today. Do feel free to help
out :) Reviewing the other code I've hastily thrown together may also
prove fruitful...

--
dwmw2