NTLM代理没有密码?
我使用 HTTP 代理在公司 Windows 网络(我登录的网络)上工作。 当我使用 Internet Explorer 时,它会神奇地使用代理,而无需我输入密码。 某些其他程序似乎也可以管理此问题,例如 JavaWebStart 有一个“使用浏览器设置”选项。
然而,当我使用像curl或wget这样的脚本/程序从http获取东西,或者在我的Java代码中执行它时,我似乎需要将我的密码存储在某个地方,这显然不是最好的安全性。
如何以编程方式获得 Internet Explorer 的无密码访问权限?
我认为这是一个堆栈溢出问题,因为我是一名程序员,我需要我的程序/脚本才能工作无需输入密码,尽管我可以看到其他人可能认为它属于服务器故障/超级用户。
我知道像curl中的--proxy-ntlm这样的设置,但这仍然需要ntlm用户名和密码。
I work on a corporate windows network (which I log in to) with a HTTP proxy. When I use Internet Explorer it magically uses the proxy without me needing to type in my password. Certain other programs seem to manage this too, like JavaWebStart has a "use browser settings" option.
However when I use scripts/programs like curl or wget to fetch stuff from http, or do it within my Java code I seem to need to have my password stored somewhere, which obviously isn't best for security.
How can I get the password-less access that internet explorer has in a programmatic way?
I'm arguing this is a stack overflow question because I'm a programmer and I need my programs/scripts to work without typing in the password, though I can see that others might think it belongs on Server Fault/Superuser.
I know about settings like --proxy-ntlm in curl, but this still requires an ntlm username and password.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在没有其他人回答的情况下,这是我发现的,我希望它对其他人有用。
执行摘要:
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com更详细的解释
用于身份验证的神奇短语使用Windows登录机制是SSPI。 这给出了一个很好的谷歌搜索短语。 不过,我仍然没有找到在 java 或 wget 中使用 SSPI 进行 HTTP 代理身份验证的好方法。
但是,curl(下载工具) 确实支持 SSPI,但仅在某些版本中支持。 不幸的是,默认的 cygwin 构建不是其中之一。 您可以通过获取详细版本信息来了解您的curl版本是否支持SSPI:
如果支持SSPI,则会在功能行中提及。
要获得支持 SSPI 的 Windows 版本,我必须访问 http://curl。 haxx.se/latest.cgi?curl=win32-ssl,然后将下载选项更改为 Windows、zip、启用 SSL、启用 SSPI (7.19.5)。 当您阅读本文时,版本号可能已更改。
然后,这从命令行静默失败。 当我从 Windows 资源管理器运行时,我收到一条有关缺少 libeay32.dll 的消息。 从 Windows 获取此信息的一种方法是从 openssl.org 上的唯一链接到 < a href="http://www.slproweb.com/products/Win32OpenSSL.html" rel="noreferrer">Windows 版本。 该节目的制作者请求捐款以支付带宽费用。 另一种方法是从源代码构建自己的方法。
毕竟,curl 使用以下命令行:
-U :配置没有密码,其他命令行选项设置代理。 您可能需要更改代理和端口设置。如果 cygwin 的curl 版本支持 SSPI,这一切都会容易得多。 我现在要提出请求。
In the absence of an answer from someone else here is what I have discovered, I hope it is useful for someone else.
Executive Summary:
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.comMore detailed explanation
The magic phrase for authentication using the Windows login mechanism is SSPI. This gives a good google search phrase. I still haven't found a good way of using SSPI for HTTP proxy authentication in java or wget though.
However, curl (the download tool) does support SSPI but only in certain builds. Unfortunately the default cygwin build is not one of them. You can find out if your build of curl supports SSPI by getting the verbose version information:
If SSPI is supported it will be mentioned in the features line.
To get a windows version that supported SSPI I had to go to http://curl.haxx.se/latest.cgi?curl=win32-ssl and then change the download choice to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5). By the time you read this the version number may have changed.
This then silently failed from the command line. When I ran from windows explorer I got a message about a missing libeay32.dll. One way of getting this from windows is from the only link at openssl.org to a windows version. The producer of this requests a donation to cover bandwidth costs. Another way would be to build your own from source.
And after all that curl worked with the following command line:
The
-U :configures no password, the other commandline options set up the proxy. You'll probably have to change your proxy and port settings.This would all be much easier if only cygwin's curl release supported SSPI. I'm going to go put in a request for that now.
请注意,我的编辑包含关于 -U 和 -u 的不准确假设。 我已经提交了更正,但在临时注释中:
因此,第一个命令应该是:
第二个命令应该是: 在透明 NTLM 的示例中:
抱歉!
Please note my edit contains an inaccurate assumption about -U and -u. I have submitted a correction, but in the interim note:
Therefore, the first command should be:
and the second one, in the example for transparent NTLM:
Sorry about that!
可能有点晚了,但还是想提一下。 最初的问题一般是询问用户已经登录的 Windows 上的 NTLM 代理身份验证,无需密码。毫无疑问,curl 可以做到这一点,但我想提供另一个选项。
NTLMAps 和 Cntlm 是作为中间代理执行 NTLM 身份验证的代理。 然而,它们都需要用户/密码,因为它们主要针对 Linux 用户。 我过去曾在 Windows 上使用过这些工具,但对必须向它们提供凭据的相同要求感到恼火。
因此,我编写了 Px for Windows,它是一个与上面两个类似的 HTTP 代理,但使用SSPI 通过公司代理管理所需的身份验证。 您需要配置的只是代理服务器和端口。 它有助于无法通过 NTLM 代理(例如 pip 和 npm)进行通信的现有应用程序。
为了开发您自己的应用程序,代码还应该有助于弄清楚如何在 Python 以及可能可以访问 SSPI 的语言中执行此操作。
Might be a bit late but wanted to mention this nonetheless. The original question is generically asking about NTLM proxy auth without passwords on Windows where user has already logged in. No doubt curl can do this but I wanted to give another option.
NTLMAps and Cntlm are proxies that do the NTLM auth as an intermediary proxy. However, they both require the user/pass since they are mostly targeted towards Linux users. I historically used these tools on Windows but was annoyed by the same requirement of having to provide the credentials to them.
As a result, I've authored Px for Windows which is an HTTP proxy like the above two, but uses SSPI to manage the required authentication with the corporate proxy. All you need to configure is the proxy server and port. It helps for existing applications that cannot talk through NTLM proxies such as pip and npm for example.
For developing your own apps, the code should also help figure out how to do this within Python and perhaps languages which have access to SSPI.