Connecting to an SSH server from Client behind an NTLM Proxy


I'm trying to get to my SSH server on the internet from a corporate network. All connections to the outside internet have to be proxied through a server that checks for the NTLM hash of each client on each request. I'm using Cntlm for that, and it's only half working. It works fine for HTTP-based connections, but not for SSH-style connections. I know this because I can connect to Sublime Text's Package Control plugin to get and update plugins. I, however, cannot use it to SSH into my server using Cntlm's Tunnel configuration.

Looking into Cntlm's logs, I can see the following …

cntlm: PID 1460: TUNNEL
Tunneling to for client 6...
Starting authentication...
NTLM Request:
       Domain: domain.tld
     Hostname: D-HOSTNAME
        Flags: 0xA208B205

NTLM Handshake (Type 1)

Sending PROXY auth request...
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM [REDACTED]
Content-Length                 => 0

Reading PROXY auth response …

HEAD: HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via                            => 1.1 FOLLICLE
Proxy-Authenticate             => NTLM [REDACTED]
Connection                     => Keep-Alive
Proxy-Connection               => Keep-Alive
Pragma                         => no-cache
Cache-Control                  => no-cache
Content-Type                   => text/html
Content-Length                 => 0
NTLM Challenge:
    Challenge: 4AC9211DC2875FFF (len: 178)
        Flags: 0xA2898205
    NT domain: NTDOMAIN
       Server: PROXY
       Domain: domain.tld
         FQDN: proxy.domain.tld
          TLD: domain.tld
        TBofs: 64
        TBlen: 114
        ttype: 0
        Nonce: CB4E6617ABF19C24
    Timestamp: -1581153408
NTLM Response:
     Hostname: 'D-HOSTNAME'
       Domain: 'domain.tld'
     Username: 'username'
     Response: '[REDACTED]' (162)
     Response: '[REDACTED]' (24)
Sending real request:
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM [REDACTED]

And finally I get this …

Reading real response:
HEAD: HTTP/1.1 200 Connection established
Via                            => 1.1 PROXY
Connection                     => Keep-Alive
Proxy-Connection               => Keep-Alive
Ok CONNECT response. Tunneling...
tunnel: select cli: 6, srv: 7
Joining thread 537272664; rc: 0

Because the firewall only allows connections to the outside internet through the proxy server from port 80 and port 443, I reconfigured my SSH server to accept connections from port 443.

The problem I'm seeing is that once I try an SSH connection, Sublime Text's SFTP plugin reports a connection timeout. Using PuTTY results in an instant PuTTY Fatal Error: Server unexpectedly closed network connection. The Google Chrome extension Secure Shell gives me a more detailed error of ssh_exchange_identification: Connection closed by remote host
NaCl plugin exited with status code 255.

Cntlm Configuration

# The username of the client you wish to masquerade as.
Username    username

# The domain name of the network you are connected to.
Domain      domain.tld

# The Password, LM, NTLM, or NTLMv2 Password.
# You should leave this blank and then start cntlm
# with the -M arg to get the hash information, then
# place that information here.

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
Workstation D-HOSTNAME

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
Proxy       PROXY:8080

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on by default
Listen      3128

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have its usage on my
# conscience. :) Really, try -M first.
Auth        NTLMv2

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>

This is the configuration section that I'm using for the Tunnel within Cntlm.

PuTTY Configuration

IP:PORT     localhost:1443

This is what I'm using for the PuTTY connection.

Sublime Text

"http_proxy": "http://localhost:3128",

Any ideas what I can do to fix this? I would like to SSH into my server; there must be a way to do this using only Cntlm's Tunneling feature, I just don't know what I am doing wrong.

I can tell you that I can connect to my SSH server using port 443 from outside of the corporate network.

Best Answer

I was getting the 407 response when trying to connect to an SSH server through CNTLM with PuTTY. The Forefront TMG proxy was objecting to DNS lookups from PuTTY, not the SSH traffic itself. You need to turn off "Do DNS name lookups at proxy end" in the Proxy page of PuTTY Configuration. The "No" setting works; "Auto" or "Yes" will result in the 407 response.
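The log in the question shows the two outcomes a CONNECT tunnel can have at the proxy: a 407 Proxy Authentication Required, or a 200 Connection established after which the tunneled bytes (for SSH, the server's SSH-2.0 identification string) should follow. The script below is an added example, not code from the question, the answer, cntlm or PuTTY: it sends a CONNECT request to a local proxy listener and classifies the reply so that "proxy rejected the CONNECT" can be told apart from "tunnel came up but the far end closed without an SSH banner", which is the symptom the clients in the question report. It assumes that cntlm's Listen port (localhost:3128 in the question) behaves as a normal HTTP proxy and accepts CONNECT; PROXY_HOST, PROXY_PORT, the probe() helper and the three SAMPLE_* replies are constructed for this example.

```python
# Added example (not from the question or answer): send a CONNECT request to
# an HTTP proxy such as the local cntlm listener and classify what comes back.
import socket

PROXY_HOST = "localhost"   # assumption: cntlm's Listen address from the question
PROXY_PORT = 3128          # assumption: cntlm's Listen port from the question
HEADER_END = b"\r\n\r\n"


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request a client sends to an HTTP proxy for a TCP tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes):
    """Split a proxy reply into (status, reason, headers, leftover bytes).

    `leftover` is whatever followed the blank line that ends the headers; for a
    successful CONNECT that is the first bytes of the tunneled protocol.
    """
    head, sep, leftover = raw.partition(HEADER_END)
    if not sep:
        raise ValueError("incomplete HTTP response head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2].decode("latin-1").strip() if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, reason, headers, leftover


def classify(status: int, headers: dict, leftover: bytes) -> str:
    """Map a CONNECT reply to the failure mode it indicates."""
    if status == 407:
        # The proxy rejected the credentials for this CONNECT; the
        # Proxy-Authenticate header names the scheme it expects (NTLM here).
        scheme = headers.get("proxy-authenticate", "?").split(" ")[0]
        return f"proxy_auth_required:{scheme}"
    if status != 200:
        return f"proxy_refused:{status}"
    if leftover.startswith(b"SSH-"):
        return "ssh_banner_ok"
    if leftover:
        return "tunnel_up_not_ssh"
    # Tunnel established but nothing came back: the far end closed the
    # connection or is not speaking SSH on that port.
    return "tunnel_up_no_banner"


def diagnose(raw: bytes) -> str:
    """Convenience wrapper: parse a captured reply and classify it."""
    status, _, headers, leftover = parse_connect_response(raw)
    return classify(status, headers, leftover)


def probe(target_host: str, target_port: int = 443,
          proxy_host: str = PROXY_HOST, proxy_port: int = PROXY_PORT,
          timeout: float = 5.0) -> str:
    """Open a CONNECT tunnel through the proxy and classify the live outcome."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while HEADER_END not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed before sending a response head")
            buf += chunk
        status, _, headers, leftover = parse_connect_response(buf)
        if status == 200 and not leftover:
            # Give the SSH server a moment to send its identification string;
            # an empty read means it closed the tunnel without one.
            try:
                leftover = sock.recv(256)
            except socket.timeout:
                leftover = b""
        return classify(status, headers, leftover)


# Constructed sample replies modelled on the header lines in the cntlm log above.
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )\r\n"
    b"Via: 1.1 PROXY\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_200_SSH = (
    b"HTTP/1.1 200 Connection established\r\n"
    b"Via: 1.1 PROXY\r\n\r\n"
    b"SSH-2.0-OpenSSH_9.6\r\n"
)
SAMPLE_200_CLOSED = b"HTTP/1.1 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("407", SAMPLE_407), ("200+ssh", SAMPLE_200_SSH),
                         ("200+closed", SAMPLE_200_CLOSED)]:
        print(name, "->", diagnose(sample))
    # Live check, e.g. probe("ssh.example.com", 443) once cntlm is running.
```

Run it as-is to see the three constructed replies classified; then call probe() against the real cntlm listener with the SSH host and port 443. A result of proxy_auth_required means the upstream proxy never accepted the CONNECT (the answer's PuTTY DNS setting is one cause of that), while tunnel_up_no_banner means the proxy side is fine and the problem is between the proxy and the SSH server.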
