Does git clone work through NTLM proxies?

Question

I\'ve tried both using export http_proxy=http://[username]:[pwd]@[proxy] and git config --global http.proxy http://[username]:[pwd]@[proxy].

Answer 1

Since this was a question I kept finding on my search to make this work, I'll add my answer here.

I needed to get access to a github.com hosted repo working via an http(s) proxy (that requires NTLM authentication) on one network, and have it still work when on a normal internet connection, from our Mac OS X dev machines.

Here is how I made it work. This won't work for every git hosting provider, but I'm posting in case it helps you figure this out. This is also only for Mac OS X, but if you figure out how to run something on network change for your system, the rest should follow.

I had to use git clone git@github.com:user/repo.git after setting up ssh access as normal (http://help.github.com/mac-set-up-git/).

I then needed to setup a local http(s) proxy that handles the NTLM authentication, such as ntlmaps, cntlm or Authoxy. I've tested with Authoxy. I'll leave configuring this to you, because you'll need to know your own proxy details.

You'll also need corkscrew, which is just sudo port install corkscrew if you have MacPorts.

Then I added the following to ~/.ssh/config:

Host github.com.disabled
User git
HostName ssh.github.com
Port 443
ProxyCommand /opt/local/bin/corkscrew localhost 6574 %h %p

Where 6574 is the TCP port I set Authoxy to listen on.

Now I created a script that tries to find the http(s) proxy server, and configures the ssh setup according to what it finds, at /usr/local/bin/locationchanger:

#!/bin/sh

set -o nounset
set -o errexit

sleep 10 # allow for WiFi to actually connect.

# if we can find the proxy server, then use it.
if ! host proxy.internal.network;
then
    echo "Proxy server not found, clearing http(s) proxy";
    sed -i '.backup' -E 's/^Host github.com$/Host github.com.disabled/' "$HOME/.ssh/config"
else
    echo "Proxy server found, setting http(s) proxy";
    sed -i '.backup' -E 's/^Host github.com.disabled$/Host github.com/' "$HOME/.ssh/config"
fi
echo "Done."

Don't forget to chmod +x /usr/local/bin/locationchanger.

Now create ~/Library/LaunchAgents/LocationChanger.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>tech.inhelsinki.nl.locationchanger</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/locationchanger</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration</string>
    </array>
</dict>
</plist>

And then launchctl load ~/Library/LaunchAgents/LocationChanger.plist. This launchd job will run whenever the network changes. If it can find your internal network http(s) proxy server, it will make ssh use corkscrew to work through Authoxy, which will handle working through the company proxy. If it can't find the proxy server, it will disable the special ssh config, and you're working just like normal.

Now our team doesn't have to think about network switching anymore.

Answer 2

AndreaG (in a comment above) has the only acceptable answer to this problem that I can find. It seems that Git just won't work with NTLM proxies even though it really should because cURL (which it uses underneath) does work just fine. Why this issue can't be fixed I have no idea. It seems to be a fairly common issue.

The solution, in full then, is to use ntlmaps to act as a proxy to the proxy. All you need to do is to download the latest version of the app from: http://ntlmaps.sourceforge.net/

Change the config file to include your authentication and proxy details and then set the proxy to be your new local one:

git config --global http.proxy http://localhost:5865

I can confirm that it works just fine. Not only that you can use it for any app that requires NTLM authentication but does not provide full NTLM support.

Answer 3

Git supports NTLM proxy authentication from version 1.7.10 onwards, relevant commit is https://github.com/gitster/git/commit/dd6139971a18e25a5089c0f96dc80e454683ef0b

1.7.10 release notes briefly mentioned it as:

* HTTP transport learned to authenticate with a proxy if needed.

I've successfully tested it with the proxy at my workplace which is NTLM and requires user/pass, you can test yourself with following commands:

git config --global http.proxy http://user:password@proxy.com:port
git clone http://git.videolan.org/git/bitstream.git

Regards,