Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1337796

Summary: wget couldn't support NTLM proxy or ignore system-wide proxy settings
Product: Red Hat Enterprise Linux 7 Reporter: Mikhail <mikhail.v.gavrilov>
Component: wgetAssignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: low    
Version: 7.4CC: fkrska, jkejda, mikhail.v.gavrilov
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1784794 (view as bug list) Environment:
Last Closed: 2019-12-18 09:24:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/etc/wgetrc none

Description Mikhail 2016-05-20 05:55:55 UTC
Description of problem:
wget couldn't support NTLM proxy, but curl support it with paramener --proxy-ntlm


$ curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz 



$ wget -V
GNU Wget 1.14 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl 

Wgetrc: 
    /etc/wgetrc (system)
Locale: /usr/share/locale 
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -O2 -g -pipe 
    -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
    --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic 
Link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
    -fstack-protector-strong --param=ssp-buffer-size=4 
    -grecord-gcc-switches -m64 -mtune=generic -lssl -lcrypto 
    /usr/lib64/libssl.so /usr/lib64/libcrypto.so /usr/lib64/libz.so 
    -ldl -lz -lz -lidn -luuid -lpcre ftp-opie.o openssl.o http-ntlm.o 
    ../lib/libgnu.a 

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic>.
Please send bug reports and questions to <bug-wget>.


# wget -v http://rpms.remirepo.net/enterprise/remi-release-7.rpm
--2016-05-20 11:37:41--  http://rpms.remirepo.net/enterprise/remi-release-7.rpm
Connecting to 172.18.4.7:8080... connected.
Proxy request sent, awaiting response... 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
2016-05-20 11:37:41 ERROR 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  ).


# curl -v --proxy-ntlm -I http://rpms.remirepo.net/enterprise/remi-release-7.rpm
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
*   Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'edvglu'
> HEAD http://rpms.remirepo.net/enterprise/remi-release-7.rpm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.29.0
> Host: rpms.remirepo.net
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
< Via:1.1 ISAEG
Via:1.1 ISAEG
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCXLtediV72KUAAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA=
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCXLtediV72KUAAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA=
< Pragma: no-cache
Pragma: no-cache
< Cache-Control: no-cache
Cache-Control: no-cache
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 0     
Content-Length: 0     

< 
* Connection #0 to host 172.18.4.7 left intact
* Issue another request to this URL: 'http://rpms.remirepo.net/enterprise/remi-release-7.rpm'
* Found bundle for host rpms.remirepo.net: 0x154be90
* Re-using existing connection! (#0) with host 172.18.4.7
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Proxy auth using NTLM with user 'edvglu'
> HEAD http://rpms.remirepo.net/enterprise/remi-release-7.rpm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAABgAGAHAAAAAJAAkAdgAAAAAAAAAAAAAABoKJAkblnXYcrg/BAAAAAAAAAAAAAAAAAAAAAF64tdRktf5NEf722Jvel8SnzH0EDfgk2GVkdmdsdWxvY2FsaG9zdA==
> User-Agent: curl/7.29.0
> Host: rpms.remirepo.net
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Via: 1.1 ISAEG
Via: 1.1 ISAEG
< Content-Length: 7611
Content-Length: 7611
< Date: Fri, 20 May 2016 05:38:29 GMT
Date: Fri, 20 May 2016 05:38:29 GMT
< Content-Type: application/x-rpm
Content-Type: application/x-rpm
< Server: Apache/2.2.15 (CentOS)
Server: Apache/2.2.15 (CentOS)
< Last-Modified: Wed, 09 Dec 2015 09:15:19 GMT
Last-Modified: Wed, 09 Dec 2015 09:15:19 GMT
< ETag: "d82bb3-1dbb-52673877157c0"
ETag: "d82bb3-1dbb-52673877157c0"
< Accept-Ranges: bytes
Accept-Ranges: bytes

< 
* Connection #0 to host 172.18.4.7 left intact

Comment 2 Mikhail 2016-05-20 09:34:08 UTC
$ export

declare -x http_proxy="http://east-kronospan\\edvglu:niva4x4\$\$\$@172.18.4.7:8080"
declare -x https_proxy="http://east-kronospan\\edvglu:niva4x4\$\$\$@172.18.4.7:8080"

Comment 3 Tomáš Hozza 2016-05-20 14:08:55 UTC
From the man page:

       --http-user=user
       --http-password=password
           Specify the username user and password password on an HTTP server.  According to the type of the challenge, Wget will encode them using either the "basic"
           (insecure), the "digest", or the Windows "NTLM" authentication scheme.

           Another way to specify username and password is in the URL itself.  Either method reveals your password to anyone who bothers to run "ps".  To prevent the
           passwords from being seen, store them in .wgetrc or .netrc, and make sure to protect those files from other users with "chmod".  If the passwords are really
           important, do not leave them lying in those files either---edit the files and delete them after Wget has started the download.


This means you should use --http-user and --http-password to specify the credentials for the proxy.

The http{,s}_proxy environment variables are used for getting the proxy URL, but not the username and password.

Please retest with the --http-user and --http-password options

Comment 4 Mikhail 2016-05-21 10:09:33 UTC
You don't tell me about escape characters so I don't know how here correct write '\' and '$' symbols.  so I tried both variants:

[root@sinuf1 synergy]# wget -v --http-user=east-kronospan\\edvglu --http-password=niva4x4\$\$\$ http://rpms.remirepo.net/enterprise/remi-release-7.rpm
--2016-05-21 15:58:05--  http://rpms.remirepo.net/enterprise/remi-release-7.rpm
Connecting to 172.18.4.7:8080... connected.
Proxy request sent, awaiting response... 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
2016-05-21 15:58:05 ERROR 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  ).

[root@sinuf1 synergy]# wget -v --http-user=east-kronospan\edvglu --http-password=niva4x4$$$ http://rpms.remirepo.net/enterprise/remi-release-7.rpm
--2016-05-21 15:58:54--  http://rpms.remirepo.net/enterprise/remi-release-7.rpm
Connecting to 172.18.4.7:8080... connected.
Proxy request sent, awaiting response... 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
2016-05-21 15:58:54 ERROR 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  ).

As you see this is also not work for me.

Comment 5 Mikhail 2016-05-21 10:14:44 UTC
Created attachment 1160090 [details]
/etc/wgetrc

Comment 6 Mikhail 2016-05-21 10:15:22 UTC
And also I try store password in wgetrc file without success too

Comment 9 Tomáš Hozza 2019-12-18 09:24:40 UTC
Red Hat Enterprise Linux version 7 entered the Maintenance Support 1 Phase in August 2019. In this phase only qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate.

This bug has been reviewed by Support and Engineering representative and does not meet the inclusion criteria for Maintenance Support 1 Phase.

For more information about Red Hat Enterprise Linux Lifecycle, please see https://access.redhat.com/support/policy/updates/errata/

Comment 10 RHEL Program Management 2019-12-18 09:24:48 UTC
Development Management has reviewed and declined this request. You may appeal this decision by using your Red Hat support channels, who will make certain  the issue receives the proper prioritization with product and development management.

https://www.redhat.com/support/process/production/#howto