{"id":15693784,"url":"https://github.com/ethomson/ntlmclient","last_synced_at":"2025-06-10T08:34:51.301Z","repository":{"id":47546432,"uuid":"121685810","full_name":"ethomson/ntlmclient","owner":"ethomson","description":"A POSIX implementation of NTLM2 client authentication. 😭","archived":false,"fork":false,"pushed_at":"2024-10-18T22:27:12.000Z","size":279,"stargazers_count":8,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-08T06:48:48.858Z","etag":null,"topics":["ntlm","ntlm2"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ethomson.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-15T21:37:58.000Z","updated_at":"2025-03-07T03:11:24.000Z","dependencies_parsed_at":"2023-12-21T21:30:11.282Z","dependency_job_id":"8696caac-3b54-490a-9380-4bf4c13ce7a1","html_url":"https://github.com/ethomson/ntlmclient","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ethomson%2Fntlmclient","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ethomson%2Fntlmclient/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ethomson%2Fntlmclient/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ethomson%2Fntlmclient/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ethomson","download_url":"https://cod
eload.github.com/ethomson/ntlmclient/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ethomson%2Fntlmclient/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259038796,"owners_count":22796701,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ntlm","ntlm2"],"created_at":"2024-10-03T18:48:52.725Z","updated_at":"2025-06-10T08:34:51.269Z","avatar_url":"https://github.com/ethomson.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"ntlmclient\n==========\n[![CI](https://github.com/ethomson/ntlmclient/workflows/CI/badge.svg)](https://github.com/ethomson/ntlmclient/actions?query=workflow%3ACI) [![Coverity Build Status](https://scan.coverity.com/projects/15510/badge.svg?flat=1)](https://scan.coverity.com/projects/15510)\n\nntlmclient is a pure C library that supports NTLM2 authentication for\nPOSIX systems.  It is generally used to support authentication to\nWindows-based servers that do not enable other authentication\nalgorithms.\n\n🚨🚨🚨 NTLM2 support should be deprecated 🚨🚨🚨\n\nThis library is provided for compatibility with systems that do not offer\nany other authentication algorithms.  NTLM2 is often enabled because it\nprovides simple, integrated access to Windows systems, often called \"single\nsign-on\".  This allows authentication to remote systems with the currently\nlogged-in user credentials, without users being forced to re-enter their\npassword.  
While convenient, NTLM2 is built on outdated cryptographic\nsystems and should not be preferred.\n\nFor \"single sign-on\" support, you should instead prefer\n[Kerberos](https://en.wikipedia.org/wiki/Kerberos_(protocol)), as it\nis an industry standard built on modern ciphers.  If you do not require\nsingle sign-on, using a simple authentication mechanism like HTTP Basic\nis adequate, provided the connection is encrypted with transport layer\nsecurity.\n\nThis library is provided since many systems are configured to support\nauthentication using _only_ NTLM2.  Not all systems can upgrade to\nKerberos.\n\n**Regardless, you should be providing security at the transport layer,\nusing IPsec or HTTPS.**\n\nBackground\n----------\nNTLM is a \"challenge/response\" authentication mechanism that allows a\nserver to authenticate a client without it having to provide the actual\npassword.  Briefly:\n\n1. The client creates an initial NTLM authentication negotiation message,\n   called a \"negotiation\" message (sometimes called a \"Type 1\" message).\n\n   The ntlmclient library returns the negotiation message as a raw stream\n   of bytes.  If you require the message in base64 format (for example,\n   to use with [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) over HTTPS),\n   then you must encode it before sending it over the HTTPS connection.\n\n2. The remote server will respond with a \"challenge\" message (sometimes\n   called a \"Type 2\" message).  This message includes capabilities and\n   information from the remote server that ntlmclient will use to\n   complete authentication.\n\n   The ntlmclient library expects the challenge message as a raw stream\n   of bytes.  If it was provided to you in base64 format (for example,\n   over HTTP) then you must decode it before providing it to the library.\n\n3. The client creates the final message, a \"response\" message (sometimes\n   called a \"Type 3\" message).  
This message includes a hash of the\n   challenge that was given to the client, using the password as a key.\n   Given this message, the server will decide whether authentication\n   succeeded or failed.\n\n   Like the other messages, the response message is a raw stream of bytes\n   and should be encoded as base64, if necessary.\n\nGetting Started\n---------------\nYou should read the [full\ndocumentation](https://ethomson.github.io/ntlmclient/#HEAD), but a simple\nusage example is:\n\n1. Initialize the NTLM client context.  You can specify option flags, or\n   pass `NTLM_CLIENT_DEFAULTS` (or `0`) to the option flags argument to\n   accept the defaults.\n\n   ```c\n   ntlm_client *ntlm;\n\n   /* Create an NTLM client context, using the default options.  This\n    * will return an NTLM context on success, or NULL on failure.\n    */\n   if ((ntlm = ntlm_client_init(NTLM_CLIENT_DEFAULTS)) == NULL) {\n       /* Can only fail on out of memory. */\n       fprintf(stderr, \"out of memory\");\n       exit(1);\n   }\n   ```\n\n2. Set the local hostname, the user's credentials to authenticate with,\n   and the authentication \"target\" (the name of the remote machine).\n   The strings provided are expected to be in UTF-8.\n\n   (Functions return `0` on success and non-zero on error.)\n\n   ```c\n   if (ntlm_client_set_hostname(ntlm, \"hostname\", \"DOMAIN\") != 0 ||\n       ntlm_client_set_credentials(ntlm, \"user\", \"DOMAIN\", \"secret\") != 0 ||\n       ntlm_client_set_target(ntlm, \"SERVER\") != 0) {\n       /* Get the error message from the NTLM context. */\n       fprintf(stderr, \"%s\\n\", ntlm_client_get_errmsg());\n       exit(1);\n   }\n   ```\n\n3. 
Compute the negotiate message and deliver it to the server.\n\n   ```c\n   const unsigned char *negotiate_msg;\n   size_t negotiate_len;\n\n   if (ntlm_client_negotiate(\u0026negotiate_msg, \u0026negotiate_len, ntlm) != 0) {\n       fprintf(stderr, \"%s\\n\", ntlm_client_get_errmsg());\n       exit(1);\n   }\n\n   /* For HTTP, base64 encode the negotiate message. */\n   ```\n\n4. Read the challenge message from the server, and provide it to the library.\n\n   ```c\n   /*\n    * Read the NTLM challenge message from the remote host.  For HTTP,\n    * this will be in the `WWW-Authenticate` header, following the SPNEGO\n    * mechanism name (\"NTLM\" or \"Negotiate\"), and should be base64 decoded.\n    */\n\n   if (ntlm_client_parse_challenge(ntlm, challenge, challenge_len) != 0) {\n       fprintf(stderr, \"%s\\n\", ntlm_client_get_errmsg());\n       exit(1);\n   }\n   ```\n\n5. Compute the response message and deliver it to the server.\n\n   ```c\n   const unsigned char *response;\n   size_t response_len;\n\n   if (ntlm_client_response(\u0026response, \u0026response_len, ntlm) != 0) {\n       fprintf(stderr, \"%s\\n\", ntlm_client_get_errmsg());\n       exit(1);\n   }\n\n   /*\n    * For HTTP, base64 encode the response message and set it as the\n    * `Authorization` header.\n    */\n   ```\n\n6. Determine if authentication has succeeded; for example, for HTTP\n   transports, the server will return a `401` when authentication fails.\n   In a failure, you should restart the authentication process, either\n   with a new authentication context, or after calling:\n\n   ```c\n   ntlm_client_reset(ntlm);\n   ```\n\n7. Free the NTLM context.\n\n   ```c\n   ntlm_client_free(ntlm);\n   ```\n\nSupport\n-------\nntlmclient supports:\n\n* NTLM2 authentication\n  This is the most recent \"single sign-on\" authentication mechanism\n  that Microsoft developed before adopting Kerberos.  This system provides\n  authentication without actually transmitting the password.  
However, it\n  relies on outdated encryption algorithms, so this mechanism should not\n  be used without transport encryption (IPsec, TLS, etc).\n\n* LM and NTLM authentication (optionally)\n  These are older \"single sign-on\" authentication mechanisms and rely\n  on weaker encryption algorithms.  Most Windows systems (client and\n  server) have disabled both LM and NTLM in favor of NTLM2.  Generally,\n  these should not be used.  And even more than NTLM2, these should\n  **never** be used without transport encryption.\n\n* macOS and Linux Support\n  Cryptographic primitives are provided by\n  [CommonCrypto](https://developer.apple.com/security/) on macOS, and\n  [OpenSSL](https://www.openssl.org) or [mbedTLS](https://tls.mbed.org/)\n  on non-macOS platforms.\n\n  Unicode functionality (UTF8 to UTF16 conversion) is provided by\n  [iconv](https://en.wikipedia.org/wiki/Iconv) when available, falling\n  back to conversion routines provided by Unicode, Inc.\n\nWhat's Not Supported\n--------------------\nntlmclient does _not_ support:\n\n* Session Security\n  NTLM \"session security\", or \"signing and sealing\" is a message signature\n  and encryption scheme.  Key exchange is performed during the NTLM\n  authentication process.  There is no support for this; it should\n  not be used, and should be deprecated in favor of TLS.\n\n* Windows Support\n  ntlmclient is POSIX-only.  
Windows users are encouraged to use the\n  [system's NTLM support](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375506(v=vs.85).aspx).\n\nFurther Reading\n---------------\n[MS-NLMP: NT LAN Manager (NTLM) Authentication Protocol\nSpecification](https://msdn.microsoft.com/en-us/library/cc207842.aspx)\nMicrosoft's published specification of the NTLM authentication\nprotocol.\n\n[The NTLM Authentication Protocol and Security Support\nProvider](http://davenport.sourceforge.net/ntlm.html)\nAn independent reference of the NTLM authentication system, based on the\nresearch from the Samba team and used as the basis for jCIFS.\n\n[Simple and Protected GSSAPI Negotiation Mechanism\n(SPNEGO)](https://en.wikipedia.org/wiki/SPNEGO)\nThe HTTP authentication mechanism for NTLM and Kerberos.\n\nLicense\n---------\nntlmclient is released under the MIT license.  This software is based on\nthe NTLM2 implementation in [Microsoft Team Explorer\nEverywhere](https://github.com/microsoft/team-explorer-everywhere).\n\nSee the [license file](LICENSE.txt) for the full license text.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fethomson%2Fntlmclient","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fethomson%2Fntlmclient","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fethomson%2Fntlmclient/lists"}