How to use authentication with negiotiation (e.g. Kerberos) to HTTP proxy?

Generally accepted is the use of HTTP_PROXY/HTTPS_PROXY environment variables to specify the use of a proxy server. Authentication can be included in this URL, e.g. HTTP_PROXY=http://user:pass@myproxy.mydomain.tld:3128/ . However, I am using Kerberos SSO to authenticate with the proxy. How do I configure that? So, suppose a Squid proxy server configuration as described here: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos . It describes how Windows clients can use proxy authentication with negotiation, but there's no information how I can configure Linux/Unix clients. For cURL, the use of --proxy-negotiate -u : does the trick, e.g.: HTTPS_PROXY=http://myproxy.mydomain.tld:3128/ curl --proxy-negotiate -u : https://www.google.com How do I tell non-cURL applications to use this mechanism? E.g. Debian/Ubuntu APT with Acquire::http::Proxy "http://myproxy.mydomain.tld:3128/ ";? I found [cntlm](http://manpages.ubuntu.com/manpages/xenial/man1/cntlm.1.html) which acts as another locally running proxy in the middle, facilitating unauthenticated connections from localhost. However, this only works with NTLM, where I need Kerberos. Would Squid be able to connect as a client using Kerberos perhaps? It seems notoriously hard to find authentication capabilities on the *outgoing* connection of proxy servers. All seem to focus on authentication features on the *listening socket* instead.