LINICKX.com

Wi-Fi (Broadcom BCM4331) for an old iMac (iMac13,1) in 2026

Nick Bettison — Sun, 11 Jan 2026 19:36:00 +0000

My Christmas project this year was to make my old 2012 iMac work; previously I have used OpenCore Legacy Patcher to keep MacOS going but that was become less useable -- Enter Linux! This note is specifically geared towards OpenSUSE Tumbleweed, but is hopefully helpful for anyone trying similar with any other distro.

TLDR;

Install b43-fwcutter
Download broadcom-wl-6.30.163.46.tar.bz2
sudo b43-fwcutter -w /usr/lib/firmware broadcom-wl-6.30.163.46.wl_apsta.o
Reboot & Hope!

Long form

Booting from the tumbleweed ISO/USB worked well, obviously the bluetooth keyboard/mouse don't work, but bluetooth is detected and will work later. Wi-Fi is not detected at all, an Ethernet cable was required to get networking up. Upon completing the install, I started to investigate how to fix Wi-Fi. On Tumbleweed, the pullin-bcm43xx-firmware package provides /usr/sbin/install_bcm43xx_firmware however, even tho it "runs", it has an error and Wi-Fi still doesn't work and the reason is because www.lwfinger.com/b43-firmware/ no longer exists.

Browsing the internet archive, I found a working snapshot for 8th July 2024: https://web.archive.org/web/20240708013600/http://www.lwfinger.com/b43-firmware/

Steps:

Download broadcom-wl-6.30.163.46.tar.bz2
If it's not installed, you'll need b43-fwcutter, so sudo zypper install b43-fwcutter.
Unpack the archive: tar -xjf broadcom-wl-6.30.163.46.tar.bz2
Install the driver: sudo b43-fwcutter -w /usr/lib/firmware broadcom-wl-6.30.163.46.wl_apsta.o
Reboot ... there's probably a way to avoid the reboot by restating Network Manager, but whatever!

After the reboot, you should see the WLAN adapter available.

Closing thoughts.

I am hosting a copy of the driver here, incase the archive goes down: www.linickx.com/files/2026/01/broadcom-wl-6.30.163.46.tar.bz2. For me, the driver only seems to be working on 2.4Ghz, even tho' the BCM4331 support 5Ghz 802.11a 🤷🏻‍♂️ ... and performance seems to be a poor 5Mb/s. But for now, I'm on with this as my plan is to use the iMac as a kinda distraction free SSH or Writing terminal; perhaps I can fix that later and update here.

If anyone knows how to get the nVidia driver working please hit me up as I'm having to manually tweak the screen brightness with each reboot.

Home Assistant on KVM - Disable Secure Boot

Nick Bettison — Sun, 21 Sep 2025 13:48:00 +0100

The documentation for running HAOS on KVM is pretty good but not enough for me, in fairness it state that Secure Boot is not supported, but the clues given to disable that are a little cryptic, this post are my notes.

Preface: Some personal tweaks.

I used the virt-install command given, but the default tries to connect to the console -- which without secure boot disabled is just a blank screen, so --noautoconsole is needed.

Also, I don't have a default network, all my VM's are on a bridge interface which means I also need --network bridge=br0

So, my final install command looks like:

virt-install --name haos --description "Home Assistant OS" --os-variant=generic --ram=4096 --vcpus=2 --disk /opt/haos/haos_ova-16.2.qcow2,bus=scsi --controller type=scsi,model=virtio-scsi --import --graphics none --boot uefi --network bridge=br1 --noautoconsole

( Change your disk path as necessary )

Now: To disable secure boot.

You VM is probably running, but not working, shut it down with sudo virsh shutdown haos it might be stuck, so you might have to use sudo virsh destroy hasos to forcefully kill it.

Now run sudo virsh edit haos, this should open an XML like this screenshot:

It doesn't matter if it's not exactly the same, your hypervisor might have selected a different EFI firmware. Next steps:

Change enrolled-keys to no
Change secure-boot to no
👉🏼 Delete the line starting with <loader readonly='yes' ...
👉🏼 Delete the line starting with <nvram template= ...
Save

The final XML snippet should look something like:

<os firmware='efi'>
    <type arch='x86_64' machine='pc-i440fx-10.0'>hvm</type>
    <firmware>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='no' name='secure-boot'/>
    </firmware>
    <boot dev='hd'/>
</os>

First boot: Reset nvram.

After making the above changes, when you start (power-on) the machine for the first time you need to get KVM to select a new firmware, so run:

virsh start haos --reset-nvram

After that's been done once, then normal start should work, even autostart.

Done!

I use cockpit to manage my KVMs, this is what it looks like! 😊

References:

https://libvirt.org/kbase/secureboot.html#changing-an-existing-vm
https://www.home-assistant.io/installation/alternative#hypervisor-specific-configuration

Building Custom RUT240 Teltonika Packages

Nick Bettison — Sun, 22 Nov 2020 14:41:00 +0000

I'm in the process of trying to see if I can get DNS over HTTPS working, my forum post didn't provide a direct answer therefore I'm going to document the build/compile/install process, at time of writing I'm not 100% sure if the package is going to work or meet my requirements but there's little infomation avilable on this topic that I figure this post will help someone!

Some comments on the Teltonika RUT240

The RUT240 is a niftly little box, 2x Ethernet Ports, 2.4Ghz WiFi and 4G.
The marketing material describes the Operating system as: "RutOS (OpenWrt based Linux OS)". Which is accurate, but there's a little detail, the verion of OpenWRT that RutOS is based on is 15.05.1 "Chaos Calmer" released in 2015 and last updated in 2016, so although the RUT240 featurelist is very impressive, under the hood there's some old tech.
Some googling suggests that you can re-flash some Teltonika boxes with the latest OpenWRT however you are flash/storage dependent, the RUT240 doesn't have enough storage space to do this.

A word of Warning!

Back in the day, I used to build RPM packages from sourse for RHEL and this process can quickly become dependency hell, be mindful of effort Vs reward as this packaging lark can be a bit of a rabbit hole!

Building

Given that I haven't gotten DOH working yet, I'm going to document a simple example and upgrade curl & ca-bundle (the version of wget that comes with Rutos is compiled without HTTPS so this is going to be useful!)

To get started you need Ubuntu 16.04, one option is to build yourself a virtal machine, I'm going to use docker:

$ docker run -it ubuntu:16.04
root@17da442b8e85:/# cd
root@7f2c92d1ed06:~#

Note: Docker by default starts the shell in / type cd to do everything in the $HOME directory (/root)

Ubuntu isn't ready to build stuff, install the developer packages with these commands:

apt-get update; apt install subversion g++ zlib1g-dev build-essential git python python3 libncurses5-dev gawk gettext unzip file libssl-dev wget libelf-dev ecj fastjar java-propose-classpath rsync swig time python3-setuptools libncursesw5-dev ccache xsltproc vim tree

At this point, you can download the Chaos Calmer source code:

git clone https://github.com/openwrt/chaos_calmer.git

This will create a chaos_calmer folder in /root that will be your build environment.

To update curl, I'm going to step up one version of firmware from 15.05.1 to 17.01 Lede; the reason I'm not going to latest & greatest is to reduce the risk that curl has a dependenciy that needs updating, and so-one and so-forth.

Curl is part of the firmware, i.e. not in packages repo so download the older branch:

git clone -b lede-17.01 https://github.com/openwrt/openwrt.git; mv openwrt lede-17.01-openwrt

Then replace the old package like so:

rm -fr ~/chaos_calmer/package/network/utils/curl
cp -av ~/lede-17.01-openwrt/package/network/utils/curl ~/chaos_calmer/package/network/utils/

To build ca-bundle I could clone the whole lede packages repo and copy the files, however this package includes certificates which are date bound, so I'm going to be forced to go latest & greatest, and looking at looking at the package we only need one file, so let's just update that:

cd chaos_calmer/package/system/ca-certificates/  
rm Makefile
wget  https://raw.githubusercontent.com/openwrt/openwrt/master/package/system/ca-certificates/Makefile
cd ~/chaos_calmer

Before building, according Teltonika you need to update the Makefile of your package and add in some RUTOS specifics...

vi package/network/utils/curl/Makefile

Somewhere near the top of the file, insert this..

PKG_ROUTER:=RUT240
PKG_FIRMWARE:=01.12.3
PKG_TLT_NAME:=curl
PKG_VERSION_PM:=1.0

NOTE: If you're running later firmware, update as applicable.

And again for ca-certificates

vi package/system/ca-certificates/Makefile

Update lie this...

PKG_ROUTER:=RUT240
PKG_FIRMWARE:=01.12.3
PKG_TLT_NAME:=ca-certificates
PKG_VERSION_PM:=1.0

Next step, is to run make menuconfig

... and select your package (press spacebar to make an M appear), if you don't do this you'll have issue with later commands:

Base sytem -> CA Certificates

Network -> File Transfer -> Curl

Exit and save the config. You are ready to build & setup the enrviornment, be warned this will take a long time to run!

make tools/install
make toolchain/install

If all has gone well, you'll be back at the prompt and it's time to start building your packages, start with your depnedencies:

make package/ca-certificates/compile
make package/ca-certificates/install
make package/curl/compile
make package/curl/install

IF that finished without error, then the packages should be built in your bin directory...

root@40e297a4fa8d:~/chaos_calmer# tree bin/
bin/
`-- ar71xx
    `-- packages
        |-- base
        |   |-- ca-bundle_20200601-1_all.ipk
        |   |-- libcurl_7.52.1-10_ar71xx.ipk

Copy & Install

Now all that's left is to copy & install the files. Since we built them in a docker container, step 1 is to get them out. First find your container ID:

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
40e297a4fa8d        ubuntu:16.04        "/bin/bash"         16 hours ago        Up 16 hours                             serene_leakey
$

My ID is 40e297a4fa8d so that's the name of the server in the docker cp command, which looks like this...

$ docker cp 40e297a4fa8d:/root/chaos_calmer/bin/ar71xx/packages/base/ca-bundle_20200601-1_all.ipk .

Rename the file as recommended by Teltonika...

$ mv ca-bundle_20200601-1_all.ipk tlt_custom_pkg_ca-bundle_20200601-1_all.ipk

And then do a simple SSH Copy (SCP) to your router...

$ scp tlt_custom_pkg_ca-bundle_20200601-1_all.ipk root@192.168.1.1:~/
tlt_custom_pkg_ca-bundle_20200601-1_all.ipk                                                                                                                               100%  114KB 113.1KB/s   00:01    
$

Finally, SSH onto your router and install with: opkg install ./tlt_custom_pkg_ca-bundle_20200601-1_all.ipk for the ca-bundle and repeat for Curl!

End

This may or may not be the official Teltonika way of doing things so your milage may vary!

References:

https://wiki.teltonika-networks.com/view/RUT240_Package_Manager#Custom_package_upload
https://openwrt.org/docs/guide-developer/single.package

snmpwalk v3 and snmpget v3 examples

Nick Bettison — Sat, 01 Apr 2017 15:22:00 +0100

I always forget the syntax for snmpwalk/snmpget v3; so posting here to remember.

snmpwalk version 3

The command is: snmpwalk -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50

Example output:

[nick@server ~]$  snmpwalk -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Adaptive Security Appliance Version 9.6(2)11
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.1199
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (201155400) 23 days, 6:45:54.00
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: fw01.local
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 1
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifDescr.1 = STRING: Adaptive Security Appliance 'v101' interface
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifPhysAddress.1 = STRING: aa:11:22:33:44:55
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifLastChange.1 = Timeticks: (6600) 0:01:06.00
IF-MIB::ifInOctets.1 = Counter32: 56388261
IF-MIB::ifInUcastPkts.1 = Counter32: 316701
...
[nick@server ~]$

snmpget version 3

A command for just getting the hostname: snmpget -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50 sysName.0

Example output:

[nick@server ~]$ snmpget -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50 sysName.0
SNMPv2-MIB::sysName.0 = STRING: fw01.local
[nick@server ~]$

A command for getting the hostname and the uptime: snmpget -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50 sysName.0 system.sysUpTime.0

Example output:

[nick@server ~]$ snmpget -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50 sysName.0 system.sysUpTime.0
SNMPv2-MIB::sysName.0 = STRING: fw01.local
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (14100) 0:02:21.00
[nick@server ~]$

These tests are on a Cisco ASA.

This is the ASA snmp v3 config used:

snmp-server group the-noc v3 priv
snmp-server user snmp-poller the-noc v3 auth sha PASSWORD1 priv aes 128 PASSWORD1
snmp-server host v101 10.10.62.100 version 3 snmp-poller

I've used the same password for authentication & encryption to make it easy. The username is "snmp-poller", the source of my polling is "10.10.61.100", the group "the-noc" is for if you have more than one user account.

Automated Let's Encrypt Certificates

Nick Bettison — Tue, 05 Apr 2016 17:01:00 +0100

Last month I was very pleased that I had managed an automated Let's Encrypt certificate renewal; the other night the renewal broke as the certificate was issued from a different intermediate CA, so help others out I thought I'd share with you my cron script.

Before copy/pasting this script, you need to get started with tiny acme. I also recommend you read this post by Scott Heleme as it walks through the end-to-end process.

Once you're all setup, you can use something like the below script on a monthly basis (update paths for your environment and the email address):

#!/bin/bash
echo "----------------------"
echo "Start:" `date`

# Backup
cp -v /home/letsencrypt/priv/signed.crt /home/letsencrypt/priv/old/signed_$(date +%F).crt
cp -v /home/letsencrypt/priv/chained.pem /home/letsencrypt/priv/old/chained_$(date +%F).crt

# Renewal
python /home/letsencrypt/bin/letsencrypt_tiny.py --account-key /home/letsencrypt/priv/my.key --csr /home/letsencrypt/priv/my.csr --letsencrypt-dir /home/letsencrypt/challenges/ > /home/letsencrypt/priv/signed.crt 

# Find Issuer
ISSUER=`openssl x509 -noout -issuer -in /home/letsencrypt/priv/signed.crt | awk 'NF>1{print $NF}'`

echo "Certificate issued by $ISSUER"

case $ISSUER in
    X1)
        ISSUER_CERT="https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem"
        ;;
    X2)
        ISSUER_CERT="https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem"
        ;;
    X3)
        ISSUER_CERT="https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
        ;;
    X4)
        ISSUER_CERT="https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem"
        ;;
    *)
        echo -e "Undefined Intermediate CA - Please fix /home/letsencrypt/bin/letsencrypt.sh - Failed to match Intermediate CA $ISSUER not found" | mail -s "LE Renewal Error" "changeme_at_gmail_dot_com"
        echo "** Error: Failed to match Intermediate CA $ISSUER not found **"
        cp -v /home/letsencrypt/priv/old/chained_$(date +%F).crt /home/letsencrypt/priv/chained.pem
        exit
    ;;
esac

# Download Intermetdiate CA Cert
echo "Cert URL: $ISSUER_CERT"
wget -O - $ISSUER_CERT > /home/letsencrypt/priv/intermediate.pem

# Build Chain
cat /home/letsencrypt/priv/signed.crt /home/letsencrypt/priv/intermediate.pem > /home/letsencrypt/priv/chained.pem

# Restart nginx to install the cert
sudo service nginx reload
echo "End:" `date`

Things to note if the renewal breaks:

It doesn't retry. Look at adding this smart renewal script to your daily cron: https://github.com/ScottHelme/Lets-Encrypt-Smart-Renew/
It emails you and puts the old certificate chain back (then quits)

pip install crassh

Nick Bettison — Sun, 14 Feb 2016 11:23:00 +0000

Recently myself (and a maybe colleague or two) has been copy/pasting parts of C.R.A.SSH (crassh) my python script for automating commands on Cisco IOS devices into personal scripts to get something done; knowing there must be a better a way I decided to turn crassh into a module which can/should be easy to install on linux or OSX systems with pip. PIP is a python (cross platform) package manager that now crassh is available in, i.e. pip install crassh

Below is an output from my machine, as you can see pip will install any necessary dependencies:

$ pip install crassh
Collecting crassh
  Downloading CraSSH-2.02.tar.gz
Collecting paramiko>=1.10 (from crassh)
  Using cached paramiko-1.16.0-py2.py3-none-any.whl
Collecting pycrypto!=2.4,>=2.1 (from paramiko>=1.10->crassh)
Collecting ecdsa>=0.11 (from paramiko>=1.10->crassh)
  Using cached ecdsa-0.13-py2.py3-none-any.whl
Building wheels for collected packages: crassh
  Running setup.py bdist_wheel for crassh
Successfully built crassh
Installing collected packages: pycrypto, ecdsa, paramiko, crassh
Successfully installed crassh-2.2 ecdsa-0.13 paramiko-1.16.0 pycrypto-2.6.1
$

I'm about to start work on some proper documentation , but to get you started there are four functions that most people will want/use:

crassh.connect()
crassh.send_command()
crassh.disconnect()
crassh.readtxtfile()

The first three are self explanatory, the last one is very useful as it'll read in a plain text file (one line at at time) and use it as an array, typically the plain text file would be a list of IP address to connect to or a list of commands to execute.

To show how crassh can be used, below is a simple example to audit to switches for the SNMP community string public - A security no-no!

#!/usr/bin/env python
# coding=utf-8

import crassh

# Variables
routers = ["10.159.83.135", "10.159.83.136"]
username = "nick"
password = "nick"

# Loop
for device in routers:

    hostname = crassh.connect(device, username, password)
    output = crassh.send_command("show run | inc snmp-server community", hostname)
    crassh.disconnect()

    # Split the output by spaces so we can search the response
    words = output.split()

    # Look for "public" in the output
    for x in words:
        if x == "public":
            print("DANGER: Public SNMP Community set on %s [%s]" % (hostname, device))

I've saved the file as no_public.py and this is the response...

$ python no_public.py 
Connecting to 10.159.83.135 ... 
Connecting to 10.159.83.136 ... 
DANGER: Public SNMP Community set on r2 [10.159.83.136]
$

Obviously you could do a lot more than just output but hopefully this'll give you an idea.

NOTE: Instead of routers being an array, I could have done routers = crassh.readtxtfile("./routers.txt") where routers.txt was a plain text file with one IP address per line.

Alpine Linux Raspberry Pi and Wireless (WiFi) firmware

Nick Bettison — Tue, 09 Feb 2016 17:41:00 +0000

Pidora doesn't appear to be being maintained anymore and CentOS/Fedora support for the Pi appears to be focused on the version 2 hardware, so I've been looking for an alternative distro. I'm very early on in my experimentation with docker, and docker is not in anyway related to my Pi, but since the unofficial announcement that they were moving away from Ubuntu to to Alpine Linux, I thought that's was as good a distro to try as any... funny how we're influenced by the media.

The Alpine Linux Raspberry Pi install guide is insanely easy, unpack the files onto a single disk partition, no fricking around with partitions, no dd just unpack and boot! The Alpine WiFi guide isn't bad either but IMHO isn't complete as I couldn't start the wpa_supplicant service:

pi # /etc/init.d/wpa_supplicant start
 * Starting WPA Supplicant Daemon ...
Successfully initialized wpa_supplicant
Could not set interface wlan0 flags (UP): Resource temporarily unavailable
nl80211: Could not set interface 'wlan0' UP
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: Failed to initialize driver interface
 * start-stop-daemon: failed to start `/sbin/wpa_supplicant'
 * Failed to start wpa_supplicant 
 * ERROR: wpa_supplicant failed to start
pi #

A quick poke at /var/log/messages reveals that the service is missing firmware:

kern.info kernel: [33264.393174] ieee80211 phy0: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
kern.warn kernel: [33264.393356] rt2800usb 1-1.4:1.0: Direct firmware load for rt2870.bin failed with error -2
kern.warn kernel: [33264.393377] rt2800usb 1-1.4:1.0: Falling back to user helper
daemon.err /etc/init.d/wpa_supplicant[2101]: start-stop-daemon: failed to start `/sbin/wpa_supplicant'
kern.err kernel: [33264.423493] ieee80211 phy0: rt2x00lib_request_firmware: Error - Failed to request Firmware
daemon.err /etc/init.d/wpa_supplicant[2083]: ERROR: wpa_supplicant failed to start

The USB WiFi Adapter I purchased has a lot of reviews saying "it just works" on various Pi distro's and it worked fine in pidora, so I figured that this driver was probably something generic. A few googles later and I find the Linux Kernel Firmware page and I find a copy of rt2870.bin which I place in /lib/firmware/.

After a little /etc/init.d/wpa_supplicant restart I have working WiFi!

The alpine documentation is clear, on a Pi the install is in disk-less mode and forces everything into memory, therefore I'm going to loose the firmware after a reboot. To make the change persistent, run lbu include /lib/firmware/rt2870.bin;lbu commit... give it a reboot, and cross your fingers!

CentOS7 - syslog-ng: Error setting capabilities, capability management disabled; error=Operation not permitted

Nick Bettison — Wed, 23 Dec 2015 12:13:00 +0000

I've just installed syslog-ng from epel onto a test CentOS7 box and found that the service wouldn't start, a quick verify of my syslog-ng.conf, with syslog-ng -s came back like so...

syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'

The debain fix suggests something like: syslog-ng -no-caps -s, which seems to work. What is odd is that /usr/lib/systemd/system/syslog-ng.service doesn't have it, but the service still seems to work once you've fixed and syntax errors!

Cisco NTP Authentication to Linux Server

Nick Bettison — Wed, 27 May 2015 14:10:00 +0100

NTP Authentication is a recommended best security practice; there are a lot of documents out there on how to setup NTP authentication between two Cisco IOS devices but anything between Cisco and LINUX is few and far between.

I have setup a LINUX Server (Redhat/CentOS) box, that will act as an upstream proxy to pool.ntp.org. NTP authentication will be enabled on the LINUX box so that the downstream Cisco IOS box (router/switch) can be configured with authentication.

CentOS Server config

Start with installing and starting NTP.

sudo yum install ntpd
sudo systemctl start  ntpd.service

... don't forget to open the firewall...

sudo firewall-cmd --permanent --zone=public --add-port=123/udp

Next, add a key to /etc/ntp/keys...

# For more information about this file, see the man page ntp_auth(5).
#
# id    type    key
1 M Cisco123

What I've done here is, add a key with id 1 that is type MD5 (authentication), the key is Cisco123

Now, setup /etc/ntp.conf, below is an example of a minimal config (with comments removed, backup your original).

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

restrict 1.1.1.0 mask 255.255.255.252 nomodify notrap
restrict 2.2.2.0 mask 255.255.255.252 nomodify notrap

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

keys /etc/ntp/keys
trustedkey 1

disable monitor

Take note of two things.

trustedkey 1 must match the ID in /etc/ntp/keys
restrict 1.1.1.0 mask 255.255.255.252 nomodify notrap this says that any client (i.e IOS router) in the 1.1.1.0/30 network can query out CentOS time server

Restart NTP to make the changes effective.

sudo systemctl restart  ntpd.service

Use ntpq to check its working...

[nick@CentOS7 ~]$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.as34288.ne 85.158.25.72     2 u   31   64  377   56.363  -52.207  15.576
+ntp.coreless.ne 77.40.226.114    2 u   30   64  377   64.117  -45.444  10.966
-fra94-1-78-193- 212.83.158.83    3 u   23   64  377   42.197  -44.928  10.275
+dn3t.de         129.69.1.153     2 u   98   64  376   44.418  -42.061   7.436
[nick@CentOS7 ~]$

Don't move onto the IOS box until ntpq shows a * next to one of the upstream servers. You need clocks sync'd on the linux box before the IOS one will work. It should take at least 5 minutes to sync up; if you are having issues, manually set the linux clock to within a minute and restart the NTP service.

Cisco IOS Config

My Cisco router is 1.1.1.1, my linux server is 1.1.1.2, make sure both boxes can ping each other ;-)

The router config is...

ntp authentication-key 1 md5 Cisco123
ntp trusted-key 1
ntp server 1.1.1.2 key 1
ntp authenticate

Take note of the order! I wasted loads of time troubleshooting the debug error NTP Core(INFO): 1.1.1.2 C01C 8C bad_auth no key because the command order is fussy

You can check it's working with the show ntp association commands... notice on the detailed version is says authenticated

R1#show ntp as

  address         ref clock       st   when   poll reach  delay  offset   disp
*~1.1.1.2         81.94.123.17     3     41     64     7 16.017  -4.263  1.893
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp as detail
1.1.1.2 configured, ipv4, authenticated, our_master, sane, valid, stratum 3
ref ID 81.94.123.17   , time D9104931.F7121393 (13:46:25.965 UTC Wed May 27 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 56.70 msec, root disp 63.87, reach 7, sync dist 6302.70
delay 16.01 msec, offset -4.2633 msec, dispersion 1.89, jitter 6199.94 msec
precision 2**24, version 4
assoc id 42451, assoc name 1.1.1.2
assoc in packets 40, assoc out packets 42, assoc error packets 0
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time D91049C8.3C62C714 (13:48:56.235 UTC Wed May 27 2015)
xmt time D91049C8.3C62C714 (13:48:56.235 UTC Wed May 27 2015)
filtdelay =   107.76   51.78   16.01   19.97   23.99   19.84   32.00   43.89
filtoffset = 16398.9   76.43   -4.26   -1.38   22.31   27.85   22.48    8.67
filterror =     0.00    0.99    1.87    1.90    1.93    1.96    1.99    2.02
minpoll = 6, maxpoll = 10

R1#

Footnote

NTP authentication is one way, the client authenticates the response from the server, so authentication is optional.

I also have another router (2.2.2.2) talking to the CentOS linux server (1.1.1.2) with a default config....

ntp server 1.1.1.2

And it works just fine...

R2#show ntp as

  address         ref clock       st   when   poll reach  delay  offset   disp
*~1.1.1.2         81.94.123.17     3     18     64     1 39.632  -1.911 187.61
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R2#
R2#
R2#show ntp as det
1.1.1.2 configured, ipv4, our_master, sane, valid, stratum 3
ref ID 81.94.123.17   , time D9104B06.F4F12334 (13:54:14.956 UTC Wed May 27 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 47.43 msec, root disp 55.89, reach 1, sync dist 322.40
delay 39.63 msec, offset -1.9110 msec, dispersion 187.61, jitter 34.98 msec
precision 2**24, version 4
assoc id 48023, assoc name 1.1.1.2
assoc in packets 8, assoc out packets 8, assoc error packets 0
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time D9104B96.A0AFE3F2 (13:56:38.627 UTC Wed May 27 2015)
xmt time D9104B96.A0AFE3F2 (13:56:38.627 UTC Wed May 27 2015)
filtdelay =    76.05   48.05   39.83   56.03   39.85   39.63    0.00    0.00
filtoffset =   64.31   33.05    5.55   17.13  -11.56   -1.91    0.00    0.00
filterror =     0.00    0.03    0.06    0.09    0.12    0.15 16000.0 16000.0
minpoll = 6, maxpoll = 10

R2#

So make sure your clients have authentication enabled.

RPM SPECS for Python CiscoConfParse

Nick Bettison — Mon, 30 Mar 2015 15:59:00 +0100

Recently I have been using ciscoconfparse to loop through Cisco configs, installing on my local laptop is straightforward with pip however getting it onto a customers linux jump server can be a bit more tricky (proxies, build deps and the like).

For Redhat/Centos (6) boxes I found an out of date .src.rpm therefore I have updated the SPEC file:

python-ciscoconfparse.spec

I have made two changes, I updated to the ciscoconfparse 1.2.16 and added the python-ipaddr dependency.

To build your own yo will also need:

python-setuptools_hg.spec

The only change I have made there is to add the correct download URL to the Source so that it build without the human having to put the package in the right directory.... other than that all other build deps should be in the standard base repositories.

Building them is straight forward with rebuild -ba, I have an old post here... fedora have a much more comprehensive one here... I haven't uploaded pre-built RPMs to my repo as I haven't found the need to for years, maybe this is a good excuse to resurrect it!