--- /dev/null
+module ietf-ssh-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
+ prefix sshs;
+
+ import ietf-ssh-common {
+ prefix sshcmn;
+ revision-date 2019-07-02;
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC ZZZZ: A YANG Data Model for a Keystore";
+ }
+ import iana-crypt-hash {
+ prefix ianach;
+ reference
+ "RFC 7317: A YANG Data Model for System Management";
+ }
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+ description
+ "This module defines reusable groupings for SSH servers that
+ can be used as a basis for specific SSH server instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-07-02 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ feature ssh-server-transport-params-config {
+ description
+ "SSH transport layer parameters are configurable on an SSH
+ server.";
+ }
+
+ feature ssh-server-keepalives {
+ description
+ "Per socket SSH keepalive parameters are configurable for
+ SSH servers on the server implementing this feature.";
+ }
+
+ feature local-client-auth-supported {
+ description
+ "Indicates that the SSH server supports local configuration
+ of client credentials.";
+ }
+
+ feature external-client-auth-supported {
+ description
+ "Indicates that the SSH server supports external configuration
+ of client credentials.";
+ }
+
+ grouping ssh-server-grouping {
+ description
+ "A reusable grouping for configuring a SSH server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'ssh-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "The list of host-keys the SSH server will present when
+ establishing a SSH connection.";
+ list host-key {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "An ordered list of host keys the SSH server will use to
+ construct its ordered list of algorithms, when sending
+ its SSH_MSG_KEXINIT message, as defined in Section 7.1
+ of RFC 4253.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this host-key";
+ }
+ choice host-key-type {
+ mandatory true;
+ description
+ "The type of host key being specified";
+ container public-key {
+ description
+ "A locally-defined or referenced asymmetric key pair
+ to be used for the SSH server's host key.";
+ reference
+ "RFC ZZZZ: YANG Data Model for a Centralized
+ Keystore Mechanism";
+ uses ks:local-or-keystore-asymmetric-key-grouping;
+ }
+ container certificate {
+ if-feature "sshcmn:ssh-x509-certs";
+ description
+ "A locally-defined or referenced end-entity
+ certificate to be used for the SSH server's
+ host key.";
+ reference
+ "RFC ZZZZ: YANG Data Model for a Centralized
+ Keystore Mechanism";
+ uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
+ }
+ }
+ }
+ }
+ container client-authentication {
+ nacm:default-deny-write;
+ description
+ "Specifies if SSH client authentication is required or
+ optional, and specifies if the SSH client authentication
+ credentials are configured locally or externally.";
+ container supported-authentication-methods {
+ description
+ "Indicates which authentication methods the server
+ supports.";
+ leaf publickey {
+ type empty;
+ description
+ "Indicates that the 'publickey' method is supported.
+ Note that RFC 6187 X.509v3 Certificates for SSH uses
+ the 'publickey' method name.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.
+ RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication.";
+ }
+ leaf passsword {
+ type empty;
+ description
+ "Indicates that the 'password' method is supported.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ leaf hostbased {
+ type empty;
+ description
+ "Indicates that the 'hostbased' method is supported.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ leaf none {
+ type empty;
+ description
+ "Indicates that the 'none' method is supported.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ leaf-list other {
+ type string;
+ description
+ "Indicates a supported method name not defined by
+ RFC 4253.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ }
+ choice local-or-external {
+ description
+ "Indicates if the client credentials are configured
+ locally or externally.";
+ case local {
+ if-feature "local-client-auth-supported";
+ description
+ "Client credentials are configured locally.";
+ container users {
+ description
+ "A list of locally configured users.";
+ list user {
+ key "name";
+ description
+ "The list of local users configured on this device.";
+ leaf name {
+ type string;
+ description
+ "The user name string identifying this entry.";
+ }
+ leaf password {
+ type ianach:crypt-hash;
+ description
+ "The password for this entry.";
+ }
+ list authorized-key {
+ key "name";
+ description
+ "A list of public SSH keys for this user. These
+ keys are allowed for SSH authentication, as
+ described in RFC 4253.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the SSH key.";
+ }
+ leaf algorithm {
+ type string;
+ mandatory true;
+ description
+ "The public key algorithm name for this SSH key.
+
+ Valid values are the values in the IANA 'Secure
+ Shell (SSH) Protocol Parameters' registry,
+ Public Key Algorithm Names.";
+ reference
+ "IANA 'Secure Shell (SSH) Protocol Parameters'
+ registry, Public Key Algorithm Names";
+ }
+ leaf key-data {
+ type binary;
+ mandatory true;
+ description
+ "The binary public key data for this SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ }
+ }
+ }
+ }
+ }
+ case external {
+ if-feature "external-client-auth-supported";
+ description
+ "Client credentials are configured externally, such
+ as via RADIUS, RFC 7317, or another mechanism.";
+ leaf client-auth-defined-elsewhere {
+ type empty;
+ description
+ "Indicates that client credentials are configured
+ elsewhere.";
+ }
+ }
+ }
+ }
+ container transport-params {
+ nacm:default-deny-write;
+ if-feature "ssh-server-transport-params-config";
+ description
+ "Configurable parameters of the SSH transport layer.";
+ uses sshcmn:transport-params-grouping;
+ }
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "ssh-server-keepalives";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the SSL client. An unresponsive SSL
+ client is dropped after approximately max-wait *
+ max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which
+ if no data has been received from the SSL client,
+ a SSL-level message will be sent to test the
+ aliveness of the SSL client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the SSL client before assuming the SSL client is
+ no longer alive.";
+ }
+ }
+ }
+}
\ No newline at end of file
Code Review / ccsdk / features.git / blobdiff