This module defines a reusable grouping for SSH servers that can be used as a basis for specific SSH server instances. The key ...
Version: 2024-10-10
module ietf-ssh-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; prefix sshs; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import iana-crypt-hash { prefix ianach; reference "RFC 7317: A YANG Data Model for System Management"; } import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model"; } import ietf-crypto-types { prefix ct; reference "RFC 9640: YANG Data Types and Groupings for Cryptography"; } import ietf-truststore { prefix ts; reference "RFC 9641: A YANG Data Model for a Truststore"; } import ietf-keystore { prefix ks; reference "RFC 9642: A YANG Data Model for a Keystore"; } import ietf-ssh-common { prefix sshcmn; reference "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: https://datatracker.ietf.org/wg/netconf WG List: NETCONF WG list <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; description "This module defines a reusable grouping for SSH servers that can be used as a basis for specific SSH server instances. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9644 (https://www.rfc-editor.org/info/rfc9644); see the RFC itself for full legal notices."; revision "2024-10-10" { description "Initial version."; reference "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; } feature ssh-server-keepalives { description "SSH keepalive parameters are configurable for SSH servers on the server implementing this feature."; } feature local-users-supported { description "Indicates that the configuration for users can be configured herein, as opposed to in an application- specific location."; } feature local-user-auth-publickey { if-feature local-users-supported; description "Indicates that the 'publickey' authentication type, per RFC 4252, is supported for locally defined users. The 'publickey' authentication type is required by RFC 4252, but common implementations allow it to be disabled."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; } feature local-user-auth-password { if-feature local-users-supported; description "Indicates that the 'password' authentication type, per RFC 4252, is supported for locally defined users."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; } feature local-user-auth-hostbased { if-feature local-users-supported; description "Indicates that the 'hostbased' authentication type, per RFC 4252, is supported for locally defined users."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; } feature local-user-auth-none { if-feature local-users-supported; description "Indicates that the 'none' authentication type, per RFC 4252, is supported. It is NOT RECOMMENDED to enable this feature."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; } grouping ssh-server-grouping { description "A reusable grouping for configuring an SSH server without any consideration for how underlying TCP sessions are established. Note that this grouping uses fairly typical descendant node names such that a nesting of 'uses' statements will have name conflicts. It is intended that the consuming data model will resolve the issue (e.g., by wrapping the 'uses' statement in a container called 'ssh-server-parameters'). This model purposely does not do this itself so as to provide maximum flexibility to consuming models."; container server-identity { nacm:default-deny-write; description "The list of host keys the SSH server will present when establishing an SSH connection."; list host-key { key "name"; min-elements 1; ordered-by user; description "An ordered list of host keys (see RFC 4251) the SSH server will use to construct its ordered list of algorithms when sending its SSH_MSG_KEXINIT message, as defined in Section 7.1 of RFC 4253."; reference "RFC 4251: The Secure Shell (SSH) Protocol Architecture RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; leaf name { type string; description "An arbitrary name for this host key."; } choice host-key-type { mandatory true; description "The type of host key being specified."; container public-key { description "A locally defined or referenced asymmetric key pair to be used for the SSH server's host key."; reference "RFC 9642: A YANG Data Model for a Keystore"; uses ks:inline-or-keystore-asymmetric-key-grouping { refine inline-or-keystore/inline/inline-definition { must 'not(public-key-format) or derived-from-or-self' + '(public-key-format, "ct:ssh-public-key-format")'; } refine inline-or-keystore/central-keystore/central-keystore-reference { must 'not(deref(.)/../ks:public-key-format) or ' + 'derived-from-or-self(deref(.)/../ks:public-' + 'key-format, "ct:ssh-public-key-format")'; } } } // container public-key container certificate { if-feature sshcmn:ssh-x509-certs; description "A locally defined or referenced end-entity certificate to be used for the SSH server's host key."; reference "RFC 9642: A YANG Data Model for a Keystore"; uses ks:inline-or-keystore-end-entity-cert-with-key-grouping { refine inline-or-keystore/inline/inline-definition { must 'not(public-key-format) or derived-from-or-self' + '(public-key-format, "ct:subject-public-key-' + 'info-format")'; } refine inline-or-keystore/central-keystore/central-keystore-reference/asymmetric-key { must 'not(deref(.)/../ks:public-key-format) or ' + 'derived-from-or-self(deref(.)/../ks:public-key' + '-format, "ct:subject-public-key-info-format")'; } } } // container certificate } // choice host-key-type } // list host-key } // container server-identity container client-authentication { nacm:default-deny-write; description "Specifies how the SSH server can be configured to authenticate SSH clients. See RFC 4252 for a general discussion about SSH authentication."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; container users { if-feature local-users-supported; description "A list of locally configured users."; list user { key "name"; description "A locally configured user. The server SHOULD derive the list of authentication 'method names' returned to the SSH client from the descendant nodes configured herein, per Sections 5.1 and 5.2 of RFC 4252. The authentication methods are unordered. Clients must authenticate to all configured methods. Whenever a choice amongst methods arises, implementations SHOULD use a default ordering that prioritizes automation over human interaction."; leaf name { type string; description "The 'username' for the SSH client, as defined in the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; reference "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; } container public-keys { if-feature local-user-auth-publickey; presence "Indicates that public keys have been configured. This statement is present so the mandatory descendant nodes do not imply that this node must be configured."; description "A set of SSH public keys may be used by the SSH server to authenticate this user. A user is authenticated if its public key is an exact match to a configured public key."; reference "RFC 9641: A YANG Data Model for a Truststore"; uses ts:inline-or-truststore-public-keys-grouping { refine inline-or-truststore/inline/inline-definition/public-key { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } refine inline-or-truststore/central-truststore/central-truststore-reference { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:ssh-' + 'public-key-format"))])'; } } } // container public-keys container password { description "A password the SSH server may use to authenticate this user. A user is authenticated if the hash of the supplied password matches this value."; leaf hashed-password { if-feature local-user-auth-password; type ianach:crypt-hash; description "The password for this user."; } leaf last-modified { type yang:date-and-time; config false; description "Identifies when the password was last set."; } } // container password container hostbased { if-feature local-user-auth-hostbased; presence "Indicates that host-based (RFC 4252) keys have been configured. This statement is present so the mandatory descendant nodes do not imply that this node must be configured."; description "A set of SSH host keys used by the SSH server to authenticate this user's host. A user's host is authenticated if its host key is an exact match to a configured host key."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol RFC 9641: A YANG Data Model for a Truststore"; uses ts:inline-or-truststore-public-keys-grouping { refine inline-or-truststore/inline/inline-definition/public-key { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } refine inline-or-truststore/central-truststore/central-truststore-reference { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:ssh-' + 'public-key-format"))])'; } } } // container hostbased leaf none { if-feature local-user-auth-none; type empty; description "Indicates that the 'none' method is configured for this user."; reference "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; } } // list user } // container users container ca-certs { if-feature sshcmn:ssh-x509-certs; presence "Indicates that CA certificates have been configured. This statement is present so the mandatory descendant nodes do not imply this node must be configured."; description "A set of Certification Authority (CA) certificates used by the SSH server to authenticate SSH client certificates. A client certificate is authenticated if it has a valid chain of trust to a configured CA certificate."; reference "RFC 9641: A YANG Data Model for a Truststore"; uses ts:inline-or-truststore-certs-grouping; } // container ca-certs container ee-certs { if-feature sshcmn:ssh-x509-certs; presence "Indicates that EE certificates have been configured. This statement is present so the mandatory descendant nodes do not imply this node must be configured."; description "A set of client certificates (i.e., end-entity certificates) used by the SSH server to authenticate the certificates presented by SSH clients. A client certificate is authenticated if it is an exact match to a configured end-entity certificate."; reference "RFC 9641: A YANG Data Model for a Truststore"; uses ts:inline-or-truststore-certs-grouping; } // container ee-certs } // container client-authentication container transport-params { nacm:default-deny-write; if-feature sshcmn:transport-params; description "Configurable parameters of the SSH transport layer."; uses sshcmn:transport-params-grouping; } // container transport-params container keepalives { nacm:default-deny-write; if-feature ssh-server-keepalives; presence "Indicates that the SSH server proactively tests the aliveness of the remote SSH client."; description "Configures the keepalive policy to proactively test the aliveness of the SSH client. An unresponsive SSH client is dropped after approximately max-wait * max-attempts seconds. Per Section 4 of RFC 4254, the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST message with a purposely nonexistent 'request name' value (e.g., keepalive@example.com) and the 'want reply' value set to '1'."; reference "RFC 4254: The Secure Shell (SSH) Connection Protocol"; leaf max-wait { type uint16 { range "1..max"; } units "seconds"; default "30"; description "Sets the amount of time in seconds after which an SSH-level message will be sent to test the aliveness of the SSH client if no data has been received from the SSH client."; } leaf max-attempts { type uint8; default "3"; description "Sets the maximum number of sequential keepalive messages that can fail to obtain a response from the SSH client before assuming the SSH client is no longer alive."; } } // container keepalives } // grouping ssh-server-grouping } // module ietf-ssh-server
© 2024 YumaWorks, Inc. All rights reserved.