module ietf-ssh-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
prefix "sshs";
import ietf-ssh-common {
prefix sshcmn;
revision-date 2018-10-22; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
}
import ietf-trust-anchors {
prefix ta;
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
import ietf-keystore {
prefix ks;
reference
"RFC ZZZZ:
YANG Data Model for a Centralized Keystore Mechanism";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
Author: Gary Wu
";
description
"This module defines a reusable grouping for a SSH server that
can be used as a basis for specific SSH server instances.
Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision "2018-10-22" {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
}
// features
feature ssh-server-transport-params-config {
description
"SSH transport layer parameters are configurable on an SSH
server.";
}
// groupings
grouping ssh-server-grouping {
description
"A reusable grouping for configuring a SSH server without
any consideration for how underlying TCP sessions are
established.";
uses server-identity-grouping;
uses client-auth-grouping;
uses transport-params-grouping;
}
grouping server-identity-grouping {
description
"A reusable grouping for configuring an SSH server identity.";
container server-identity {
description
"The list of host-keys the SSH server will present when
establishing a SSH connection.";
list host-key {
key name;
min-elements 1;
ordered-by user;
description
"An ordered list of host keys the SSH server will use to
construct its ordered list of algorithms, when sending
its SSH_MSG_KEXINIT message, as defined in Section 7.1
of RFC 4253.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol";
leaf name {
type string;
description
"An arbitrary name for this host-key";
}
choice host-key-type {
mandatory true;
description
"The type of host key being specified";
container public-key {
uses ks:local-or-keystore-asymmetric-key-grouping;
description
"A locally-defined or referenced asymmetric key pair
to be used for the SSH server's host key.";
reference
"RFC ZZZZ: YANG Data Model for a Centralized
Keystore Mechanism";
}
container certificate {
if-feature sshcmn:ssh-x509-certs;
uses
ks:local-or-keystore-end-entity-cert-with-key-grouping;
description
"A locally-defined or referenced end-entity
certificate to be used for the SSH server's
host key.";
reference
"RFC ZZZZ: YANG Data Model for a Centralized
Keystore Mechanism";
}
}
}
} // end server-identity
} // end server-identity-grouping
grouping client-auth-grouping {
description
"A reusable grouping for configuring a SSH client
authentication.";
container client-cert-auth {
if-feature sshcmn:ssh-x509-certs;
description
"A reference to a list of pinned certificate authority (CA)
certificates and a reference to a list of pinned client
certificates.
Note: password and public-key based client authentication
are not configured in this YANG module as they are
expected to be configured by the ietf-system module
defined in RFC 7317.";
reference
"RFC 7317: A YANG Data Model for System Management";
leaf pinned-ca-certs {
if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref;
description
"A reference to a list of certificate authority (CA)
certificates used by the SSH server to authenticate
SSH client certificates. A client certificate is
authenticated if it has a valid chain of trust to
a configured pinned CA certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
leaf pinned-client-certs {
if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref;
description
"A reference to a list of client certificates used by
the SSH server to authenticate SSH client certificates.
A clients certificate is authenticated if it is an
exact match to a configured pinned client certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
}
} // end client-auth-grouping
grouping transport-params-grouping {
description
"A reusable grouping for configuring a SSH transport
parameters.";
container transport-params {
if-feature ssh-server-transport-params-config;
description
"Configurable parameters of the SSH transport layer.";
uses sshcmn:transport-params-grouping;
}
} // end transport-params-grouping
}