commit 68404fd546a50f696afb9bca72080aca93fa4195
author roman <xjanot04@fit.vutbr.cz> Mon Jul 24 10:40:59 2023 +0200
committer Michal Vasko <mvasko@cesnet.cz> Fri Nov 03 15:03:11 2023 +0100
tree 37cb0e1f9b348c761f84962155a6cecdbddb2d27
parent 9ce2407b3c14e1ccbd612df62dc034fa46d7a751

config UPDATE add auth attempts and timeout

Also moved around some functions, so the order of their definitions
makes more sense.

src/config_new_ssh.c

diff --git a/src/config_new_ssh.c b/src/config_new_ssh.c
index d3c3d57..6f09c92 100644
--- a/src/config_new_ssh.c
+++ b/src/config_new_ssh.c
@@ -181,6 +181,639 @@
     }
 }
 
+API int
+nc_server_config_new_ch_ssh_keystore_reference(const struct ly_ctx *ctx, const char *client_name,
+        const char *endpt_name, const char *hostkey_name, const char *keystore_reference, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, hostkey_name, keystore_reference, 1);
+    NC_CHECK_ARG_RET(NULL, config, 1);
+
+    return nc_config_new_create(ctx, config, keystore_reference, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/"
+            "host-key[name='%s']/public-key/keystore-reference", client_name, endpt_name, hostkey_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_del_keystore_reference(const char *client_name, const char *endpt_name,
+        const char *hostkey_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, hostkey_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/"
+            "host-key[name='%s']/public-key/keystore-reference", client_name, endpt_name, hostkey_name);
+}
+
+API int
+nc_server_config_new_ssh_keystore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *hostkey_name,
+        const char *keystore_reference, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, hostkey_name, keystore_reference, config, 1);
+
+    return nc_config_new_create(ctx, config, keystore_reference, "/ietf-netconf-server:netconf-server/listen/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/host-key[name='%s']/public-key/"
+            "keystore-reference", endpt_name, hostkey_name);
+}
+
+API int
+nc_server_config_new_ssh_del_keystore_reference(const char *endpt_name, const char *hostkey_name,
+        struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/host-key[name='%s']/public-key/"
+            "keystore-reference", endpt_name, hostkey_name);
+}
+
+API int
+nc_server_config_new_ssh_auth_attempts(const struct ly_ctx *ctx, const char *endpt_name, uint16_t auth_attempts,
+        struct lyd_node **config)
+{
+    int ret = 0;
+    char *attempts_buf = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);
+
+    /* uint to str */
+    if (asprintf(&attempts_buf, "%u", auth_attempts) == -1) {
+        ERRMEM;
+        attempts_buf = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, attempts_buf, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/libnetconf2-netconf-server:auth-attempts", endpt_name);
+
+cleanup:
+    free(attempts_buf);
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_auth_timeout(const struct ly_ctx *ctx, const char *endpt_name, uint16_t auth_timeout,
+        struct lyd_node **config)
+{
+    int ret = 0;
+    char *timeout_buf = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);
+
+    /* uint to str */
+    if (asprintf(&timeout_buf, "%u", auth_timeout) == -1) {
+        ERRMEM;
+        timeout_buf = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, timeout_buf, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/libnetconf2-netconf-server:auth-timeout", endpt_name);
+
+cleanup:
+    free(timeout_buf);
+    return ret;
+}
+
+API int
+nc_server_config_new_ch_ssh_auth_attempts(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        uint16_t auth_attempts, struct lyd_node **config)
+{
+    int ret = 0;
+    char *attempts_buf = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, config, 1);
+
+    /* uint to str */
+    if (asprintf(&attempts_buf, "%u", auth_attempts) == -1) {
+        ERRMEM;
+        attempts_buf = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, attempts_buf, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "libnetconf2-netconf-server:auth-attempts", client_name, endpt_name);
+
+cleanup:
+    free(attempts_buf);
+    return ret;
+}
+
+API int
+nc_server_config_new_ch_ssh_auth_timeout(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        uint16_t auth_timeout, struct lyd_node **config)
+{
+    int ret = 0;
+    char *timeout_buf = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, config, 1);
+
+    /* uint to str */
+    if (asprintf(&timeout_buf, "%u", auth_timeout) == -1) {
+        ERRMEM;
+        timeout_buf = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, timeout_buf, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "libnetconf2-netconf-server:auth-timeout", client_name, endpt_name);
+
+cleanup:
+    free(timeout_buf);
+    return ret;
+}
+
+static int
+_nc_server_config_new_ssh_user_pubkey(const struct ly_ctx *ctx, const char *tree_path, const char *pubkey_path,
+        struct lyd_node **config)
+{
+    int ret = 0;
+    char *pubkey = NULL;
+    NC_PUBKEY_FORMAT pubkey_type;
+    const char *pubkey_format;
+
+    /* get pubkey data */
+    ret = nc_server_config_new_get_pubkey(pubkey_path, &pubkey, &pubkey_type);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* get pubkey format */
+    if (pubkey_type == NC_PUBKEY_FORMAT_SSH2) {
+        pubkey_format = "ietf-crypto-types:ssh-public-key-format";
+    } else {
+        pubkey_format = "ietf-crypto-types:subject-public-key-info-format";
+    }
+
+    ret = nc_config_new_create_append(ctx, tree_path, "public-key-format", pubkey_format, config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create_append(ctx, tree_path, "public-key", pubkey, config);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(pubkey);
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_user_pubkey(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *user_name, const char *pubkey_name, const char *pubkey_path, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, pubkey_name, pubkey_path, 1);
+    NC_CHECK_ARG_RET(NULL, config, 1);
+
+    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition/"
+            "public-key[name='%s']", endpt_name, user_name, pubkey_name) == -1) {
+        ERRMEM;
+        path = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = _nc_server_config_new_ssh_user_pubkey(ctx, path, pubkey_path, config);
+    if (ret) {
+        ERR(NULL, "Creating new user's public key failed.");
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_new_ch_ssh_user_pubkey(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        const char *user_name, const char *pubkey_name, const char *pubkey_path, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, pubkey_name, 1);
+    NC_CHECK_ARG_RET(NULL, pubkey_path, config, 1);
+
+    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/public-keys/inline-definition/public-key[name='%s']", client_name,
+            endpt_name, user_name, pubkey_name) == -1) {
+        ERRMEM;
+        path = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = _nc_server_config_new_ssh_user_pubkey(ctx, path, pubkey_path, config);
+    if (ret) {
+        ERR(NULL, "Creating new user's public key failed.");
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_del_user_pubkey(const char *endpt_name, const char *user_name,
+        const char *pubkey_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
+
+    if (pubkey_name) {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+                "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition/"
+                "public-key[name='%s']", endpt_name, user_name, pubkey_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+                "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition/"
+                "public-key", endpt_name, user_name);
+    }
+}
+
+API int
+nc_server_config_new_ch_ssh_del_user_pubkey(const char *client_name, const char *endpt_name,
+        const char *user_name, const char *pubkey_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
+
+    if (pubkey_name) {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+                "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+                "users/user[name='%s']/public-keys/inline-definition/public-key[name='%s']", client_name,
+                endpt_name, user_name, pubkey_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+                "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+                "users/user[name='%s']/public-keys/inline-definition/public-key", client_name,
+                endpt_name, user_name);
+    }
+}
+
+static int
+_nc_server_config_new_ssh_user_password(const struct ly_ctx *ctx, const char *tree_path,
+        const char *password, struct lyd_node **config)
+{
+    int ret = 0;
+    char *hashed_pw = NULL;
+    const char *salt = "$6$idsizuippipk$";
+
+#ifdef HAVE_CRYPT_R
+    struct crypt_data cdata;
+#endif
+
+#ifdef HAVE_CRYPT_R
+    cdata.initialized = 0;
+    hashed_pw = crypt_r(password, salt, &data);
+#else
+    pthread_mutex_lock(&crypt_lock);
+    hashed_pw = crypt(password, salt);
+    pthread_mutex_unlock(&crypt_lock);
+#endif
+
+    if (!hashed_pw) {
+        ERR(NULL, "Hashing password failed.");
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create_append(ctx, tree_path, "password", hashed_pw, config);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_user_password(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *user_name, const char *password, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, password, config, 1);
+
+    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
+            "client-authentication/users/user[name='%s']", endpt_name, user_name) == -1) {
+        ERRMEM;
+        path = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = _nc_server_config_new_ssh_user_password(ctx, path, password, config);
+    if (ret) {
+        ERR(NULL, "Creating new user's public key failed.");
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_new_ch_ssh_user_password(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        const char *user_name, const char *password, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, password, 1);
+    NC_CHECK_ARG_RET(NULL, config, 1);
+
+    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']", client_name, endpt_name, user_name) == -1) {
+        ERRMEM;
+        path = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = _nc_server_config_new_ssh_user_password(ctx, path, password, config);
+    if (ret) {
+        ERR(NULL, "Creating new user's password failed.");
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_del_user_password(const char *endpt_name, const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/password", endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_del_user_password(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/password", client_name, endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ssh_user_none(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, config, 1);
+
+    return nc_config_new_create(ctx, config, NULL, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/none", endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_user_none(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, config, 1);
+
+    return nc_config_new_create(ctx, config, NULL, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/none", client_name, endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ssh_del_user_none(const char *endpt_name, const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/none", endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_del_user_none(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/none", client_name, endpt_name, user_name);
+}
+
+static int
+_nc_server_config_new_ssh_user_interactive(const struct ly_ctx *ctx, const char *tree_path,
+        const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
+{
+    int ret = 0;
+
+    ret = nc_config_new_create_append(ctx, tree_path, "pam-config-file-name", pam_config_name, config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    if (pam_config_dir) {
+        ret = nc_config_new_create_append(ctx, tree_path, "pam-config-file-dir", pam_config_dir, config);
+        if (ret) {
+            goto cleanup;
+        }
+    }
+
+cleanup:
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_user_interactive(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, pam_config_name, config, 1);
+
+    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
+            "client-authentication/users/user[name='%s']/"
+            "libnetconf2-netconf-server:keyboard-interactive", endpt_name, user_name) == -1) {
+        ERRMEM;
+        path = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = _nc_server_config_new_ssh_user_interactive(ctx, path, pam_config_name, pam_config_dir, config);
+    if (ret) {
+        ERR(NULL, "Creating new user's keyboard interactive nodes failed.");
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_new_ch_ssh_user_interactive(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, pam_config_name, 1);
+    NC_CHECK_ARG_RET(NULL, config, 1);
+
+    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "libnetconf2-netconf-server:keyboard-interactive", client_name, endpt_name, user_name) == -1) {
+        ERRMEM;
+        path = NULL;
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = _nc_server_config_new_ssh_user_interactive(ctx, path, pam_config_name, pam_config_dir, config);
+    if (ret) {
+        ERR(NULL, "Creating new user's keyboard interactive nodes failed.");
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_new_ssh_del_user_interactive(const char *endpt_name, const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "libnetconf2-netconf-server:keyboard-interactive", endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_del_user_interactive(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "libnetconf2-netconf-server:keyboard-interactive", client_name, endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ssh_del_user(const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    if (user_name) {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+                "ssh-server-parameters/client-authentication/users/user[name='%s']", endpt_name, user_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+                "ssh-server-parameters/client-authentication/users/user", endpt_name);
+    }
+}
+
+API int
+nc_server_config_new_ch_ssh_del_user(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
+
+    if (user_name) {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+                "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']", client_name,
+                endpt_name, user_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+                "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user", client_name, endpt_name);
+    }
+}
+
+API int
+nc_config_new_ssh_endpoint_user_reference(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *referenced_endpt, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);
+
+    return nc_config_new_create(ctx, config, referenced_endpt, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
+            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
+}
+
+API int
+nc_config_new_ssh_del_endpoint_user_reference(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
+            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
+}
+
+API int
+nc_server_config_new_ssh_truststore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *user_name,
+        const char *truststore_reference, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, truststore_reference, config, 1);
+
+    return nc_config_new_create(ctx, config, truststore_reference, "/ietf-netconf-server:netconf-server/listen/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
+            "truststore-reference", endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_truststore_reference(const struct ly_ctx *ctx, const char *client_name,
+        const char *endpt_name, const char *user_name, const char *truststore_reference, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, truststore_reference, 1);
+    NC_CHECK_ARG_RET(NULL, config, 1);
+
+    return nc_config_new_create(ctx, config, truststore_reference, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/public-keys/truststore-reference", client_name, endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ssh_del_truststore_reference(const char *endpt_name, const char *user_name,
+        struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
+            "truststore-reference", endpt_name, user_name);
+}
+
+API int
+nc_server_config_new_ch_ssh_del_truststore_reference(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
+            "users/user[name='%s']/public-keys/truststore-reference", client_name, endpt_name, user_name);
+}
+
 static int
 nc_server_config_new_ssh_transport_params_prep(const struct ly_ctx *ctx, const char *client_name,
         const char *endpt_name, struct lyd_node *config, struct lyd_node **new_tree, struct lyd_node **alg_tree)
@@ -620,534 +1253,3 @@
                 "endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/transport-params/mac", client_name, endpt_name);
     }
 }
-
-API int
-nc_server_config_new_ssh_del_user(const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
-
-    if (user_name) {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-                "ssh-server-parameters/client-authentication/users/user[name='%s']", endpt_name, user_name);
-    } else {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-                "ssh-server-parameters/client-authentication/users/user", endpt_name);
-    }
-}
-
-API int
-nc_server_config_new_ch_ssh_del_user(const char *client_name, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
-
-    if (user_name) {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-                "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']", client_name,
-                endpt_name, user_name);
-    } else {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-                "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user", client_name, endpt_name);
-    }
-}
-
-static int
-_nc_server_config_new_ssh_user_pubkey(const struct ly_ctx *ctx, const char *tree_path, const char *pubkey_path,
-        struct lyd_node **config)
-{
-    int ret = 0;
-    char *pubkey = NULL;
-    NC_PUBKEY_FORMAT pubkey_type;
-    const char *pubkey_format;
-
-    /* get pubkey data */
-    ret = nc_server_config_new_get_pubkey(pubkey_path, &pubkey, &pubkey_type);
-    if (ret) {
-        goto cleanup;
-    }
-
-    /* get pubkey format */
-    if (pubkey_type == NC_PUBKEY_FORMAT_SSH2) {
-        pubkey_format = "ietf-crypto-types:ssh-public-key-format";
-    } else {
-        pubkey_format = "ietf-crypto-types:subject-public-key-info-format";
-    }
-
-    ret = nc_config_new_create_append(ctx, tree_path, "public-key-format", pubkey_format, config);
-    if (ret) {
-        goto cleanup;
-    }
-
-    ret = nc_config_new_create_append(ctx, tree_path, "public-key", pubkey, config);
-    if (ret) {
-        goto cleanup;
-    }
-
-cleanup:
-    free(pubkey);
-    return ret;
-}
-
-API int
-nc_server_config_new_ssh_user_pubkey(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *user_name, const char *pubkey_name, const char *pubkey_path, struct lyd_node **config)
-{
-    int ret = 0;
-    char *path = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, pubkey_name, pubkey_path, 1);
-    NC_CHECK_ARG_RET(NULL, config, 1);
-
-    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition/"
-            "public-key[name='%s']", endpt_name, user_name, pubkey_name) == -1) {
-        ERRMEM;
-        path = NULL;
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = _nc_server_config_new_ssh_user_pubkey(ctx, path, pubkey_path, config);
-    if (ret) {
-        ERR(NULL, "Creating new user's public key failed.");
-        goto cleanup;
-    }
-
-cleanup:
-    free(path);
-    return ret;
-}
-
-API int
-nc_server_config_new_ch_ssh_user_pubkey(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
-        const char *user_name, const char *pubkey_name, const char *pubkey_path, struct lyd_node **config)
-{
-    int ret = 0;
-    char *path = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, pubkey_name, 1);
-    NC_CHECK_ARG_RET(NULL, pubkey_path, config, 1);
-
-    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/public-keys/inline-definition/public-key[name='%s']", client_name,
-            endpt_name, user_name, pubkey_name) == -1) {
-        ERRMEM;
-        path = NULL;
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = _nc_server_config_new_ssh_user_pubkey(ctx, path, pubkey_path, config);
-    if (ret) {
-        ERR(NULL, "Creating new user's public key failed.");
-        goto cleanup;
-    }
-
-cleanup:
-    free(path);
-    return ret;
-}
-
-API int
-nc_server_config_new_ssh_del_user_pubkey(const char *endpt_name, const char *user_name,
-        const char *pubkey_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
-
-    if (pubkey_name) {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-                "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition/"
-                "public-key[name='%s']", endpt_name, user_name, pubkey_name);
-    } else {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-                "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition/"
-                "public-key", endpt_name, user_name);
-    }
-}
-
-API int
-nc_server_config_new_ch_ssh_del_user_pubkey(const char *client_name, const char *endpt_name,
-        const char *user_name, const char *pubkey_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
-
-    if (pubkey_name) {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
-                "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-                "users/user[name='%s']/public-keys/inline-definition/public-key[name='%s']", client_name,
-                endpt_name, user_name, pubkey_name);
-    } else {
-        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
-                "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-                "users/user[name='%s']/public-keys/inline-definition/public-key", client_name,
-                endpt_name, user_name);
-    }
-}
-
-static int
-_nc_server_config_new_ssh_user_password(const struct ly_ctx *ctx, const char *tree_path,
-        const char *password, struct lyd_node **config)
-{
-    int ret = 0;
-    char *hashed_pw = NULL;
-    const char *salt = "$6$idsizuippipk$";
-
-#ifdef HAVE_CRYPT_R
-    struct crypt_data cdata;
-#endif
-
-#ifdef HAVE_CRYPT_R
-    cdata.initialized = 0;
-    hashed_pw = crypt_r(password, salt, &data);
-#else
-    pthread_mutex_lock(&crypt_lock);
-    hashed_pw = crypt(password, salt);
-    pthread_mutex_unlock(&crypt_lock);
-#endif
-
-    if (!hashed_pw) {
-        ERR(NULL, "Hashing password failed.");
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = nc_config_new_create_append(ctx, tree_path, "password", hashed_pw, config);
-    if (ret) {
-        goto cleanup;
-    }
-
-cleanup:
-    return ret;
-}
-
-API int
-nc_server_config_new_ssh_user_password(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *user_name, const char *password, struct lyd_node **config)
-{
-    int ret = 0;
-    char *path = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, password, config, 1);
-
-    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
-            "client-authentication/users/user[name='%s']", endpt_name, user_name) == -1) {
-        ERRMEM;
-        path = NULL;
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = _nc_server_config_new_ssh_user_password(ctx, path, password, config);
-    if (ret) {
-        ERR(NULL, "Creating new user's public key failed.");
-        goto cleanup;
-    }
-
-cleanup:
-    free(path);
-    return ret;
-}
-
-API int
-nc_server_config_new_ch_ssh_user_password(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
-        const char *user_name, const char *password, struct lyd_node **config)
-{
-    int ret = 0;
-    char *path = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, password, 1);
-    NC_CHECK_ARG_RET(NULL, config, 1);
-
-    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']", client_name, endpt_name, user_name) == -1) {
-        ERRMEM;
-        path = NULL;
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = _nc_server_config_new_ssh_user_password(ctx, path, password, config);
-    if (ret) {
-        ERR(NULL, "Creating new user's password failed.");
-        goto cleanup;
-    }
-
-cleanup:
-    free(path);
-    return ret;
-}
-
-API int
-nc_server_config_new_ssh_del_user_password(const char *endpt_name, const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-            "ssh-server-parameters/client-authentication/users/user[name='%s']/password", endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_del_user_password(const char *client_name, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/password", client_name, endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ssh_user_none(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, config, 1);
-
-    return nc_config_new_create(ctx, config, NULL, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/none", endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_user_none(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, config, 1);
-
-    return nc_config_new_create(ctx, config, NULL, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/none", client_name, endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ssh_del_user_none(const char *endpt_name, const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-            "ssh-server-parameters/client-authentication/users/user[name='%s']/none", endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_del_user_none(const char *client_name, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/none", client_name, endpt_name, user_name);
-}
-
-static int
-_nc_server_config_new_ssh_user_interactive(const struct ly_ctx *ctx, const char *tree_path,
-        const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
-{
-    int ret = 0;
-
-    ret = nc_config_new_create_append(ctx, tree_path, "pam-config-file-name", pam_config_name, config);
-    if (ret) {
-        goto cleanup;
-    }
-
-    if (pam_config_dir) {
-        ret = nc_config_new_create_append(ctx, tree_path, "pam-config-file-dir", pam_config_dir, config);
-        if (ret) {
-            goto cleanup;
-        }
-    }
-
-cleanup:
-    return ret;
-}
-
-API int
-nc_server_config_new_ssh_user_interactive(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
-{
-    int ret = 0;
-    char *path = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, pam_config_name, config, 1);
-
-    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
-            "client-authentication/users/user[name='%s']/"
-            "libnetconf2-netconf-server:keyboard-interactive", endpt_name, user_name) == -1) {
-        ERRMEM;
-        path = NULL;
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = _nc_server_config_new_ssh_user_interactive(ctx, path, pam_config_name, pam_config_dir, config);
-    if (ret) {
-        ERR(NULL, "Creating new user's keyboard interactive nodes failed.");
-        goto cleanup;
-    }
-
-cleanup:
-    free(path);
-    return ret;
-}
-
-API int
-nc_server_config_new_ch_ssh_user_interactive(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
-        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
-{
-    int ret = 0;
-    char *path = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, pam_config_name, 1);
-    NC_CHECK_ARG_RET(NULL, config, 1);
-
-    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
-            "libnetconf2-netconf-server:keyboard-interactive", client_name, endpt_name, user_name) == -1) {
-        ERRMEM;
-        path = NULL;
-        ret = 1;
-        goto cleanup;
-    }
-
-    ret = _nc_server_config_new_ssh_user_interactive(ctx, path, pam_config_name, pam_config_dir, config);
-    if (ret) {
-        ERR(NULL, "Creating new user's keyboard interactive nodes failed.");
-        goto cleanup;
-    }
-
-cleanup:
-    free(path);
-    return ret;
-}
-
-API int
-nc_server_config_new_ssh_del_user_interactive(const char *endpt_name, const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
-            "ssh-server-parameters/client-authentication/users/user[name='%s']/"
-            "libnetconf2-netconf-server:keyboard-interactive", endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_del_user_interactive(const char *client_name, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
-            "libnetconf2-netconf-server:keyboard-interactive", client_name, endpt_name, user_name);
-}
-
-API int
-nc_config_new_ssh_endpoint_user_reference(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *referenced_endpt, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);
-
-    return nc_config_new_create(ctx, config, referenced_endpt, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
-            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
-}
-
-API int
-nc_config_new_ssh_del_endpoint_user_reference(const char *endpt_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
-            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_keystore_reference(const struct ly_ctx *ctx, const char *client_name,
-        const char *endpt_name, const char *hostkey_name, const char *keystore_reference, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, hostkey_name, keystore_reference, 1);
-    NC_CHECK_ARG_RET(NULL, config, 1);
-
-    return nc_config_new_create(ctx, config, keystore_reference, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/"
-            "host-key[name='%s']/public-key/keystore-reference", client_name, endpt_name, hostkey_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_del_keystore_reference(const char *client_name, const char *endpt_name,
-        const char *hostkey_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, hostkey_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/"
-            "host-key[name='%s']/public-key/keystore-reference", client_name, endpt_name, hostkey_name);
-}
-
-API int
-nc_server_config_new_ssh_keystore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *hostkey_name,
-        const char *keystore_reference, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, hostkey_name, keystore_reference, config, 1);
-
-    return nc_config_new_create(ctx, config, keystore_reference, "/ietf-netconf-server:netconf-server/listen/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/host-key[name='%s']/public-key/"
-            "keystore-reference", endpt_name, hostkey_name);
-}
-
-API int
-nc_server_config_new_ssh_del_keystore_reference(const char *endpt_name, const char *hostkey_name,
-        struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/server-identity/host-key[name='%s']/public-key/"
-            "keystore-reference", endpt_name, hostkey_name);
-}
-
-API int
-nc_server_config_new_ssh_truststore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *user_name,
-        const char *truststore_reference, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, truststore_reference, config, 1);
-
-    return nc_config_new_create(ctx, config, truststore_reference, "/ietf-netconf-server:netconf-server/listen/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
-            "truststore-reference", endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_truststore_reference(const struct ly_ctx *ctx, const char *client_name,
-        const char *endpt_name, const char *user_name, const char *truststore_reference, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, truststore_reference, 1);
-    NC_CHECK_ARG_RET(NULL, config, 1);
-
-    return nc_config_new_create(ctx, config, truststore_reference, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/public-keys/truststore-reference", client_name, endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ssh_del_truststore_reference(const char *endpt_name, const char *user_name,
-        struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
-            "truststore-reference", endpt_name, user_name);
-}
-
-API int
-nc_server_config_new_ch_ssh_del_truststore_reference(const char *client_name, const char *endpt_name,
-        const char *user_name, struct lyd_node **config)
-{
-    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
-
-    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
-            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/"
-            "users/user[name='%s']/public-keys/truststore-reference", client_name, endpt_name, user_name);
-}

src/server_config.h

diff --git a/src/server_config.h b/src/server_config.h
index 2687a4f..b53036a 100644
--- a/src/server_config.h
+++ b/src/server_config.h
@@ -250,6 +250,36 @@
         struct lyd_node **config);
 
 /**
+ * @brief Creates new YANG configuration data nodes for the maximum amount of failed SSH authentication attempts.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its contents might be changed.
+ * @param[in] auth_attempts Maximum amount of failed SSH authentication attempts after which a
+ * client is disconnected. The default value is 3.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_ssh_auth_attempts(const struct ly_ctx *ctx, const char *endpt_name, uint16_t auth_attempts,
+        struct lyd_node **config);
+
+/**
+ * @brief Creates new YANG configuration data nodes for an SSH authentication timeout.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its contents might be changed.
+ * @param[in] auth_timeout Maximum amount of time in seconds after which the authentication is deemed
+ * unsuccessful. The default value is 10.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_ssh_auth_timeout(const struct ly_ctx *ctx, const char *endpt_name, uint16_t auth_timeout,
+        struct lyd_node **config);
+
+/**
  * @brief Creates new YANG configuration data nodes for an SSH user's public key authentication method.
  *
  * @param[in] ctx libyang context.
@@ -1065,6 +1095,40 @@
         const char *hostkey_name, struct lyd_node **config);
 
 /**
+ * @brief Creates new YANG configuration data nodes for the maximum amount of failed Call-Home SSH authentication attempts.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] client_name Arbitrary identifier of the call-home client.
+ * If a call-home client with this identifier already exists, its contents will be changed.
+ * @param[in] endpt_name Arbitrary identifier of the client's endpoint.
+ * If the client's endpoint with this identifier already exists, its contents will be changed.
+ * @param[in] auth_attempts Maximum amount of failed SSH authentication attempts after which a
+ * client is disconnected. The default value is 3.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_ch_ssh_auth_attempts(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        uint16_t auth_attempts, struct lyd_node **config);
+
+/**
+ * @brief Creates new YANG configuration data nodes for a Call-Home SSH authentication timeout.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] client_name Arbitrary identifier of the call-home client.
+ * If a call-home client with this identifier already exists, its contents will be changed.
+ * @param[in] endpt_name Arbitrary identifier of the client's endpoint.
+ * If the client's endpoint with this identifier already exists, its contents will be changed.
+ * @param[in] auth_timeout Maximum amount of time in seconds after which the authentication is deemed
+ * unsuccessful. The default value is 10.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_ch_ssh_auth_timeout(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
+        uint16_t auth_timeout, struct lyd_node **config);
+
+/**
  * @brief Creates new YANG data nodes for a Call-Home SSH user's public key authentication method.
  *
  * @param[in] ctx libyang context.