modules/ietf-ssh-common@2023-04-17.yang - github/CESNET/libnetconf2 - Gitiles

 module ietf-ssh-common {
   yang-version 1.1;
   namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
   prefix sshcmn;

   import iana-ssh-encryption-algs {
     prefix sshea;
     reference
       "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
   }

   import iana-ssh-key-exchange-algs {
     prefix sshkea;
     reference
       "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
   }

   import iana-ssh-mac-algs {
     prefix sshma;
     reference
       "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
   }

   import iana-ssh-public-key-algs {
     prefix sshpka;
     reference
       "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
   }

   import ietf-crypto-types {
     prefix ct;
     reference
       "RFC AAAA: YANG Data Types and Groupings for Cryptography";
   }

   import ietf-keystore {
     prefix ks;
     reference
       "RFC CCCC: A YANG Data Model for a Keystore";
   }

   organization
     "IETF NETCONF (Network Configuration) Working Group";

   contact
     "WG Web:   https://datatracker.ietf.org/wg/netconf
      WG List:  NETCONF WG list <mailto:netconf@ietf.org>
      Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
      Author:   Gary Wu <mailto:garywu@cisco.com>";

   description
     "This module defines a common features and groupings for
      Secure Shell (SSH).

      Copyright (c) 2023 IETF Trust and the persons identified
      as authors of the code. All rights reserved.
      Redistribution and use in source and binary forms, with
      or without modification, is permitted pursuant to, and
      subject to the license terms contained in, the Revised
      BSD License set forth in Section 4.c of the IETF Trust's
      Legal Provisions Relating to IETF Documents
      (https://trustee.ietf.org/license-info).

      This version of this YANG module is part of RFC EEEE
      (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
      itself for full legal notices.

      The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
      'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
      'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
      are to be interpreted as described in BCP 14 (RFC 2119)
      (RFC 8174) when, and only when, they appear in all
      capitals, as shown here.";

   revision 2023-04-17 {
     description
       "Initial version";
     reference
       "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
   }

   // Features

   feature ssh-x509-certs {
     description
       "X.509v3 certificates are supported for SSH.";
     reference
       "RFC 6187: X.509v3 Certificates for Secure Shell
                  Authentication";
   }

   feature transport-params {
     description
       "SSH transport layer parameters are configurable.";
   }

   feature public-key-generation {
     description
       "Indicates that the server implements the
        'generate-public-key' RPC.";
   }

   // Groupings

   grouping transport-params-grouping {
     description
       "A reusable grouping for SSH transport parameters.";
     reference
       "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
     container host-key {
       description
         "Parameters regarding host key.";
       leaf-list host-key-alg {
         type identityref {
           base sshpka:public-key-alg-base;
         }
         ordered-by user;
         description
           "Acceptable host key algorithms in order of decreasing
            preference.

            If this leaf-list is not configured (has zero elements)
            the acceptable host key algorithms are implementation-
            defined.";
         reference
           "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
       }
     }
     container key-exchange {
       description
         "Parameters regarding key exchange.";
       leaf-list key-exchange-alg {
         type identityref {
           base sshkea:key-exchange-alg-base;
         }
         ordered-by user;
         description
           "Acceptable key exchange algorithms in order of decreasing
            preference.

            If this leaf-list is not configured (has zero elements)
            the acceptable key exchange algorithms are implementation
            defined.";
       }
     }
     container encryption {
       description
         "Parameters regarding encryption.";
       leaf-list encryption-alg {
         type identityref {
           base sshea:encryption-alg-base;
         }
         ordered-by user;
         description
           "Acceptable encryption algorithms in order of decreasing
            preference.

            If this leaf-list is not configured (has zero elements)
            the acceptable encryption algorithms are implementation
            defined.";
       }
     }
     container mac {
       description
         "Parameters regarding message authentication code (MAC).";
       leaf-list mac-alg {
         type identityref {
           base sshma:mac-alg-base;
         }
         ordered-by user;
         description
           "Acceptable MAC algorithms in order of decreasing
            preference.

            If this leaf-list is not configured (has zero elements)
            the acceptable MAC algorithms are implementation-
            defined.";
       }
     }
   }

   // Protocol-accessible Nodes

   rpc generate-public-key {
     if-feature "public-key-generation";
     description
       "Requests the device to generate an public key using
        the specified key algorithm.";
     input {
       leaf algorithm {
         type sshpka:public-key-algorithm-ref;
         mandatory true;
         description
           "The algorithm to be used when generating the key.";
       }
       leaf bits {
         type uint16;
         description
           "Specifies the number of bits in the key to create.
            For RSA keys, the minimum size is 1024 bits and
            the default is 3072 bits. Generally, 3072 bits is
            considered sufficient. DSA keys must be exactly 1024
            bits as specified by FIPS 186-6.  For ECDSA keys, the
            'bits' value determines the key length by selecting
            from one of three elliptic curve sizes: 256, 384 or
            521 bits. Attempting to use bit lengths other than
            these three values for ECDSA keys will fail. ECDSA-SK,
            Ed25519 and Ed25519-SK keys have a fixed length and
            the 'bits' value, if specified, will be ignored.";
         reference
           "FIPS 186-6: Digital Signature Standard (DSS)";
       }
       choice private-key-encoding {
         mandatory true;
         description
           "A choice amongst optional private key handling.";
         case cleartext {
           if-feature "ct:encrypted-private-keys";
           leaf cleartext {
             type empty;
             description
               "Indicates that the private key is to be returned
                as a cleartext value.";
           }
         }
         case encrypt {
           if-feature "ct:encrypted-private-keys";
           container encrypt-with {
             description
                "Indicates that the key is to be encrypted using
                 the specified symmetric or asymmetric key.";
             uses ks:encrypted-by-choice-grouping;
           }
         }
         case hide {
           if-feature "ct:hidden-private-keys";
           leaf hide {
             type empty;
             description
               "Indicates that the private key is to be hidden.

                Unlike the 'cleartext' and 'encrypt' options, the
                key returned is a placeholder for an internally
                stored key.  See the 'Support for Built-in Keys'
                section in RFC CCCC for information about hidden
                keys.";
           }
         }
       }
     }
     output {
       uses ct:asymmetric-key-pair-grouping;
     }
   } // end generate-public-key

 }
	module ietf-ssh-common {
	yang-version 1.1;
	namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
	prefix sshcmn;

	import iana-ssh-encryption-algs {
	prefix sshea;
	reference
	"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
	}

	import iana-ssh-key-exchange-algs {
	prefix sshkea;
	reference
	"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
	}

	import iana-ssh-mac-algs {
	prefix sshma;
	reference
	"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
	}

	import iana-ssh-public-key-algs {
	prefix sshpka;
	reference
	"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
	}

	import ietf-crypto-types {
	prefix ct;
	reference
	"RFC AAAA: YANG Data Types and Groupings for Cryptography";
	}

	import ietf-keystore {
	prefix ks;
	reference
	"RFC CCCC: A YANG Data Model for a Keystore";
	}

	organization
	"IETF NETCONF (Network Configuration) Working Group";

	contact
	"WG Web: https://datatracker.ietf.org/wg/netconf
	WG List: NETCONF WG list <mailto:netconf@ietf.org>
	Author: Kent Watsen <mailto:kent+ietf@watsen.net>
	Author: Gary Wu <mailto:garywu@cisco.com>";

	description
	"This module defines a common features and groupings for
	Secure Shell (SSH).

	Copyright (c) 2023 IETF Trust and the persons identified
	as authors of the code. All rights reserved.
	Redistribution and use in source and binary forms, with
	or without modification, is permitted pursuant to, and
	subject to the license terms contained in, the Revised
	BSD License set forth in Section 4.c of the IETF Trust's
	Legal Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info).

	This version of this YANG module is part of RFC EEEE
	(https://www.rfc-editor.org/info/rfcEEEE); see the RFC
	itself for full legal notices.

	The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
	'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
	'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
	are to be interpreted as described in BCP 14 (RFC 2119)
	(RFC 8174) when, and only when, they appear in all
	capitals, as shown here.";

	revision 2023-04-17 {
	description
	"Initial version";
	reference
	"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
	}

	// Features

	feature ssh-x509-certs {
	description
	"X.509v3 certificates are supported for SSH.";
	reference
	"RFC 6187: X.509v3 Certificates for Secure Shell
	Authentication";
	}

	feature transport-params {
	description
	"SSH transport layer parameters are configurable.";
	}

	feature public-key-generation {
	description
	"Indicates that the server implements the
	'generate-public-key' RPC.";
	}

	// Groupings

	grouping transport-params-grouping {
	description
	"A reusable grouping for SSH transport parameters.";
	reference
	"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
	container host-key {
	description
	"Parameters regarding host key.";
	leaf-list host-key-alg {
	type identityref {
	base sshpka:public-key-alg-base;
	}
	ordered-by user;
	description
	"Acceptable host key algorithms in order of decreasing
	preference.

	If this leaf-list is not configured (has zero elements)
	the acceptable host key algorithms are implementation-
	defined.";
	reference
	"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
	}
	}
	container key-exchange {
	description
	"Parameters regarding key exchange.";
	leaf-list key-exchange-alg {
	type identityref {
	base sshkea:key-exchange-alg-base;
	}
	ordered-by user;
	description
	"Acceptable key exchange algorithms in order of decreasing
	preference.

	If this leaf-list is not configured (has zero elements)
	the acceptable key exchange algorithms are implementation
	defined.";
	}
	}
	container encryption {
	description
	"Parameters regarding encryption.";
	leaf-list encryption-alg {
	type identityref {
	base sshea:encryption-alg-base;
	}
	ordered-by user;
	description
	"Acceptable encryption algorithms in order of decreasing
	preference.

	If this leaf-list is not configured (has zero elements)
	the acceptable encryption algorithms are implementation
	defined.";
	}
	}
	container mac {
	description
	"Parameters regarding message authentication code (MAC).";
	leaf-list mac-alg {
	type identityref {
	base sshma:mac-alg-base;
	}
	ordered-by user;
	description
	"Acceptable MAC algorithms in order of decreasing
	preference.

	If this leaf-list is not configured (has zero elements)
	the acceptable MAC algorithms are implementation-
	defined.";
	}
	}
	}

	// Protocol-accessible Nodes

	rpc generate-public-key {
	if-feature "public-key-generation";
	description
	"Requests the device to generate an public key using
	the specified key algorithm.";
	input {
	leaf algorithm {
	type sshpka:public-key-algorithm-ref;
	mandatory true;
	description
	"The algorithm to be used when generating the key.";
	}
	leaf bits {
	type uint16;
	description
	"Specifies the number of bits in the key to create.
	For RSA keys, the minimum size is 1024 bits and
	the default is 3072 bits. Generally, 3072 bits is
	considered sufficient. DSA keys must be exactly 1024
	bits as specified by FIPS 186-6. For ECDSA keys, the
	'bits' value determines the key length by selecting
	from one of three elliptic curve sizes: 256, 384 or
	521 bits. Attempting to use bit lengths other than
	these three values for ECDSA keys will fail. ECDSA-SK,
	Ed25519 and Ed25519-SK keys have a fixed length and
	the 'bits' value, if specified, will be ignored.";
	reference
	"FIPS 186-6: Digital Signature Standard (DSS)";
	}
	choice private-key-encoding {
	mandatory true;
	description
	"A choice amongst optional private key handling.";
	case cleartext {
	if-feature "ct:encrypted-private-keys";
	leaf cleartext {
	type empty;
	description
	"Indicates that the private key is to be returned
	as a cleartext value.";
	}
	}
	case encrypt {
	if-feature "ct:encrypted-private-keys";
	container encrypt-with {
	description
	"Indicates that the key is to be encrypted using
	the specified symmetric or asymmetric key.";
	uses ks:encrypted-by-choice-grouping;
	}
	}
	case hide {
	if-feature "ct:hidden-private-keys";
	leaf hide {
	type empty;
	description
	"Indicates that the private key is to be hidden.

	Unlike the 'cleartext' and 'encrypt' options, the
	key returned is a placeholder for an internally
	stored key. See the 'Support for Built-in Keys'
	section in RFC CCCC for information about hidden
	keys.";
	}
	}
	}
	}
	output {
	uses ct:asymmetric-key-pair-grouping;
	}
	} // end generate-public-key

	}