session UPDATE use current draft YANG modules
diff --git a/modules/ietf-ssh-server@2023-12-28.yang b/modules/ietf-ssh-server@2023-12-28.yang
new file mode 100644
index 0000000..ecbb47a
--- /dev/null
+++ b/modules/ietf-ssh-server@2023-12-28.yang
@@ -0,0 +1,425 @@
+module ietf-ssh-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
+ prefix sshs;
+
+ import iana-crypt-hash {
+ prefix ianach;
+ reference
+ "RFC 7317: A YANG Data Model for System Management";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import ietf-ssh-common {
+ prefix sshcmn;
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines a reusable grouping for SSH servers that
+ can be used as a basis for specific SSH server instances.
+
+ Copyright (c) 2023 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2023-12-28 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Features
+
+ feature ssh-server-keepalives {
+ description
+ "Per socket SSH keepalive parameters are configurable for
+ SSH servers on the server implementing this feature.";
+ }
+
+ feature local-users-supported {
+ description
+ "Indicates that the configuration for users can be
+ configured herein, as opposed to in an application
+ specific location.";
+ }
+
+ feature local-user-auth-publickey {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'publickey' authentication type,
+ per RFC 4252, is supported for locally-defined users.
+ The 'publickey' authentication type is required by
+ RFC 4252, but common implementations allow it to
+ be disabled.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ feature local-user-auth-password {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'password' authentication type,
+ per RFC 4252, is supported for locally-defined users.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ feature local-user-auth-hostbased {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'hostbased' authentication type,
+ per RFC 4252, is supported for locally-defined users.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ feature local-user-auth-none {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'none' authentication type, per
+ RFC 4252, is supported. It is NOT RECOMMENDED to
+ enable this feature.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ // Groupings
+
+ grouping ssh-server-grouping {
+ description
+ "A reusable grouping for configuring a SSH server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendant
+ node names such that a nesting of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'ssh-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "The list of host keys the SSH server will present when
+ establishing a SSH connection.";
+ list host-key {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "An ordered list of host keys (see RFC 4251) the SSH
+ server will use to construct its ordered list of
+ algorithms, when sending its SSH_MSG_KEXINIT message,
+ as defined in Section 7.1 of RFC 4253.";
+ reference
+ "RFC 4251: The Secure Shell (SSH) Protocol Architecture
+ RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this host key";
+ }
+ choice host-key-type {
+ mandatory true;
+ description
+ "The type of host key being specified";
+ container public-key {
+ description
+ "A locally-defined or referenced asymmetric key pair
+ to be used for the SSH server's host key.";
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ uses ks:inline-or-keystore-asymmetric-key-grouping {
+ refine "inline-or-keystore/inline/inline-definition" {
+ must 'not(public-key-format) or derived-from-or-self'
+ + '(public-key-format, "ct:ssh-public-key-format")';
+
+ }
+ refine "inline-or-keystore/central-keystore/"
+ + "central-keystore-reference" {
+ must 'not(deref(.)/../ks:public-key-format) or '
+ + 'derived-from-or-self(deref(.)/../ks:public-'
+ + 'key-format, "ct:ssh-public-key-format")';
+ }
+ }
+ }
+ container certificate {
+ if-feature "sshcmn:ssh-x509-certs";
+ description
+ "A locally-defined or referenced end-entity
+ certificate to be used for the SSH server's
+ host key.";
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ uses
+ ks:inline-or-keystore-end-entity-cert-with-key-grouping{
+ refine "inline-or-keystore/inline/inline-definition" {
+ must 'not(public-key-format) or derived-from-or-self'
+ + '(public-key-format, "ct:subject-public-key-'
+ + 'info-format")';
+ }
+ refine "inline-or-keystore/central-keystore/"
+ + "central-keystore-reference/asymmetric-key" {
+ must 'not(deref(.)/../ks:public-key-format) or '
+ + 'derived-from-or-self(deref(.)/../ks:public-key'
+ + '-format, "ct:subject-public-key-info-format")';
+ }
+ }
+ }
+ }
+ }
+ } // container server-identity
+
+ container client-authentication {
+ nacm:default-deny-write;
+ description
+ "Specifies how the SSH server can be configured to
+ authenticate SSH clients. See RFC 4252 for a general
+ discussion about SSH authentication.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Transport Layer";
+ container users {
+ if-feature "local-users-supported";
+ description
+ "A list of locally configured users.";
+ list user {
+ key "name";
+ description
+ "A locally configured user.
+
+ The server SHOULD derive the list of authentication
+ 'method names' returned to the SSH client from the
+ descendant nodes configured herein, per Sections
+ 5.1 and 5.2 in RFC 4252.
+
+ The authentication methods are unordered. Clients
+ must authenticate to all configured methods.
+ Whenever a choice amongst methods arises,
+ implementations SHOULD use a default ordering
+ that prioritizes automation over human-interaction.";
+ leaf name {
+ type string;
+ description
+ "The 'user name' for the SSH client, as defined in
+ the SSH_MSG_USERAUTH_REQUEST message in RFC 4253.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ }
+ container public-keys {
+ if-feature "local-user-auth-publickey";
+ presence
+ "Indicates that public keys have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be
+ configured.";
+ description
+ "A set of SSH public keys may be used by the SSH
+ server to authenticate this user. A user is
+ authenticated if its public key is an exact
+ match to a configured public key.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:inline-or-truststore-public-keys-grouping {
+ refine "inline-or-truststore/inline/inline-definition/"
+ + "public-key" {
+ must 'derived-from-or-self(public-key-format,'
+ + ' "ct:ssh-public-key-format")';
+ }
+ refine "inline-or-truststore/central-truststore/"
+ + "central-truststore-reference" {
+ must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ + 'format[not(derived-from-or-self(., "ct:ssh-'
+ + 'public-key-format"))])';
+ }
+ }
+ }
+ leaf password {
+ if-feature "local-user-auth-password";
+ type ianach:crypt-hash;
+ description
+ "The password for this user.";
+ }
+ container hostbased {
+ if-feature "local-user-auth-hostbased";
+ presence
+ "Indicates that hostbased [RFC4252] keys have been
+ configured. This statement is present so the
+ mandatory descendant nodes do not imply that this
+ node must be configured.";
+ description
+ "A set of SSH host keys used by the SSH server to
+ authenticate this user's host. A user's host is
+ authenticated if its host key is an exact match
+ to a configured host key.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Transport Layer
+ RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:inline-or-truststore-public-keys-grouping {
+ refine "inline-or-truststore/inline/inline-definition/"
+ + "public-key" {
+ must 'derived-from-or-self(public-key-format,'
+ + ' "ct:ssh-public-key-format")';
+ }
+ refine "inline-or-truststore/central-truststore/"
+ + "central-truststore-reference" {
+ must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ + 'format[not(derived-from-or-self(., "ct:ssh-'
+ + 'public-key-format"))])';
+ }
+ }
+ }
+ leaf none {
+ if-feature "local-user-auth-none";
+ type empty;
+ description
+ "Indicates that the 'none' method is configured
+ for this user.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ }
+ } // users
+ container ca-certs {
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that CA certificates have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply this node must be configured.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the SSH server to authenticate SSH client certificates.
+ A client certificate is authenticated if it has a valid
+ chain of trust to a configured CA certificate.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:inline-or-truststore-certs-grouping;
+ }
+ container ee-certs {
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that EE certificates have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply this node must be configured.";
+ description
+ "A set of client certificates (i.e., end entity
+ certificates) used by the SSH server to authenticate
+ the certificates presented by SSH clients. A client
+ certificate is authenticated if it is an exact match
+ to a configured end-entity certificate.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:inline-or-truststore-certs-grouping;
+ }
+ } // container client-authentication
+
+ container transport-params {
+ nacm:default-deny-write;
+ if-feature "sshcmn:transport-params";
+ description
+ "Configurable parameters of the SSH transport layer.";
+ uses sshcmn:transport-params-grouping;
+ } // container transport-params
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "ssh-server-keepalives";
+ presence
+ "Indicates that the SSH server proactively tests the
+ aliveness of the remote SSH client.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the SSH client. An unresponsive SSH
+ client is dropped after approximately max-wait *
+ max-attempts seconds. Per Section 4 of RFC 4254,
+ the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST
+ message with a purposely nonexistent 'request name'
+ value (e.g., keepalive@ietf.org) and the 'want reply'
+ value set to '1'.";
+ reference
+ "RFC 4254: The Secure Shell (SSH) Connection Protocol";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which
+ if no data has been received from the SSH client,
+ a SSH-level message will be sent to test the
+ aliveness of the SSH client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the SSH client before assuming the SSH client is
+ no longer alive.";
+ }
+ }
+ } // grouping ssh-server-grouping
+
+}