/*
 * libnetconf2 extensions of ietf-netconf-server: two additional private-key
 * formats, vendor-suffixed (@openssh.com, @libssh.org) SSH algorithm
 * identities, per-endpoint SSH authentication limits, PAM keyboard-interactive
 * authentication, a UNIX socket transport, cross-endpoint client-authentication
 * references and TLS certificate revocation list (CRL) settings.
 *
 * The auth-attempts/auth-timeout, keyboard-interactive and CRL augments each
 * exist twice with identical leaves: once for listen endpoints and once for
 * Call Home ("CH") endpoints. The UNIX socket transport and the
 * endpoint-client-auth references exist for listen endpoints only.
 */
module libnetconf2-netconf-server {
  yang-version 1.1;
  namespace "urn:cesnet:libnetconf2-netconf-server";
  prefix np2;

  // Base server model that every augment below targets.
  import ietf-netconf-server {
    prefix ncs;
  }

  // Provides ct:private-key-format, the base of the key-format identities.
  import ietf-crypto-types {
    prefix ct;
  }

  // IANA algorithm modules whose *-alg-base identities are extended below.
  import iana-ssh-public-key-algs {
    prefix sshpka;
  }

  import iana-ssh-key-exchange-algs {
    prefix sshkea;
  }

  import iana-ssh-encryption-algs {
    prefix sshea;
  }

  import iana-ssh-mac-algs {
    prefix sshma;
  }

  // NOTE(review): the tlss prefix is not referenced anywhere in this module;
  // common YANG tooling reports an unused import as a warning. Either use the
  // prefix or drop the import.
  import ietf-tls-server {
    prefix tlss;
  }

  revision "2023-09-07" {
    description "Initial revision.";
  }

  /*
  identity ed25519-private-key-format {
    base ct:private-key-format;
    description
      "This identity would indicate that the
       private key is encoded in an ED25519PrivateKey
       format. However, no such format is currently
       standardized or even exists.

       If you wish to use a private key that uses
       an ED25519 algorithm, you need to pick either
       the private-key-info-format or
       openssh-private-key-format identity.";
  }
  */

  // Unencrypted PKCS #8 PrivateKeyInfo ("BEGIN PRIVATE KEY").
  // NOTE(review): the header quoted in the description is the unencrypted
  // form; an encrypted PKCS #8 key ("BEGIN ENCRYPTED PRIVATE KEY") does not
  // match it. Confirm that such keys are rejected with a clear error rather
  // than mis-parsed, or handled by another format identity.
  identity private-key-info-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       as a PrivateKeyInfo structure (from RFC 5208).

       The expected header of the private key:
       -----BEGIN PRIVATE KEY-----
       The expected footer of the private key:
       -----END PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is represented by the
       SubjectPublicKeyInfo identity.";

    reference
      "RFC 5208: PKCS #8: Private-Key Information
       Syntax Specification Version 1.2";
  }

  // OpenSSH's own private key container ("BEGIN OPENSSH PRIVATE KEY").
  // NOTE(review): this container can hold a passphrase-protected key; whether
  // passphrase-protected keys are accepted, and how the passphrase is supplied,
  // is not stated here — confirm against the implementation.
  identity openssh-private-key-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       in the OpenSSH format.

       The expected header of the private key:
       -----BEGIN OPENSSH PRIVATE KEY-----
       The expected footer of the private key:
       -----END OPENSSH PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is either the
       SSH2 public key format (from RFC 4716)
       or the Public key format defined in RFC 4253,
       Section 6.6.";

    reference
      "The OpenSSH Private Key Format:
       https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

       RFC 4716:
       The Secure Shell (SSH) Public Key File Format

       RFC 4253:
       The Secure Shell (SSH) Transport Layer Protocol";
  }

  // OpenSSH certificate key types (*-cert-v01@openssh.com). They derive from
  // sshpka:public-key-alg-base so they can be listed wherever the base model
  // accepts a public key algorithm; defining an identity makes the algorithm
  // configurable, it says nothing about whether it is enabled by default.
  identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-ED25519-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Legacy: ssh-rsa certificates are signed with SHA-1; prefer the
  // rsa-sha2-* certificate types above where peers support them.
  identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-RSA-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Legacy: ssh-dss (DSA) is disabled by default in OpenSSH since release 7.0.
  // The identity only makes it configurable; whether libnetconf2 enables it by
  // default cannot be seen from this schema — confirm it is off unless asked for.
  identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-DSS-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // libssh's original name for the curve25519 key exchange, kept for peers
  // that do not offer the IANA-registered curve25519-sha256 name.
  identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
      "CURVE25519-SHA256@LIBSSH.ORG";
    reference
      "curve25519-sha256@libssh.org specification:
       https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
  }

  // AEAD ciphers. Per the referenced OpenSSH PROTOCOL text, an AEAD cipher
  // provides integrity itself, so the negotiated MAC algorithm is not used when
  // one of these is selected.
  identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
      "CHACHA20-POLY1305@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.chacha20poly1305:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
  }

  identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
      "AES256-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
      "AES128-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Encrypt-then-MAC ("-etm") variants of the IANA HMAC algorithms.
  identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-256-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-512-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Weakest MAC defined here (HMAC is not broken by SHA-1 collisions, but
  // SHA-2 variants are the preferred choice where peers allow).
  identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA1-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Limits on the SSH client-authentication phase of a listening endpoint:
  // how many failed attempts are tolerated and how long the phase may last.
  // Both bound the resources an unauthenticated peer can consume.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    // NOTE(review): 0 is a valid uint16 value; whether it means "no attempts
    // allowed" or is rejected by the implementation is not stated — confirm.
    leaf auth-attempts {
      type uint16;
      default 3;
      description
        "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
    }

    // NOTE(review): 0 is representable here too; if the implementation treats
    // it as "no timeout" the protection is silently removed — confirm and
    // document, or add a range that excludes 0.
    leaf auth-timeout {
      type uint16;
      default 10;
      units "seconds";
      description
        "Represents the maximum amount of seconds an authentication can go on for.";
    }
  }

  // Call Home (CH) counterpart of auth-attempts and auth-timeout above; the
  // leaves are identical and must be kept in sync with the listen variant.
  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/
           ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    leaf auth-attempts {
      type uint16;
      default 3;
      description
        "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
    }

    leaf auth-timeout {
      type uint16;
      default 10;
      units "seconds";
      description
        "Represents the maximum amount of seconds an authentication can go on for.";
    }
  }

  // PAM-backed keyboard-interactive authentication for a user of a listening
  // SSH endpoint. The container is a presence container: its mere existence
  // enables the method for that user.
  // NOTE(review): the presence argument is an empty string, which tells an
  // operator nothing; a short text such as "Enables keyboard-interactive
  // authentication via PAM for this user." would be more useful.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/
           ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    container keyboard-interactive {
      presence "";
      // NOTE(review): neither leaf has a description or a pattern. From the
      // names they appear to select the PAM service configuration file and the
      // directory it is looked up in, but the schema does not say whether a
      // bare file name is required or a path is accepted, nor what happens when
      // pam-config-file-dir is absent — confirm against the implementation and
      // document it here.
      leaf pam-config-file-name {
        type string;
        mandatory true;
      }
      leaf pam-config-file-dir {
        type string;
      }
      description
        "Keyboard interactive SSH authentication method.";
    }
  }

  // Call Home (CH) counterpart of the keyboard-interactive container above;
  // identical content, keep in sync with the listen variant.
  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/
           ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    container keyboard-interactive {
      presence "";
      leaf pam-config-file-name {
        type string;
        mandatory true;
      }
      leaf pam-config-file-dir {
        type string;
      }
      description
        "Keyboard interactive SSH authentication method.";
    }
  }

  // UNIX domain socket transport case for listen endpoints, alongside the
  // ssh/tls transports referenced elsewhere in this module (no Call Home
  // counterpart). Only "path" is mandatory; none of the leaves is described.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
    description
      "Defines a new transport called UNIX socket.";
    case unix-socket {
      container unix-socket {
        // Filesystem path the socket is bound to; no pattern constrains it.
        leaf path {
          type string;
          mandatory true;
        }
        // Permission bits of the socket file as three octal digits.
        // NOTE(review): the pattern admits the digits 0,1,2,4,5,6,7 but not 3
        // (write+execute without read) — confirm the exclusion is intended
        // rather than a typo for [0-7]. Behaviour when the leaf is absent
        // (process umask?) is not stated.
        leaf mode {
          type string {
            pattern '[0124567]{3}';
          }
        }
        // Presumably the owner of the socket file; undocumented.
        // NOTE(review): uint16 caps both values at 65535 while uid_t/gid_t are
        // 32-bit on common Linux systems; widening to uint32 would stay
        // backward compatible for existing configurations — confirm the cap is
        // acceptable.
        leaf uid {
          type uint16;
        }
        leaf gid {
          type uint16;
        }
      }
    }
  }

  // Fallback chain across listening SSH endpoints: this endpoint's users are
  // tried first, then those of the referenced endpoint. The leafref only
  // guarantees that the target listen endpoint exists (Call Home endpoints
  // cannot be referenced) and the must-statement that it uses the ssh
  // transport.
  // NOTE(review): the "no cycle" rule in the description (and the implied
  // "not this endpoint itself") is not expressed as a YANG constraint, so the
  // implementation has to reject cycles and self-references when the
  // configuration is applied — confirm that it does.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    description
      "Reference to another SSH endpoint's client-authentication container.
       All the users set in the referencing endpoint will be tried first and if and only if
       there is no match, the referenced endpoint's users will be tried. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }

      // The referenced endpoint must carry an "ssh" transport node.
      must "deref(.)/../*[local-name() = 'ssh']";
    }
  }

  // TLS twin of the SSH endpoint-client-auth reference above; same caveats
  // (listen endpoints only, no cycle/self-reference constraint in the schema).
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    description
      "Reference to another TLS endpoint's client-authentication container.
       All the users set in the referencing endpoint will be tried first and if and only if
       there is no match, the referenced endpoint's users will be tried. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }

      // The referenced endpoint must carry a "tls" transport node.
      must "deref(.)/../*[local-name() = 'tls']";
    }
  }

  // Certificate revocation for TLS client certificates on listening endpoints.
  // NOTE(review): the choice is not mandatory, so omitting it disables
  // revocation checking entirely; that should be a conscious decision.
  // NOTE(review): a CRL fetched via crl-url or via the CRL Distribution Points
  // extension arrives over an unauthenticated transport; that is acceptable
  // only if the implementation verifies the CRL's signature against the
  // configured CA certificates (RFC 5280) — not visible from the schema,
  // confirm. No refresh interval is configurable, so how an expired CRL
  // (nextUpdate in the past) is handled is also unspecified.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    description
      "Indicates that the TLS server is using a Certificate Revocation List
       to authenticate clients or to deny access for certain certificates.
       The given Certificate Revocation List must be PEM or DER encoded.";

    reference
      "RFC 5280:
       Internet X.509 Public Key Infrastructure Certificate
       and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
      // No pattern constrains the URL scheme; which schemes actually work is an
      // implementation matter (see description).
      leaf crl-url {
        type string;
        description
          "An URL from which the Certificate Revocation List will be
           downloaded and used. The HTTP protocol works, but other
           protocols, such as FTP, may work as well.";
      }

      leaf crl-path {
        type string;
        description
          "A path to a Certificate Revocation List file.";
      }

      // Distribution points are taken from the configured CA certificates, not
      // from the presented client certificate (see description).
      leaf crl-cert-ext {
        type empty;
        description
          "Indicates that the Certificate Revocation List
           Distribution Points extension will be used to fetch
           Certificate Revocation Lists from. This will be done
           for all the configured Certificate Authority certificates.";

        reference
          "RFC 5280:
           Internet X.509 Public Key Infrastructure Certificate
           and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
      }
    }
  }

  // Call Home (CH) counterpart of the CRL configuration above; identical
  // content and the same caveats, keep in sync with the listen variant.
  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/
           ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    description
      "Indicates that the Call Home TLS server is using a Certificate Revocation List
       to authenticate clients or to deny access for certain certificates.
       The given Certificate Revocation List must be PEM or DER encoded.";

    reference
      "RFC 5280:
       Internet X.509 Public Key Infrastructure Certificate
       and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
      leaf crl-url {
        type string;
        description
          "An URL from which the Certificate Revocation List will be
           downloaded and used. The HTTP protocol works, but other
           protocols, such as FTP, may work as well.";
      }

      leaf crl-path {
        type string;
        description
          "A path to a Certificate Revocation List file.";
      }

      leaf crl-cert-ext {
        type empty;
        description
          "Indicates that the Certificate Revocation List
           Distribution Points extension will be used to fetch
           Certificate Revocation Lists from. This will be done
           for all the configured Certificate Authority certificates.";

        reference
          "RFC 5280:
           Internet X.509 Public Key Infrastructure Certificate
           and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
      }
    }
  }
} // module libnetconf2-netconf-server