// libnetconf2-specific extensions to the IETF NETCONF server model.
//
// The module augments ietf-netconf-server (prefix ncs) at its SSH and TLS
// client-authentication nodes, for both "listen" and "call-home" endpoints,
// with libnetconf2-only authentication options, and derives additional SSH
// algorithm and private-key-format identities from the IANA/ietf-crypto-types
// base identities so that OpenSSH/libssh-specific names can be selected
// wherever those bases are accepted.
module libnetconf2-netconf-server {
    yang-version 1.1;
    namespace "urn:cesnet:libnetconf2-netconf-server";
    prefix np2;

    import ietf-netconf-server {
        prefix ncs;
    }

    import ietf-crypto-types {
        prefix ct;
    }

    import iana-ssh-public-key-algs {
        prefix sshpka;
    }

    import iana-ssh-key-exchange-algs {
        prefix sshkea;
    }

    import iana-ssh-encryption-algs {
        prefix sshea;
    }

    import iana-ssh-mac-algs {
        prefix sshma;
    }

    // NOTE(review): the tlss prefix is not referenced anywhere in this module
    // (the TLS augments below use ncs: paths only), so this import appears to
    // be unused; a YANG compiler may warn about it.
    import ietf-tls-server {
        prefix tlss;
    }

    revision "2024-07-09" {
        description "Second revision.";
    }

    // Identities
    //
    // First the private-key encoding formats (base ct:private-key-format),
    // then SSH public-key, key-exchange, encryption and MAC algorithm
    // identities derived from the corresponding IANA base identities.

    // Kept commented out on purpose: as the description below explains, no
    // ED25519-specific private-key format is standardized; ED25519 keys use
    // one of the two formats defined after this block.
/*
    identity ed25519-private-key-format {
        base ct:private-key-format;
        description
            "This identity would indicate that the
             private key is encoded in a ED25519PrivateKey
             format. However no such format is currently
             standardized or even exists.

             If you wish to use a private key that uses
             an ED25519 algorithm, you need to pick either
             the private-key-info-format or
             openssh-private-key-format identity.";
    }
*/

    // PKCS #8 PrivateKeyInfo ("BEGIN PRIVATE KEY" PEM block).
    identity private-key-info-format {
        base ct:private-key-format;
        description
            "Indicates that the private key is encoded
             as a PrivateKeyInfo structure (from RFC 5208).

             The expected header of the private key:
             -----BEGIN PRIVATE KEY-----
             The expected footer of the private key:
             -----END PRIVATE KEY-----

             Supported private key algorithms to use with
             this format are: RSA, EC and ED25519.

             Commonly used public key format for this
             type of private key is represented by the
             SubjectPublicKeyInfo identity.";

        reference
            "RFC 5208: PKCS #8: Private-Key Information
             Syntax Specification Version 1.2";
    }

    // OpenSSH proprietary key container ("BEGIN OPENSSH PRIVATE KEY" PEM block).
    identity openssh-private-key-format {
        base ct:private-key-format;
        description
            "Indicates that the private key is encoded
             in the OpenSSH format.

             The expected header of the private key:
             -----BEGIN OPENSSH PRIVATE KEY-----
             The expected footer of the private key:
             -----END OPENSSH PRIVATE KEY-----

             Supported private key algorithms to use with
             this format are: RSA, EC and ED25519.

             Commonly used public key format for this
             type of private key is either the
             SSH2 public key format (from RFC 4716)
             or the Public key format defined in RFC 4253,
             Section 6.6.";

        reference
            "The OpenSSH Private Key Format:
             https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

             RFC 4716:
             The Secure Shell (SSH) Public Key File Format

             RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
    }

    // OpenSSH certificate key types (PROTOCOL.certkeys), derived from the
    // IANA public-key algorithm base.
    identity openssh-ssh-ed25519-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "SSH-ED25519-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    identity openssh-ecdsa-sha2-nistp521-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    identity openssh-ecdsa-sha2-nistp384-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    identity openssh-ecdsa-sha2-nistp256-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    identity openssh-rsa-sha2-512-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    identity openssh-rsa-sha2-256-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    // RSA certificate signed with SHA-1 (the original ssh-rsa scheme); the
    // rsa-sha2-* variants above are the SHA-2 replacements.
    identity openssh-ssh-rsa-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "SSH-RSA-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    // NOTE(review): DSA-based certificates are a legacy algorithm that OpenSSH
    // disables by default. Defining the identity only makes it selectable;
    // leave it out of a server's configured algorithm list unless a peer
    // genuinely requires it.
    identity openssh-ssh-dss-cert-v01 {
        base sshpka:public-key-alg-base;
        description
            "SSH-DSS-CERT-V01@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.certkeys:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
    }

    // Key-exchange method from libssh (predecessor of the RFC 8731 name).
    identity libssh-curve25519-sha256 {
        base sshkea:key-exchange-alg-base;
        description
            "CURVE25519-SHA256@LIBSSH.ORG";
        reference
            "curve25519-sha256@libssh.org specification:
             https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
    }

    // OpenSSH AEAD ciphers; these provide integrity themselves, so the
    // negotiated MAC is not used with them.
    identity openssh-chacha20-poly1305 {
        base sshea:encryption-alg-base;
        description
            "CHACHA20-POLY1305@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL.chacha20poly1305:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
    }

    identity openssh-aes256-gcm {
        base sshea:encryption-alg-base;
        description
            "AES256-GCM@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL, Section 1.6:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
    }

    identity openssh-aes128-gcm {
        base sshea:encryption-alg-base;
        description
            "AES128-GCM@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL, Section 1.6:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
    }

    // OpenSSH encrypt-then-MAC ("-etm") variants of the standard HMACs.
    identity openssh-hmac-sha2-256-etm {
        base sshma:mac-alg-base;
        description
            "HMAC-SHA2-256-ETM@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
    }

    identity openssh-hmac-sha2-512-etm {
        base sshma:mac-alg-base;
        description
            "HMAC-SHA2-512-ETM@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
    }

    // NOTE(review): SHA-1 based MAC; prefer the SHA-2 variants above where
    // peers support them.
    identity openssh-hmac-sha1-etm {
        base sshma:mac-alg-base;
        description
            "HMAC-SHA1-ETM@OPENSSH.COM";
        reference
            "OpenSSH PROTOCOL:
             https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
    }

    // Typedefs

    // Accepted values (the pattern matches the whole string): 1-12 months
    // ("m"), 1-4 weeks ("w"), 1-7 days ("d") or 1-24 hours ("h"),
    // e.g. "3m", "2w", "7d", "12h". No leading zeros and no combined units.
    typedef time-period {
        type string {
            pattern '(1[0-2]|[1-9])m|[1-4]w|[1-7]d|(2[0-4]|1[0-9]|[1-9])h';
        }

        description
            "The time-period type allows to specify time in either months, weeks, days, or hours.
             Its purpose is to create time intervals for the certificate expiration notifications.";
    }

    // Groupings

    grouping ssh-authentication-params-grouping {
        description
            "Grouping for SSH authentication parameters.";

        // Upper bound on how long an SSH authentication exchange may take,
        // i.e. how long a session may remain unauthenticated. The meaning of
        // the value 0 is not defined here -- confirm against the
        // implementation before relying on it to disable the timeout.
        leaf auth-timeout {
            type uint16;
            default 30;
            units "seconds";
            description
                "Represents the maximum amount of seconds an authentication can go on for.";
        }
    }

    grouping system-auth-public-keys-grouping {
        description
            "Grouping for using the system configured keys in the SSH public key authentication method.";

        // Presence container added as an extra case of the user's
        // inline-or-truststore public-key choice (see the augments below):
        // when present, the user's public keys come from the system instead
        // of being listed inline or taken from the truststore. Which system
        // source is consulted is defined by the libnetconf2 documentation,
        // not by this module.
        container use-system-keys {
            presence
                "Indicates that the given user will be authenticated using the system's configured public keys.";

            description
                "Authentication is done using the system's mechanisms.";

            reference
                "libnetconf2 documentation:
                 Section SSH";
        }
    }

    grouping keyboard-interactive-grouping {
        description
            "Grouping for the SSH Keyboard interactive authentication method.";

        // Presence container: enables keyboard-interactive for the user it is
        // added to. The only defined method delegates the credential check to
        // the system; what that check consists of is documented in the
        // libnetconf2 documentation, not here.
        container keyboard-interactive {
            presence "Indicates that the given client supports the SSH Keyboard Interactive authentication method.";
            description
                "Keyboard interactive SSH authentication method.";

            reference
                "RFC 4256:
                 Generic Message Exchange Authentication for
                 the Secure Shell Protocol (SSH)";

            // Mandatory choice, so an empty keyboard-interactive container is
            // rejected by validation.
            choice method {
                mandatory true;
                description
                    "Method to perform the authentication with.";

                container use-system-auth {
                    presence
                        "Indicates that the system will handle the authentication.";

                    description
                        "Authentication is done using the system's mechanisms.";

                    reference
                        "libnetconf2 documentation:
                         Section SSH";
                }
            }
        }
    }

    grouping endpoint-reference-grouping {
        description
            "Grouping for the endpoint reference.";

        // NOTE(review): the leafref targets "listen" endpoints only, so a
        // reference placed on a call-home endpoint (see the augments below)
        // can likewise only name a listen endpoint.
        // NOTE(review): the "no cycle" requirement in the description is not
        // expressed as a YANG constraint in this module; it has to be enforced
        // by the implementation or an external validator.
        // A reference widens the set of authentication methods a connecting
        // user is tried against, so the referenced endpoint should be at least
        // as strict as the referencing one.
        leaf endpoint-reference {
            type leafref {
                path "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:name";
            }
            description
                "Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
                 If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
                 using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
                 references another endpoint, the authentication will be tried again. However, this time
                 using the referenced endpoint's mechanisms. The references can be
                 multiple, however there must not be a cycle.";
        }
    }

    // Augments
    //
    // Each grouping is applied to both the "listen" and the "call-home"
    // endpoint trees at the matching ssh-server-parameters path; the endpoint
    // reference is additionally applied under tls-server-parameters.

    // SSH auth-timeout, listen and call-home.
    augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
            "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
        uses ssh-authentication-params-grouping;
    }

    augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
            "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
        uses ssh-authentication-params-grouping;
    }

    // System public keys as an extra case of each user's
    // inline-or-truststore choice, listen and call-home.
    augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters" +
            "/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
        case system-auth-public-keys {
            uses system-auth-public-keys-grouping;
        }
    }

    augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
            "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
        case system-auth-public-keys {
            uses system-auth-public-keys-grouping;
        }
    }

    // Keyboard-interactive per user, listen and call-home.
    augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
            "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
        uses keyboard-interactive-grouping;
    }

    augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
            "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
        uses keyboard-interactive-grouping;
    }

    // Endpoint reference: SSH listen, SSH call-home, TLS listen, TLS call-home.
    augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
            "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
        uses endpoint-reference-grouping;
    }

    augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
            "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
        uses endpoint-reference-grouping;
    }

    augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls" +
            "/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
        uses endpoint-reference-grouping;
    }

    augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
            "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
        uses endpoint-reference-grouping;
    }

    // Protocol-accessible Nodes

    // Top-level configuration container for libnetconf2-only settings. It
    // currently holds only the certificate expiration notification intervals,
    // which exist only when the ietf-crypto-types feature
    // certificate-expiration-notification is enabled.
    container ln2-netconf-server {
        container certificate-expiration-notif-intervals {
            if-feature "ct:certificate-expiration-notification";

            description
                "Container for the certificate expiration notification intervals.
                 Its child nodes describe the ability to set the time intervals for the certificate
                 expiration notifications. These intervals are given in the form of an anchor and a period.
                 By default, these notifications are generated 3, 2, and 1 month; 2 weeks; 7, 6, 5, 4, 3, 2 and 1 day before a certificate expires.
                 Additionally, notifications are generated on the day of expiration and every day thereafter.

                 Simplified example of YANG data that describe the default intervals:

                 Anchor Period
                 3m ... 1m
                 2w ... 1w
                 7d ... 1d
                ";

            // Keyed by both leaves, so the same anchor may appear with
            // several periods.
            list interval {
                key "anchor period";

                leaf anchor {
                    type time-period;

                    description
                        "The time anchor for the notification. The anchor is the time
                         before the certificate expiration when a notification will be sent.
                         It is essentially the lower bound of the given interval.";
                }
                leaf period {
                    type time-period;

                    // Require the period to be smaller than the anchor (only units are checked for simplicity)
                    // NOTE(review): since only the unit letter is compared, a period with the
                    // same unit but a larger count than the anchor (e.g. anchor "1m",
                    // period "12m") passes this check despite the error-message, and
                    // any "h" period always passes. Whether the implementation tolerates
                    // such an entry is not visible in this module.
                    must "(contains(., 'm') and contains(../anchor, 'm')) or
                          (contains(., 'w') and (contains(../anchor, 'm') or contains(../anchor, 'w'))) or
                          (contains(., 'd') and (contains(../anchor, 'm') or contains(../anchor, 'w') or contains(../anchor, 'd'))) or
                          contains(., 'h')" {
                        error-message
                            "Certificate expiration notification period must be smaller than the anchor.";
                    }

                    description
                        "The period of the notification. The period is the time
                         between two notifications within the given time interval.";
                }
            }
        }
    }
}