module libnetconf2-netconf-server {
  yang-version 1.1;
  namespace "urn:cesnet:libnetconf2-netconf-server";
  prefix np2;

  // libnetconf2-specific additions to the IETF NETCONF server model:
  //  - extra private-key formats (PKCS#8 PrivateKeyInfo, OpenSSH),
  //  - OpenSSH/libssh SSH algorithm identities that are not in the IANA modules,
  //  - SSH authentication limits (attempts / timeout) for listen and call-home endpoints,
  //  - PAM-backed keyboard-interactive authentication per user (listen endpoints only),
  //  - a UNIX-domain-socket transport,
  //  - cross-endpoint reuse of client-authentication data (SSH and TLS),
  //  - CRL configuration for TLS client authentication.

  import ietf-netconf-server {
    prefix ncs;
  }

  import ietf-crypto-types {
    prefix ct;
  }

  import iana-ssh-public-key-algs {
    prefix sshpka;
  }

  import iana-ssh-key-exchange-algs {
    prefix sshkea;
  }

  import iana-ssh-encryption-algs {
    prefix sshea;
  }

  import iana-ssh-mac-algs {
    prefix sshma;
  }

  // NOTE(review): the "tlss" prefix is not referenced anywhere in this module
  // (the TLS augments below address ncs: nodes only); some YANG linters warn
  // about an unused import.
  import ietf-tls-server {
    prefix tlss;
  }

  // Intentionally disabled: there is no standardized ED25519-specific
  // private-key encoding. ED25519 keys are carried by one of the two
  // generic formats defined below.
  /*
  identity ed25519-private-key-format {
    base ct:private-key-format;
    description
      "This identity would indicate that the
       private key is encoded in an ED25519PrivateKey
       format. However no such format is currently
       standardized or even exists.

       If you wish to use a private key that uses
       an ED25519 algorithm, you need to pick either
       the private-key-info-format or
       openssh-private-key-format identity.";
  }
  */

  // PKCS#8 PrivateKeyInfo. The "BEGIN PRIVATE KEY" header given below is the
  // UNENCRYPTED PKCS#8 form; whether an encrypted key
  // (EncryptedPrivateKeyInfo, "BEGIN ENCRYPTED PRIVATE KEY") is also accepted
  // is not specified by this model -- confirm against the implementation
  // before relying on passphrase protection of keys at rest.
  identity private-key-info-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       as a PrivateKeyInfo structure (from RFC 5208).

       The expected header of the private key:
       -----BEGIN PRIVATE KEY-----
       The expected footer of the private key:
       -----END PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is represented by the
       SubjectPublicKeyInfo identity.";

    reference
      "RFC 5208: PKCS #8: Private-Key Information
       Syntax Specification Version 1.2";
  }

  // OpenSSH native key format (openssh-key-v1). The format itself supports
  // passphrase-protected keys (bcrypt KDF); whether such keys are accepted
  // here is not specified by this model -- TODO confirm.
  identity openssh-private-key-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       in the OpenSSH format.

       The expected header of the private key:
       -----BEGIN OPENSSH PRIVATE KEY-----
       The expected footer of the private key:
       -----END OPENSSH PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is either the
       SSH2 public key format (from RFC 4716)
       or the Public key format defined in RFC 4253,
       Section 6.6.";

    reference
      "The OpenSSH Private Key Format:
       https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

       RFC 4716:
       The Secure Shell (SSH) Public Key File Format

       RFC 4253:
       The Secure Shell (SSH) Transport Layer Protocol";
  }

  // OpenSSH certificate public-key algorithms (*-cert-v01@openssh.com).
  // These are vendor names absent from iana-ssh-public-key-algs, hence
  // defined here with the same base identity so they can be used wherever
  // an IANA public-key algorithm is expected.
  identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-ED25519-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Security note: ssh-rsa-cert-v01 signs with SHA-1. OpenSSH disables
  // SHA-1 RSA signatures by default since 8.8 (2021); prefer the
  // rsa-sha2-256/512 certificate variants above and enable this one only
  // for legacy interoperability.
  identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-RSA-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Security note: ssh-dss is DSA with a fixed 1024-bit key and SHA-1;
  // OpenSSH disables it by default since 7.0 (2015). Defined for
  // completeness only -- do not enable on hardened deployments.
  identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-DSS-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Pre-standard name for the X25519 key exchange; the algorithm is the
  // same as the IANA-registered curve25519-sha256 (RFC 8731). Listing it
  // allows negotiation with peers that only offer the @libssh.org alias.
  identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
      "CURVE25519-SHA256@LIBSSH.ORG";
    reference
      "curve25519-sha256@libssh.org specification:
       https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
  }

  // AEAD ciphers. Per the referenced OpenSSH PROTOCOL documents the
  // separately negotiated MAC algorithm is not used when one of these
  // ciphers is selected, so the MAC list below does not weaken them.
  identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
      "CHACHA20-POLY1305@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.chacha20poly1305:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
  }

  identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
      "AES256-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
      "AES128-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Encrypt-then-MAC (ETM) variants: the MAC covers the encrypted packet,
  // which avoids the plaintext-length handling issues of the RFC 4253
  // MAC-then-encrypt construction.
  identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-256-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-512-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // SHA-1 based MAC. HMAC-SHA1 is not broken by SHA-1 collision attacks,
  // but most hardening baselines drop it; prefer the SHA-2 ETM variants.
  identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA1-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Brute-force limits for SSH client authentication on listen endpoints.
  // Both leaves are uint16 without a range restriction, so 0 is a valid
  // value; its meaning (reject immediately? unlimited?) is not defined by
  // this model -- TODO confirm against the implementation.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    leaf auth-attempts {
      type uint16;
      default 3;
      description
        "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
    }

    leaf auth-timeout {
      type uint16;
      default 10;
      units "seconds";
      description
        "Represents the maximum amount of seconds an authentication can go on for.";
    }
  }

  // CH auth-attempts and auth-timeout
  // NOTE(review): same leaves and defaults as in the listen augment above but
  // without description statements; the semantics are presumably identical --
  // consider adding matching descriptions so the two stay in sync.
  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    leaf auth-attempts {
      type uint16;
      default 3;
    }

    leaf auth-timeout {
      type uint16;
      default 10;
      units "seconds";
    }
  }

  // Per-user PAM-backed keyboard-interactive authentication (listen
  // endpoints only; this module defines no call-home counterpart).
  // pam-config-file-name is an unconstrained string. If the implementation
  // hands it to PAM as the service name / file name, a value containing
  // path separators (e.g. "../other") could select an unintended PAM
  // configuration; the schema cannot enforce this without a pattern, so
  // confirm the C side validates it. pam-config-file-dir is optional; the
  // default location used when it is absent is not specified here.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    container keyboard-interactive {
      presence "";
      leaf pam-config-file-name {
        type string;
        mandatory true;
      }
      leaf pam-config-file-dir {
        type string;
      }
    }
  }

  // UNIX-domain-socket transport. No client-authentication is defined for
  // this case; access control appears to rely only on the socket's
  // path/mode/uid/gid (whether peer credentials are checked is not
  // expressed here -- confirm).
  // NOTE(review): uid/gid are uint16, but uid_t/gid_t are 32-bit on Linux;
  // owners with IDs above 65535 (common with directory-service ID mapping)
  // cannot be configured -- consider uint32. "mode" is presumably the
  // permission bits; uint16 accepts values above 07777 and the model gives
  // no range or octal hint.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
    case unix-socket {
      container unix-socket {
        leaf path {
          type string;
          mandatory true;
        }
        leaf mode {
          type uint16;
        }
        leaf uid {
          type uint16;
        }
        leaf gid {
          type uint16;
        }
      }
    }
  }

  // Reuse of another listen endpoint's SSH client-authentication data.
  // Security-relevant: this merges the trust domains of the two endpoints
  // (a user valid on the referenced endpoint becomes valid here).
  // The "must" only checks that the referenced endpoint uses the SSH
  // transport; the no-cycle rule stated in the description is NOT
  // expressed in the schema (a self-reference is a 1-cycle and passes the
  // must), so the implementation has to detect cycles itself.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    description
      "Reference to another SSH endpoint's client-authentication container.
       All the users set in the referencing endpoint will be tried first and if and only if
       there is no match, the referenced endpoint's users will be tried. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }

      must "deref(.)/../*[local-name() = 'ssh']";
    }
  }

  // TLS counterpart of the SSH reference above; the same caveats apply
  // (merged trust domains, cycles and self-reference not rejected by the
  // schema -- the must only verifies the referenced endpoint is TLS).
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    description
      "Reference to another TLS endpoint's client-authentication container.
       All the users set in the referencing endpoint will be tried first and if and only if
       there is no match, the referenced endpoint's users will be tried. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }

      must "deref(.)/../*[local-name() = 'tls']";
    }
  }

  // CRL-based revocation checking for TLS client certificates. The choice
  // has no default case, so revocation checking is off unless exactly one
  // of the three leaves is configured.
  // Security notes:
  //  - A CRL is protected by the issuer's signature (RFC 5280), not by the
  //    transport it is fetched over; HTTP or FTP retrieval via crl-url or
  //    a CDP is acceptable only if the implementation verifies the CRL
  //    signature against the configured CA -- confirm.
  //  - This model does not say what happens when a CRL cannot be fetched,
  //    fails verification or is past nextUpdate. For a client-auth control
  //    the safe behaviour is fail-closed (reject the client); confirm the
  //    implementation does not silently fall back to "no revocation data".
  //  - crl-cert-ext triggers network fetches for every configured CA
  //    certificate at runtime; availability of those CDP hosts becomes an
  //    authentication dependency.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    description
      "Indicates that the TLS server is using a Certificate Revocation List
       to authenticate clients or to deny access for certain certificates.
       The given Certificate Revocation List must be PEM or DER encoded.";

    reference
      "RFC 5280:
       Internet X.509 Public Key Infrastructure Certificate
       and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
      leaf crl-url {
        type string;
        description
          "An URL from which the Certificate Revocation List will be
           downloaded and used. The HTTP protocol works, but other
           protocols, such as FTP, may work as well.";
      }

      leaf crl-path {
        type string;
        description
          "A path to a Certificate Revocation List file.";
      }

      // Uses the CRL Distribution Points extension of each configured CA
      // certificate as the fetch location.
      leaf crl-cert-ext {
        type empty;
        description
          "Indicates that the Certificate Revocation List
           Distribution Points extension will be used to fetch
           Certificate Revocation Lists from. This will be done
           for all the configured Certificate Authority certificates.";

        reference
          "RFC 5280:
           Internet X.509 Public Key Infrastructure Certificate
           and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
      }
    }
  }
}