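module libnetconf2-netconf-server {
  yang-version 1.1;
  namespace "urn:cesnet:libnetconf2-netconf-server";
  prefix np2;

  import ietf-netconf-server {
    prefix ncs;
  }

  import ietf-crypto-types {
    prefix ct;
  }

  import iana-ssh-public-key-algs {
    prefix sshpka;
  }

  import iana-ssh-key-exchange-algs {
    prefix sshkea;
  }

  import iana-ssh-encryption-algs {
    prefix sshea;
  }

  import iana-ssh-mac-algs {
    prefix sshma;
  }

  // NOTE(review): the "tlss" prefix is not referenced anywhere in this module.
  import ietf-tls-server {
    prefix tlss;
  }

  description
    "libnetconf2-specific extensions of ietf-netconf-server:
     additional private-key formats, OpenSSH/libssh SSH algorithm
     identities, SSH authentication limits, the keyboard-interactive
     method, authentication delegation to another endpoint, CRL
     configuration for TLS client authentication, NETCONF hello/idle
     timeouts and a UNIX socket transport.";

  revision "2023-09-07" {
    description "Initial revision.";
  }

  /*
  identity ed25519-private-key-format {
    base ct:private-key-format;
    description
      "This identity would indicate that the
       private key is encoded in a ED25519PrivateKey
       format. However no such format is currently
       standardized or even exists.

       If you wish to use a private key that uses
       an ED25519 algorithm, you need to pick either
       the private-key-info-format or
       openssh-private-key-format identity.";
  }
  */

  identity private-key-info-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       as a PrivateKeyInfo structure (from RFC 5208),
       i.e. an unencrypted PKCS #8 key.

       The expected header of the private key:
       -----BEGIN PRIVATE KEY-----
       The expected footer of the private key:
       -----END PRIVATE KEY-----

       A key with the header
       -----BEGIN ENCRYPTED PRIVATE KEY-----
       is an EncryptedPrivateKeyInfo structure, which is a
       different encoding and is not described by this identity.

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is represented by the
       SubjectPublicKeyInfo identity.";

    reference
      "RFC 5208: PKCS #8: Private-Key Information
       Syntax Specification Version 1.2";
  }

  identity openssh-private-key-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       in the OpenSSH format.

       The expected header of the private key:
       -----BEGIN OPENSSH PRIVATE KEY-----
       The expected footer of the private key:
       -----END OPENSSH PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is either the
       SSH2 public key format (from RFC 4716)
       or the Public key format defined in RFC 4253,
       Section 6.6.";

    reference
      "The OpenSSH Private Key Format:
       https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

       RFC 4716:
       The Secure Shell (SSH) Public Key File Format

       RFC 4253:
       The Secure Shell (SSH) Transport Layer Protocol";
  }

  identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-ED25519-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an Ed25519 key.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an ECDSA key on the NIST P-521 curve.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an ECDSA key on the NIST P-384 curve.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an ECDSA key on the NIST P-256 curve.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-512-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an RSA key, signatures made
       with RSA/SHA-512.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-256-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an RSA key, signatures made
       with RSA/SHA-256.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-RSA-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying an RSA key, signatures made
       with the legacy ssh-rsa (RSA/SHA-1) scheme. Prefer the
       rsa-sha2-256 or rsa-sha2-512 certificate variants where
       the peers support them.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-DSS-CERT-V01@OPENSSH.COM

       OpenSSH certificate carrying a DSA key. ssh-dss is a legacy,
       SHA-1 based algorithm that current OpenSSH releases disable
       by default; enable it only for compatibility with peers that
       offer nothing stronger.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
      "CURVE25519-SHA256@LIBSSH.ORG

       Curve25519 ECDH key exchange with SHA-256, the pre-standard
       name of the method later published as curve25519-sha256.";
    reference
      "curve25519-sha256@libssh.org specification:
       https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
  }

  identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
      "CHACHA20-POLY1305@OPENSSH.COM

       AEAD cipher; no separate MAC algorithm is used when it is negotiated.";
    reference
      "OpenSSH PROTOCOL.chacha20poly1305:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
  }

  identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
      "AES256-GCM@OPENSSH.COM

       AEAD cipher; no separate MAC algorithm is used when it is negotiated.";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
      "AES128-GCM@OPENSSH.COM

       AEAD cipher; no separate MAC algorithm is used when it is negotiated.";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-256-ETM@OPENSSH.COM

       Encrypt-then-MAC variant of HMAC-SHA2-256.";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-512-ETM@OPENSSH.COM

       Encrypt-then-MAC variant of HMAC-SHA2-512.";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA1-ETM@OPENSSH.COM

       Encrypt-then-MAC variant of HMAC-SHA1. Still SHA-1 based;
       prefer the SHA-2 ETM variants where the peers support them.";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  grouping ssh-authentication-params-grouping {
    description
      "Grouping for SSH authentication limits applied per connection.";

    leaf auth-attempts {
      type uint16;
      default 3;
      description
        "Number of failed authentication attempts after which the
         authentication of the connection is deemed unsuccessful.
         Keeping this small limits online password guessing.";
    }

    leaf auth-timeout {
      type uint16;
      default 30;
      units "seconds";
      description
        "Maximum number of seconds the authentication phase of a
         connection may take. Bounding it limits how long an
         unauthenticated peer can hold a session slot.";
    }
  }

  grouping keyboard-interactive-grouping {
    description
      "Grouping for the SSH Keyboard interactive authentication method.";

    container keyboard-interactive {
      presence "Indicates that PAM configuration file name has been configured and that
                the given client supports the SSH Keyboard Interactive authentication method.";
      description
        "Keyboard interactive SSH authentication method.";

      reference
        "RFC 4256:
         Generic Message Exchange Authentication for
         the Secure Shell Protocol (SSH)";
    }
  }

  grouping endpoint-reference-grouping {
    description
      "Grouping for the endpoint reference.";

    leaf endpoint-reference {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }
      description
        "Reference to another endpoint whose client-authentication
         mechanisms are reused. When a client connects to an endpoint,
         it is first tried against the endpoint's own authentication
         methods; if that fails and the endpoint references another
         endpoint, authentication is retried using the referenced
         endpoint's methods. References may chain, but a chain must
         not form a cycle.

         Only listen endpoints can be referenced (see the leafref path),
         including from call-home endpoints. The no-cycle requirement
         is not expressed as a YANG constraint and must be enforced by
         the implementation or the operator.";
    }
  }

  grouping certificate-revocation-list-grouping {
    description
      "A grouping for the Certificate Revocation List, consulted during
       client certificate authentication to reject certificates that
       have been revoked. The given Certificate Revocation List must be
       PEM or DER encoded.

       Regardless of how the CRL is obtained, it is only trustworthy
       after its signature has been verified against the issuing CA;
       the transport used to fetch it provides no such guarantee.";

    reference
      "RFC 5280:
       Internet X.509 Public Key Infrastructure Certificate
       and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
      description
        "Selects where the Certificate Revocation List is obtained from.";

      leaf crl-url {
        type string;
        description
          "An URL from which the Certificate Revocation List will be
           downloaded and used. The HTTP protocol works, but other
           protocols, such as FTP, may work as well. Neither transport
           authenticates the CRL; rely on the CRL signature, not the
           transport, for integrity.";
      }

      leaf crl-path {
        type string;
        description
          "A path to a Certificate Revocation List file, which must be
           readable by the server process.";
      }

      leaf crl-cert-ext {
        type empty;
        description
          "Indicates that the Certificate Revocation List
           Distribution Points extension will be used to fetch
           Certificate Revocation Lists from. This will be done
           for all the configured Certificate Authority certificates.
           Whether a CRL that cannot be retrieved causes the
           authentication to fail is not specified by this module.";

        reference
          "RFC 5280:
           Internet X.509 Public Key Infrastructure Certificate
           and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
      }
    }
  }

  augment "/ncs:netconf-server" {
    leaf hello-timeout {
      type uint16;
      units "seconds";
      default 60;
      description
        "Maximum number of seconds the server will wait for receiving
         a hello message. Bounding this limits how long a peer that
         never completes the NETCONF handshake can occupy a session.";
    }

    leaf idle-timeout {
      type uint16;
      units "seconds";
      default 0;
      description
        "Maximum number of seconds a NETCONF session may remain idle.
         The value of 0 represents indefinitely, i.e. abandoned
         sessions are never closed for inactivity.";
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
    case unix-socket {
      container unix-socket {
        description
          "Defines a new transport called UNIX socket. This module
           defines no client-authentication for it; who may connect
           is governed solely by the filesystem permissions and
           ownership of the socket file set below.";
        leaf path {
          type string;
          mandatory true;
          description
            "Filesystem path of the UNIX socket to listen on.";
        }
        leaf mode {
          // NOTE(review): the digit 3 (-wx) is not accepted by this
          // pattern; confirm whether that exclusion is intentional.
          type string {
            pattern '[0124567]{3}';
          }
          description
            "Permission bits of the socket file, as three octal digits.";
        }
        leaf uid {
          // NOTE(review): uid_t/gid_t are commonly 32-bit; uint16 caps
          // these at 65535 — confirm against the implementation before widening.
          type uint16;
          description
            "Numeric user ID to own the socket file.";
        }
        leaf gid {
          type uint16;
          description
            "Numeric group ID to own the socket file.";
        }
      }
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
  }
}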