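module libnetconf2-netconf-server {
  yang-version 1.1;
  namespace "urn:cesnet:libnetconf2-netconf-server";
  prefix np2;

  import ietf-netconf-server {
    prefix ncs;
  }

  import ietf-crypto-types {
    prefix ct;
  }

  import iana-ssh-public-key-algs {
    prefix sshpka;
  }

  import iana-ssh-key-exchange-algs {
    prefix sshkea;
  }

  import iana-ssh-encryption-algs {
    prefix sshea;
  }

  import iana-ssh-mac-algs {
    prefix sshma;
  }

  /*
  identity ed25519-private-key-format {
    base ct:private-key-format;
    description
      "This identity would indicate that the
       private key is encoded in a ED25519PrivateKey
       format. However no such format is currently
       standardized or even exists.

       If you wish to use a private key that uses
       an ED25519 algorithm, you need to pick either
       the private-key-info-format or
       openssh-private-key-format identity.";
  }
  */

  // Private key encodings accepted by libnetconf2 in addition to those
  // defined by ietf-crypto-types.

  identity private-key-info-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       as a PrivateKeyInfo structure (from RFC 5208).

       The expected header of the private key:
       -----BEGIN PRIVATE KEY-----
       The expected footer of the private key:
       -----END PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is represented by the
       SubjectPublicKeyInfo identity.";

    reference
      "RFC 5208: PKCS #8: Private-Key Information
       Syntax Specification Version 1.2";
  }

  identity openssh-private-key-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       in the OpenSSH format.

       The expected header of the private key:
       -----BEGIN OPENSSH PRIVATE KEY-----
       The expected footer of the private key:
       -----END OPENSSH PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is either the
       SSH2 public key format (from RFC 4716)
       or the Public key format defined in RFC 4253,
       Section 6.6.";

    reference
      "The OpenSSH Private Key Format:
       https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

       RFC 4716:
       The Secure Shell (SSH) Public Key File Format

       RFC 4253:
       The Secure Shell (SSH) Transport Layer Protocol";
  }

  // OpenSSH certificate key types (PROTOCOL.certkeys). These extend the
  // IANA public-key-algorithm identities so that certificate-based host and
  // client keys can be selected in the ietf-netconf-server algorithm lists.

  identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-ED25519-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-RSA-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    // NOTE(review): ssh-dss certificates are bound to 1024-bit DSA keys, which
    // OpenSSH has disabled by default since release 7.0. Leave this algorithm
    // out of the server's offered list unless a legacy peer cannot use the
    // RSA-SHA2, ECDSA or Ed25519 certificate types above.
    description
      "SSH-DSS-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Key-exchange, cipher and MAC algorithms that are widely deployed but not
  // registered with IANA under those names.

  identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
      "CURVE25519-SHA256@LIBSSH.ORG";
    reference
      "curve25519-sha256@libssh.org specification:
       https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
  }

  identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
      "CHACHA20-POLY1305@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.chacha20poly1305:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
  }

  identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
      "AES256-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
      "AES128-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-256-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-512-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    // NOTE(review): SHA-1-based MAC. Prefer the hmac-sha2-*-etm identities
    // above whenever the peer supports them.
    description
      "HMAC-SHA1-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    description
      "libnetconf2-specific limits on SSH client authentication for this
       endpoint.";

    leaf auth-attempts {
      type uint16;
      default 3;
      description
        "Limit on the number of client authentication attempts allowed
         before the authentication is considered failed.";
      // NOTE(review): the schema does not reject 0; whether 0 disables the
      // limit or rejects every client is decided by the server
      // implementation - confirm before relying on it.
    }

    leaf auth-timeout {
      type uint16;
      default 10;
      units "seconds";
      description
        "Limit on how long, in seconds, client authentication may take
         before the server gives up on it.";
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    description
      "PAM-backed keyboard-interactive authentication for a single SSH
       user.";

    container keyboard-interactive {
      presence
        "Keyboard-interactive authentication is configured for this user and
         is driven by the PAM configuration file named below.";

      leaf pam-config-file-name {
        type string;
        mandatory true;
        description
          "Name of the PAM configuration (service) file used to authenticate
           this user.";
      }
      leaf pam-config-file-dir {
        type string;
        description
          "Directory holding the PAM configuration file. Whatever directory
           ends up being used must be writable only by the administrator:
           whoever controls that file decides how this user is
           authenticated.";
        // NOTE(review): the leaf is optional, so presumably the system PAM
        // configuration directory is used when it is absent - confirm
        // against the server implementation.
      }
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
    description
      "Additional transport: listening on a local UNIX domain socket.";

    case unix-socket {
      container unix-socket {
        description
          "Listen on a UNIX domain socket instead of a network transport.
           Access control is then entirely a matter of the socket file's
           ownership and permission bits.";

        leaf path {
          type string;
          mandatory true;
          description
            "Filesystem path of the UNIX socket to create and listen on.";
        }
        leaf mode {
          type uint16;
          description
            "Permission bits to apply to the socket file. A permissive mode
             lets any local user connect; keep it as tight as the intended
             clients allow.";
          // NOTE(review): no range is enforced and the leaf is a plain
          // uint16, so an octal mode such as 0660 has to be supplied as its
          // decimal equivalent in the encoding - confirm how the server
          // interprets the value.
        }
        leaf uid {
          type uint16;
          description
            "Owner user ID to apply to the socket file.";
          // NOTE(review): uid_t is 32 bits wide on common platforms; ids
          // above 65535 cannot be expressed with uint16.
        }
        leaf gid {
          type uint16;
          description
            "Owner group ID to apply to the socket file.";
          // NOTE(review): same width caveat as 'uid' (gid_t is 32 bits wide
          // on common platforms).
        }
      }
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    description
      "Reference to another SSH endpoint's client-authentication container.
       All the users set in the referencing endpoint will be tried first and if and only if
       there is no match, the referenced endpoint's users will be tried. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }
      description
        "Name of the SSH endpoint whose users are consulted after this
         endpoint's own users. Any user later added to the referenced
         endpoint thereby also becomes able to authenticate here.";

      // The referenced endpoint has to carry an SSH transport so that it
      // actually owns an SSH client-authentication container.
      must "deref(.)/../*[local-name() = 'ssh']" {
        error-message
          "The referenced endpoint must use the SSH transport.";
      }

      // Reject the trivial cycle of an endpoint referencing itself. Longer
      // cycles cannot be expressed in a must statement and remain the
      // server's responsibility to detect when the configuration is applied.
      must ". != ../../../../ncs:name" {
        error-message
          "An endpoint must not reference its own client-authentication.";
      }
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    description
      "Reference to another TLS endpoint's client-authentication container.
       All the users set in the referencing endpoint will be tried first and if and only if
       there is no match, the referenced endpoint's users will be tried. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
      }
      description
        "Name of the TLS endpoint whose users are consulted after this
         endpoint's own users. Any user later added to the referenced
         endpoint thereby also becomes able to authenticate here.";

      // The referenced endpoint has to carry a TLS transport so that it
      // actually owns a TLS client-authentication container.
      must "deref(.)/../*[local-name() = 'tls']" {
        error-message
          "The referenced endpoint must use the TLS transport.";
      }

      // Reject the trivial cycle of an endpoint referencing itself. Longer
      // cycles cannot be expressed in a must statement and remain the
      // server's responsibility to detect when the configuration is applied.
      must ". != ../../../../ncs:name" {
        error-message
          "An endpoint must not reference its own client-authentication.";
      }
    }
  }
}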