roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 1 | module ietf-ssh-server { |
| 2 | yang-version 1.1; |
| 3 | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; |
| 4 | prefix sshs; |
| 5 | |
| 6 | import iana-crypt-hash { |
| 7 | prefix ianach; |
| 8 | reference |
| 9 | "RFC 7317: A YANG Data Model for System Management"; |
| 10 | } |
| 11 | |
| 12 | import ietf-netconf-acm { |
| 13 | prefix nacm; |
| 14 | reference |
| 15 | "RFC 8341: Network Configuration Access Control Model"; |
| 16 | } |
| 17 | |
| 18 | import ietf-crypto-types { |
| 19 | prefix ct; |
| 20 | reference |
| 21 | "RFC AAAA: YANG Data Types and Groupings for Cryptography"; |
| 22 | } |
| 23 | |
| 24 | import ietf-truststore { |
| 25 | prefix ts; |
| 26 | reference |
| 27 | "RFC BBBB: A YANG Data Model for a Truststore"; |
| 28 | } |
| 29 | |
| 30 | import ietf-keystore { |
| 31 | prefix ks; |
| 32 | reference |
| 33 | "RFC CCCC: A YANG Data Model for a Keystore"; |
| 34 | } |
| 35 | |
| 36 | import ietf-ssh-common { |
| 37 | prefix sshcmn; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 38 | reference |
| 39 | "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; |
| 40 | } |
| 41 | |
| 42 | organization |
| 43 | "IETF NETCONF (Network Configuration) Working Group"; |
| 44 | |
| 45 | contact |
| 46 | "WG Web: https://datatracker.ietf.org/wg/netconf |
| 47 | WG List: NETCONF WG list <mailto:netconf@ietf.org> |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 48 | Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 49 | |
| 50 | description |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 51 | "This module defines a reusable grouping for SSH servers that |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 52 | can be used as a basis for specific SSH server instances. |
| 53 | |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 54 | Copyright (c) 2023 IETF Trust and the persons identified |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 55 | as authors of the code. All rights reserved. |
| 56 | |
| 57 | Redistribution and use in source and binary forms, with |
| 58 | or without modification, is permitted pursuant to, and |
| 59 | subject to the license terms contained in, the Revised |
| 60 | BSD License set forth in Section 4.c of the IETF Trust's |
| 61 | Legal Provisions Relating to IETF Documents |
| 62 | (https://trustee.ietf.org/license-info). |
| 63 | |
| 64 | This version of this YANG module is part of RFC EEEE |
| 65 | (https://www.rfc-editor.org/info/rfcEEEE); see the RFC |
| 66 | itself for full legal notices. |
| 67 | |
| 68 | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', |
| 69 | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', |
| 70 | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document |
| 71 | are to be interpreted as described in BCP 14 (RFC 2119) |
| 72 | (RFC 8174) when, and only when, they appear in all |
| 73 | capitals, as shown here."; |
| 74 | |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 75 | revision 2023-12-28 { |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 76 | description |
| 77 | "Initial version"; |
| 78 | reference |
| 79 | "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; |
| 80 | } |
| 81 | |
| 82 | // Features |
| 83 | |
| 84 | feature ssh-server-keepalives { |
| 85 | description |
| 86 | "Per socket SSH keepalive parameters are configurable for |
| 87 | SSH servers on the server implementing this feature."; |
| 88 | } |
| 89 | |
| 90 | feature local-users-supported { |
| 91 | description |
| 92 | "Indicates that the configuration for users can be |
| 93 | configured herein, as opposed to in an application |
| 94 | specific location."; |
| 95 | } |
| 96 | |
| 97 | feature local-user-auth-publickey { |
| 98 | if-feature "local-users-supported"; |
| 99 | description |
| 100 | "Indicates that the 'publickey' authentication type, |
| 101 | per RFC 4252, is supported for locally-defined users. |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 102 | The 'publickey' authentication type is required by |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 103 | RFC 4252, but common implementations allow it to |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 104 | be disabled."; |
| 105 | reference |
| 106 | "RFC 4252: |
| 107 | The Secure Shell (SSH) Authentication Protocol"; |
| 108 | } |
| 109 | |
| 110 | feature local-user-auth-password { |
| 111 | if-feature "local-users-supported"; |
| 112 | description |
| 113 | "Indicates that the 'password' authentication type, |
| 114 | per RFC 4252, is supported for locally-defined users."; |
| 115 | reference |
| 116 | "RFC 4252: |
| 117 | The Secure Shell (SSH) Authentication Protocol"; |
| 118 | } |
| 119 | |
| 120 | feature local-user-auth-hostbased { |
| 121 | if-feature "local-users-supported"; |
| 122 | description |
| 123 | "Indicates that the 'hostbased' authentication type, |
| 124 | per RFC 4252, is supported for locally-defined users."; |
| 125 | reference |
| 126 | "RFC 4252: |
| 127 | The Secure Shell (SSH) Authentication Protocol"; |
| 128 | } |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 129 | |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 130 | feature local-user-auth-none { |
| 131 | if-feature "local-users-supported"; |
| 132 | description |
| 133 | "Indicates that the 'none' authentication type, per |
| 134 | RFC 4252, is supported. It is NOT RECOMMENDED to |
| 135 | enable this feature."; |
| 136 | reference |
| 137 | "RFC 4252: |
| 138 | The Secure Shell (SSH) Authentication Protocol"; |
| 139 | } |
| 140 | |
| 141 | // Groupings |
| 142 | |
| 143 | grouping ssh-server-grouping { |
| 144 | description |
| 145 | "A reusable grouping for configuring a SSH server without |
| 146 | any consideration for how underlying TCP sessions are |
| 147 | established. |
| 148 | |
| 149 | Note that this grouping uses fairly typical descendant |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 150 | node names such that a nesting of 'uses' statements will |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 151 | have name conflicts. It is intended that the consuming |
| 152 | data model will resolve the issue (e.g., by wrapping |
| 153 | the 'uses' statement in a container called |
| 154 | 'ssh-server-parameters'). This model purposely does |
| 155 | not do this itself so as to provide maximum flexibility |
| 156 | to consuming models."; |
| 157 | |
| 158 | container server-identity { |
| 159 | nacm:default-deny-write; |
| 160 | description |
| 161 | "The list of host keys the SSH server will present when |
| 162 | establishing a SSH connection."; |
| 163 | list host-key { |
| 164 | key "name"; |
| 165 | min-elements 1; |
| 166 | ordered-by user; |
| 167 | description |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 168 | "An ordered list of host keys (see RFC 4251) the SSH |
| 169 | server will use to construct its ordered list of |
| 170 | algorithms, when sending its SSH_MSG_KEXINIT message, |
| 171 | as defined in Section 7.1 of RFC 4253."; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 172 | reference |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 173 | "RFC 4251: The Secure Shell (SSH) Protocol Architecture |
| 174 | RFC 4253: The Secure Shell (SSH) Transport Layer |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 175 | Protocol"; |
| 176 | leaf name { |
| 177 | type string; |
| 178 | description |
| 179 | "An arbitrary name for this host key"; |
| 180 | } |
| 181 | choice host-key-type { |
| 182 | mandatory true; |
| 183 | description |
| 184 | "The type of host key being specified"; |
| 185 | container public-key { |
| 186 | description |
| 187 | "A locally-defined or referenced asymmetric key pair |
| 188 | to be used for the SSH server's host key."; |
| 189 | reference |
| 190 | "RFC CCCC: A YANG Data Model for a Keystore"; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 191 | uses ks:inline-or-keystore-asymmetric-key-grouping { |
| 192 | refine "inline-or-keystore/inline/inline-definition" { |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 193 | must 'not(public-key-format) or derived-from-or-self' |
| 194 | + '(public-key-format, "ct:ssh-public-key-format")'; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 195 | |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 196 | } |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 197 | refine "inline-or-keystore/central-keystore/" |
| 198 | + "central-keystore-reference" { |
| 199 | must 'not(deref(.)/../ks:public-key-format) or ' |
| 200 | + 'derived-from-or-self(deref(.)/../ks:public-' |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 201 | + 'key-format, "ct:ssh-public-key-format")'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 202 | } |
| 203 | } |
| 204 | } |
| 205 | container certificate { |
| 206 | if-feature "sshcmn:ssh-x509-certs"; |
| 207 | description |
| 208 | "A locally-defined or referenced end-entity |
| 209 | certificate to be used for the SSH server's |
| 210 | host key."; |
| 211 | reference |
| 212 | "RFC CCCC: A YANG Data Model for a Keystore"; |
| 213 | uses |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 214 | ks:inline-or-keystore-end-entity-cert-with-key-grouping{ |
| 215 | refine "inline-or-keystore/inline/inline-definition" { |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 216 | must 'not(public-key-format) or derived-from-or-self' |
| 217 | + '(public-key-format, "ct:subject-public-key-' |
| 218 | + 'info-format")'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 219 | } |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 220 | refine "inline-or-keystore/central-keystore/" |
| 221 | + "central-keystore-reference/asymmetric-key" { |
| 222 | must 'not(deref(.)/../ks:public-key-format) or ' |
| 223 | + 'derived-from-or-self(deref(.)/../ks:public-key' |
| 224 | + '-format, "ct:subject-public-key-info-format")'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 225 | } |
| 226 | } |
| 227 | } |
| 228 | } |
| 229 | } |
| 230 | } // container server-identity |
| 231 | |
| 232 | container client-authentication { |
| 233 | nacm:default-deny-write; |
| 234 | description |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 235 | "Specifies how the SSH server can be configured to |
| 236 | authenticate SSH clients. See RFC 4252 for a general |
| 237 | discussion about SSH authentication."; |
| 238 | reference |
| 239 | "RFC 4252: The Secure Shell (SSH) Transport Layer"; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 240 | container users { |
| 241 | if-feature "local-users-supported"; |
| 242 | description |
| 243 | "A list of locally configured users."; |
| 244 | list user { |
| 245 | key "name"; |
| 246 | description |
| 247 | "A locally configured user. |
| 248 | |
| 249 | The server SHOULD derive the list of authentication |
| 250 | 'method names' returned to the SSH client from the |
| 251 | descendant nodes configured herein, per Sections |
| 252 | 5.1 and 5.2 in RFC 4252. |
| 253 | |
| 254 | The authentication methods are unordered. Clients |
| 255 | must authenticate to all configured methods. |
| 256 | Whenever a choice amongst methods arises, |
| 257 | implementations SHOULD use a default ordering |
| 258 | that prioritizes automation over human-interaction."; |
| 259 | leaf name { |
| 260 | type string; |
| 261 | description |
| 262 | "The 'user name' for the SSH client, as defined in |
| 263 | the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 264 | reference |
| 265 | "RFC 4253: The Secure Shell (SSH) Transport Layer |
| 266 | Protocol"; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 267 | } |
| 268 | container public-keys { |
| 269 | if-feature "local-user-auth-publickey"; |
| 270 | presence |
| 271 | "Indicates that public keys have been configured. |
| 272 | This statement is present so the mandatory descendant |
| 273 | nodes do not imply that this node must be |
| 274 | configured."; |
| 275 | description |
| 276 | "A set of SSH public keys may be used by the SSH |
| 277 | server to authenticate this user. A user is |
| 278 | authenticated if its public key is an exact |
| 279 | match to a configured public key."; |
| 280 | reference |
| 281 | "RFC BBBB: A YANG Data Model for a Truststore"; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 282 | uses ts:inline-or-truststore-public-keys-grouping { |
| 283 | refine "inline-or-truststore/inline/inline-definition/" |
| 284 | + "public-key" { |
| 285 | must 'derived-from-or-self(public-key-format,' |
| 286 | + ' "ct:ssh-public-key-format")'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 287 | } |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 288 | refine "inline-or-truststore/central-truststore/" |
| 289 | + "central-truststore-reference" { |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 290 | must 'not(deref(.)/../ts:public-key/ts:public-key-' |
| 291 | + 'format[not(derived-from-or-self(., "ct:ssh-' |
| 292 | + 'public-key-format"))])'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 293 | } |
| 294 | } |
| 295 | } |
| 296 | leaf password { |
| 297 | if-feature "local-user-auth-password"; |
| 298 | type ianach:crypt-hash; |
| 299 | description |
| 300 | "The password for this user."; |
| 301 | } |
| 302 | container hostbased { |
| 303 | if-feature "local-user-auth-hostbased"; |
| 304 | presence |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 305 | "Indicates that hostbased [RFC4252] keys have been |
| 306 | configured. This statement is present so the |
| 307 | mandatory descendant nodes do not imply that this |
| 308 | node must be configured."; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 309 | description |
| 310 | "A set of SSH host keys used by the SSH server to |
| 311 | authenticate this user's host. A user's host is |
| 312 | authenticated if its host key is an exact match |
| 313 | to a configured host key."; |
| 314 | reference |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 315 | "RFC 4252: The Secure Shell (SSH) Transport Layer |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 316 | RFC BBBB: A YANG Data Model for a Truststore"; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 317 | uses ts:inline-or-truststore-public-keys-grouping { |
| 318 | refine "inline-or-truststore/inline/inline-definition/" |
| 319 | + "public-key" { |
| 320 | must 'derived-from-or-self(public-key-format,' |
| 321 | + ' "ct:ssh-public-key-format")'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 322 | } |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 323 | refine "inline-or-truststore/central-truststore/" |
| 324 | + "central-truststore-reference" { |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 325 | must 'not(deref(.)/../ts:public-key/ts:public-key-' |
| 326 | + 'format[not(derived-from-or-self(., "ct:ssh-' |
| 327 | + 'public-key-format"))])'; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 328 | } |
| 329 | } |
| 330 | } |
| 331 | leaf none { |
| 332 | if-feature "local-user-auth-none"; |
| 333 | type empty; |
| 334 | description |
| 335 | "Indicates that the 'none' method is configured |
| 336 | for this user."; |
| 337 | reference |
| 338 | "RFC 4252: The Secure Shell (SSH) Authentication |
| 339 | Protocol."; |
| 340 | } |
| 341 | } |
Michal Vasko | cf89817 | 2024-01-15 15:04:28 +0100 | [diff] [blame] | 342 | } // users |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 343 | container ca-certs { |
| 344 | if-feature "sshcmn:ssh-x509-certs"; |
| 345 | presence |
| 346 | "Indicates that CA certificates have been configured. |
| 347 | This statement is present so the mandatory descendant |
| 348 | nodes do not imply this node must be configured."; |
| 349 | description |
| 350 | "A set of certificate authority (CA) certificates used by |
| 351 | the SSH server to authenticate SSH client certificates. |
| 352 | A client certificate is authenticated if it has a valid |
| 353 | chain of trust to a configured CA certificate."; |
| 354 | reference |
| 355 | "RFC BBBB: A YANG Data Model for a Truststore"; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 356 | uses ts:inline-or-truststore-certs-grouping; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 357 | } |
| 358 | container ee-certs { |
| 359 | if-feature "sshcmn:ssh-x509-certs"; |
| 360 | presence |
| 361 | "Indicates that EE certificates have been configured. |
| 362 | This statement is present so the mandatory descendant |
| 363 | nodes do not imply this node must be configured."; |
| 364 | description |
| 365 | "A set of client certificates (i.e., end entity |
| 366 | certificates) used by the SSH server to authenticate |
| 367 | the certificates presented by SSH clients. A client |
| 368 | certificate is authenticated if it is an exact match |
| 369 | to a configured end-entity certificate."; |
| 370 | reference |
| 371 | "RFC BBBB: A YANG Data Model for a Truststore"; |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 372 | uses ts:inline-or-truststore-certs-grouping; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 373 | } |
| 374 | } // container client-authentication |
| 375 | |
| 376 | container transport-params { |
| 377 | nacm:default-deny-write; |
| 378 | if-feature "sshcmn:transport-params"; |
| 379 | description |
| 380 | "Configurable parameters of the SSH transport layer."; |
| 381 | uses sshcmn:transport-params-grouping; |
| 382 | } // container transport-params |
| 383 | |
| 384 | container keepalives { |
| 385 | nacm:default-deny-write; |
| 386 | if-feature "ssh-server-keepalives"; |
| 387 | presence |
| 388 | "Indicates that the SSH server proactively tests the |
| 389 | aliveness of the remote SSH client."; |
| 390 | description |
| 391 | "Configures the keep-alive policy, to proactively test |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 392 | the aliveness of the SSH client. An unresponsive SSH |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 393 | client is dropped after approximately max-wait * |
| 394 | max-attempts seconds. Per Section 4 of RFC 4254, |
| 395 | the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST |
| 396 | message with a purposely nonexistent 'request name' |
| 397 | value (e.g., keepalive@ietf.org) and the 'want reply' |
| 398 | value set to '1'."; |
| 399 | reference |
| 400 | "RFC 4254: The Secure Shell (SSH) Connection Protocol"; |
| 401 | leaf max-wait { |
| 402 | type uint16 { |
| 403 | range "1..max"; |
| 404 | } |
| 405 | units "seconds"; |
| 406 | default "30"; |
| 407 | description |
| 408 | "Sets the amount of time in seconds after which |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 409 | if no data has been received from the SSH client, |
| 410 | a SSH-level message will be sent to test the |
| 411 | aliveness of the SSH client."; |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 412 | } |
| 413 | leaf max-attempts { |
| 414 | type uint8; |
| 415 | default "3"; |
| 416 | description |
| 417 | "Sets the maximum number of sequential keep-alive |
| 418 | messages that can fail to obtain a response from |
roman | 7fdc84d | 2023-06-06 13:14:53 +0200 | [diff] [blame] | 419 | the SSH client before assuming the SSH client is |
roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 420 | no longer alive."; |
| 421 | } |
| 422 | } |
| 423 | } // grouping ssh-server-grouping |
| 424 | |
| 425 | } |