romanc1d2b092023-02-02 08:58:27 +01001module libnetconf2-netconf-server {
yang-version 1.1;
namespace "urn:cesnet:libnetconf2-netconf-server";
prefix np2;

// Base server model: every augment in this module targets a node under
// /ncs:netconf-server, and the endpoint-reference leafref points into it.
import ietf-netconf-server {
    prefix ncs;
}

// Source of ct:private-key-format, the base of the two private-key format
// identities defined below.
import ietf-crypto-types {
    prefix ct;
}

// IANA-derived SSH algorithm modules. The identities below derive from their
// *-alg-base identities to add the @openssh.com and @libssh.org algorithm
// names, which are presumably not carried by the IANA-derived modules.
import iana-ssh-public-key-algs {
    prefix sshpka;
}

import iana-ssh-key-exchange-algs {
    prefix sshkea;
}

import iana-ssh-encryption-algs {
    prefix sshea;
}

import iana-ssh-mac-algs {
    prefix sshma;
}

// NOTE(review): the tlss prefix is not referenced anywhere in this module, so
// this import is currently unused; YANG validators typically warn about it.
import ietf-tls-server {
    prefix tlss;
}

// NOTE(review): the blame view shows statements edited after 2023-09-07 (e.g.
// the keyboard-interactive choice, 2023-11-30) with no newer revision entry —
// confirm whether a new revision statement should be added.
revision "2023-09-07" {
    description "Initial revision.";
}
37
roman0bbc19c2023-05-26 09:59:09 +020038 /*
roman44600f42023-04-28 15:54:27 +020039 identity ed25519-private-key-format {
40 base ct:private-key-format;
roman466719d2023-05-05 16:14:37 +020041 description
42 "This identity would indicate that the
 43 private key is encoded in an ED25519PrivateKey
44 format. However no such format is currently
45 standardized or even exists.
46
47 If you wish to use a private key that uses
48 an ED25519 algorithm, you need to pick either
49 the private-key-info-format or
50 openssh-private-key-format identity.";
51 }
52*/
53
// Unencrypted PKCS #8 PrivateKeyInfo (PEM "BEGIN PRIVATE KEY"). The encrypted
// PKCS #8 variant (EncryptedPrivateKeyInfo, "BEGIN ENCRYPTED PRIVATE KEY") is
// not covered by this identity, so a key in this format is protected only by
// the access controls on wherever it is stored.
identity private-key-info-format {
    base ct:private-key-format;
    description
        "Indicates that the private key is encoded
         as a PrivateKeyInfo structure (from RFC 5208).

         The expected header of the private key:
         -----BEGIN PRIVATE KEY-----
         The expected footer of the private key:
         -----END PRIVATE KEY-----

         Supported private key algorithms to use with
         this format are: RSA, EC and ED25519.

         Commonly used public key format for this
         type of private key is represented by the
         SubjectPublicKeyInfo identity.";

    reference
        "RFC 5208: PKCS #8: Private-Key Information
         Syntax Specification Version 1.2";
}
76
// OpenSSH native private-key container (PEM "BEGIN OPENSSH PRIVATE KEY").
// NOTE(review): this container format can be passphrase-protected; whether an
// encrypted key is accepted here is not stated — TODO confirm and document.
identity openssh-private-key-format {
    base ct:private-key-format;
    description
        "Indicates that the private key is encoded
         in the OpenSSH format.

         The expected header of the private key:
         -----BEGIN OPENSSH PRIVATE KEY-----
         The expected footer of the private key:
         -----END OPENSSH PRIVATE KEY-----

         Supported private key algorithms to use with
         this format are: RSA, EC and ED25519.

         Commonly used public key format for this
         type of private key is either the
         SSH2 public key format (from RFC 4716)
         or the Public key format defined in RFC 4253,
         Section 6.6.";

    reference
        "The OpenSSH Private Key Format:
         https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

         RFC 4716:
         The Secure Shell (SSH) Public Key File Format

         RFC 4253:
         The Secure Shell (SSH) Transport Layer Protocol";
}
roman0bbc19c2023-05-26 09:59:09 +0200107
// OpenSSH certificate form of ssh-ed25519 (OpenSSH certificates, not X.509).
// NOTE(review): SSH algorithm names are case-sensitive and lowercase on the
// wire; the upper-case description here is presumably display-only and the
// identity name is what the implementation maps from — confirm.
identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "SSH-ED25519-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
116
// OpenSSH certificate form of ecdsa-sha2-nistp521 (public-key algorithm).
identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
125
// OpenSSH certificate form of ecdsa-sha2-nistp384 (public-key algorithm).
identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
134
// OpenSSH certificate form of ecdsa-sha2-nistp256 (public-key algorithm).
identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
143
// OpenSSH certificate form of rsa-sha2-512 (RSA key, SHA-512 signatures).
identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
152
// OpenSSH certificate form of rsa-sha2-256 (RSA key, SHA-256 signatures).
identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
161
// OpenSSH certificate form of ssh-rsa, i.e. RSA with SHA-1 signatures. OpenSSH
// disables the ssh-rsa signature family by default since 8.8; the rsa-sha2-*
// certificate identities above are the current replacements. Consider marking
// this one legacy in its description so operators do not enable it by habit.
identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "SSH-RSA-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
170
// OpenSSH certificate form of ssh-dss (DSA, 1024-bit keys, SHA-1). OpenSSH has
// disabled ssh-dss by default since 7.0. Consider `status deprecated;` or an
// explicit legacy warning in the description so it is not enabled inadvertently.
identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    description
        "SSH-DSS-CERT-V01@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.certkeys:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
179
// Pre-standard libssh.org name for the Curve25519 key exchange (the same
// exchange was later standardized as curve25519-sha256, RFC 8731). Kept for
// interoperability with peers that only advertise the @libssh.org name.
identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
        "CURVE25519-SHA256@LIBSSH.ORG";
    reference
        "curve25519-sha256@libssh.org specification:
         https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
}
188
// AEAD cipher: provides its own integrity protection, so per PROTOCOL.chacha20poly1305
// the negotiated MAC algorithm is ignored when this cipher is selected.
identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
        "CHACHA20-POLY1305@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL.chacha20poly1305:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
}
197
// AEAD cipher (AES-256 in GCM mode, OpenSSH variant); the negotiated MAC is
// ignored when this cipher is selected, as described in PROTOCOL section 1.6.
identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
        "AES256-GCM@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL, Section 1.6:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
206
// AEAD cipher (AES-128 in GCM mode, OpenSSH variant); the negotiated MAC is
// ignored when this cipher is selected, as described in PROTOCOL section 1.6.
identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
        "AES128-GCM@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL, Section 1.6:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
215
// Encrypt-then-MAC variant of hmac-sha2-256: the MAC is computed over the
// ciphertext rather than the plaintext.
identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
        "HMAC-SHA2-256-ETM@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
224
// Encrypt-then-MAC variant of hmac-sha2-512: the MAC is computed over the
// ciphertext rather than the plaintext.
identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
        "HMAC-SHA2-512-ETM@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
233
// Encrypt-then-MAC variant of hmac-sha1. HMAC-SHA1 is not broken by SHA-1
// collision attacks, but the SHA-2 ETM variants above should be preferred
// wherever peers support them; treat this as a compatibility option.
identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    description
        "HMAC-SHA1-ETM@OPENSSH.COM";
    reference
        "OpenSSH PROTOCOL:
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
242
// Limits on the SSH client-authentication phase; pulled into the
// ssh-server-parameters of both listen and call-home endpoints by the
// augments at the end of this module.
grouping ssh-authentication-params-grouping {
    description
        "Grouping for SSH authentication parameters.";

    // NOTE(review): uint16 admits 0, and the description does not say whether
    // 0 disables the limit or rejects every attempt — TODO confirm and
    // document (or restrict the value with a range statement).
    leaf auth-attempts {
        type uint16;
        default 3;
        description
            "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
    }

    // NOTE(review): same open question for a timeout of 0 seconds — TODO confirm.
    leaf auth-timeout {
        type uint16;
        default 30;
        units "seconds";
        description
            "Represents the maximum amount of seconds an authentication can go on for.";
    }
}
262
// Per-user opt-in to keyboard-interactive authentication (RFC 4256). The
// presence container enables the method; the mandatory choice inside it
// currently offers a single case, so an empty keyboard-interactive container
// is rejected by the schema.
grouping keyboard-interactive-grouping {
    description
        "Grouping for the SSH Keyboard interactive authentication method.";

    container keyboard-interactive {
        presence "Indicates that the given client supports the SSH Keyboard Interactive authentication method.";
        description
            "Keyboard interactive SSH authentication method.";

        reference
            "RFC 4256:
             Generic Message Exchange Authentication for
             the Secure Shell Protocol (SSH)";

        choice method {
            mandatory true;
            description
                "Method to perform the authentication with.";

            // "The system's mechanisms" is not specified further in the model
            // (presumably the host's login/PAM stack) — confirm against the
            // implementation before relying on a particular behaviour.
            container use-system-auth {
                presence
                    "Indicates that the system will handle the authentication.";

                description
                    "Authentication is done using the system's mechanisms.";
            }
        }
    }
}
292
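// Lets an endpoint fall back to another endpoint's client-authentication
// configuration. Used by the SSH and TLS augments below, for both listen and
// call-home endpoints.
grouping endpoint-reference-grouping {
    description
        "Grouping for the endpoint reference.";

    // The leafref only guarantees that the value names an existing *listen*
    // endpoint (call-home endpoints cannot be referenced). It does not stop an
    // endpoint from referencing itself, does not rule out reference cycles,
    // and does not require the referenced endpoint to use the same transport.
    // The no-cycle rule stated in the description therefore has to be enforced
    // by the implementation, not by the schema.
    leaf endpoint-reference {
        type leafref {
            path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
        }
        description
            "Reference to another endpoint. The purpose is to use the referenced endpoint's
             authentication mechanisms. When a connection is made on an endpoint, the connecting
             user is first authenticated using that endpoint's configured methods. If the user
             was not authenticated and the endpoint references another endpoint, authentication
             is retried using the referenced endpoint's mechanisms. References may be chained,
             but they must not form a cycle.";
    }
}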
310
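// Optional CRL source for TLS client-certificate authentication. At most one
// source can be configured; the choice is not mandatory, so a CRL source may
// be omitted entirely.
grouping certificate-revocation-list-grouping {
    description
        "A grouping for the Certificate Revocation List, which is used
         to authenticate clients or to deny access for certain certificates.
         The given Certificate Revocation List must be PEM or DER encoded.";

    reference
        "RFC 5280:
         Internet X.509 Public Key Infrastructure Certificate
         and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
        // A CRL fetched over HTTP or FTP carries no transport integrity; it is
        // only as trustworthy as its signature, so the implementation is
        // expected to verify it against a configured CA before honouring it —
        // TODO confirm. The leaf is a plain string; no URI syntax is enforced.
        leaf crl-url {
            type string;
            description
                "A URL from which the Certificate Revocation List will be
                 downloaded and used. The HTTP protocol works, but other
                 protocols, such as FTP, may work as well.";
        }

        // Local file; the schema imposes no constraint on the path's form.
        leaf crl-path {
            type string;
            description
                "A path to a Certificate Revocation List file.";
        }

        // Takes the CRL location from each configured CA certificate's CRL
        // Distribution Points extension, which implies outbound fetches at
        // validation time; reachability of the distribution points then
        // presumably affects client authentication — check timeout handling.
        leaf crl-cert-ext {
            type empty;
            description
                "Indicates that the Certificate Revocation List
                 Distribution Points extension will be used to fetch
                 Certificate Revocation Lists from. This will be done
                 for all the configured Certificate Authority certificates.";

            reference
                "RFC 5280:
                 Internet X.509 Public Key Infrastructure Certificate
                 and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
        }
    }
}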
352
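// Server-wide session timers. Both leaves extend the same target node, so one
// augment carries them; the resulting schema tree is unchanged.
augment "/ncs:netconf-server" {
    // NOTE(review): 0 is representable but its meaning is not documented here
    // (unlike idle-timeout below) — TODO confirm and document.
    leaf hello-timeout {
        type uint16;
        default 60;
        description
            "Represents the maximum number of seconds the server will wait for receiving a hello message.";
    }

    // With the default of 0, idle sessions are never reaped; deployments that
    // want stale sessions closed must set this explicitly.
    leaf idle-timeout {
        type uint16;
        default 0;
        description
            "Represents the maximum number of seconds a NETCONF session may remain idle. The value of 0 represents indefinitely.";
    }
}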
370
// Listen endpoints, SSH transport: attempt and time limits for client
// authentication.
augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh" +
        "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
}
375
// Call-home endpoints, SSH transport: attempt and time limits for client
// authentication (same grouping as the listen side).
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
        "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
}
380
// Listen endpoints, SSH transport: per-user keyboard-interactive opt-in
// (note the target is the user list entry, not the endpoint).
augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh" +
        "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
}
385
// Call-home endpoints, SSH transport: per-user keyboard-interactive opt-in.
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
        "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
}
390
// Listen endpoints, SSH transport: fall back to another listen endpoint's
// client-authentication configuration.
augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh" +
        "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
}
roman0bbc19c2023-05-26 09:59:09 +0200395
// Call-home endpoints, SSH transport. The grouping's leafref targets listen
// endpoint names only, so a call-home endpoint can borrow authentication
// settings from a listen endpoint but not from another call-home endpoint.
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
        "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
}
400
// Listen endpoints, TLS transport. NOTE(review): the leafref does not require
// the referenced endpoint to also use TLS; how an SSH-only referenced endpoint
// is handled is not stated in the model — TODO confirm.
augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls" +
        "/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
}
roman0bbc19c2023-05-26 09:59:09 +0200405
// Call-home endpoints, TLS transport: fall back to a listen endpoint's
// client-authentication configuration (listen endpoints only, per the leafref).
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
        "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
}
romanfaecc582023-06-15 16:13:31 +0200410
// Listen endpoints, TLS transport: optional CRL source for revocation checks
// on client certificates.
augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls" +
        "/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
}
romanc1732ce2023-07-24 11:03:52 +0200415
// Call-home endpoints, TLS transport: optional CRL source for revocation
// checks on client certificates.
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
        "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
}
romanc1d2b092023-02-02 08:58:27 +0100420}