module libnetconf2-netconf-server {
  yang-version 1.1;
  namespace "urn:cesnet:libnetconf2-netconf-server";
  prefix np2;

  // libnetconf2-specific extensions of ietf-netconf-server: additional
  // private-key formats and OpenSSH/libssh algorithm identities, SSH
  // authentication attempt/timeout limits, system-backed public-key and
  // keyboard-interactive authentication, authentication chaining through
  // endpoint references, and TLS certificate revocation lists. Everything
  // is attached to the standard server tree by the augment statements at
  // the end of the module.

  import ietf-netconf-server {
    prefix ncs;
  }

  import ietf-crypto-types {
    prefix ct;
  }

  // The iana-ssh-*-algs modules provide the identity bases that the
  // @openssh.com / @libssh.org algorithm identities below derive from.
  import iana-ssh-public-key-algs {
    prefix sshpka;
  }

  import iana-ssh-key-exchange-algs {
    prefix sshkea;
  }

  import iana-ssh-encryption-algs {
    prefix sshea;
  }

  import iana-ssh-mac-algs {
    prefix sshma;
  }

  import ietf-tls-server {
    prefix tlss;
  }

  revision "2024-01-15" {
    description "Initial revision.";
  }

  // Deliberately left out of the module: no standardized ED25519-specific
  // private key format exists. The text below explains which identities to
  // use for ED25519 keys instead.
  /*
  identity ed25519-private-key-format {
    base ct:private-key-format;
    description
      "This identity would indicate that the
       private key is encoded in a ED25519PrivateKey
       format. However no such format is currently
       standardized or even exists.

       If you wish to use a private key that uses
       an ED25519 algorithm, you need to pick either
       the private-key-info-format or
       openssh-private-key-format identity.";
  }
  */

  // PKCS #8 PrivateKeyInfo. The header quoted in the description is the
  // unencrypted form; encrypted PKCS #8 uses a different PEM label, and
  // whether the implementation accepts it is not stated here — confirm.
  identity private-key-info-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       as a PrivateKeyInfo structure (from RFC 5208).

       The expected header of the private key:
       -----BEGIN PRIVATE KEY-----
       The expected footer of the private key:
       -----END PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is represented by the
       SubjectPublicKeyInfo identity.";

    reference
      "RFC 5208: PKCS #8: Private-Key Information
       Syntax Specification Version 1.2";
  }

  // Native OpenSSH private key container. NOTE(review): whether
  // passphrase-protected keys in this format are accepted is not stated
  // here — confirm against the implementation.
  identity openssh-private-key-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       in the OpenSSH format.

       The expected header of the private key:
       -----BEGIN OPENSSH PRIVATE KEY-----
       The expected footer of the private key:
       -----END OPENSSH PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is either the
       SSH2 public key format (from RFC 4716)
       or the Public key format defined in RFC 4253,
       Section 6.6.";

    reference
      "The OpenSSH Private Key Format:
       https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

       RFC 4716:
       The Secure Shell (SSH) Public Key File Format

       RFC 4253:
       The Secure Shell (SSH) Transport Layer Protocol";
  }

  // OpenSSH certificate key types. These @openssh.com names are not in the
  // IANA SSH registry and therefore not covered by iana-ssh-public-key-algs;
  // deriving them from its base identity lets them be configured alongside
  // the standard public key algorithms.
  identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-ED25519-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // SHA-1 signed RSA certificates; prefer the rsa-sha2-* variants above.
  identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-RSA-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Legacy DSA variant; OpenSSH has disabled ssh-dss by default since 7.0.
  // Presumably kept for interoperability with old peers only.
  identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-DSS-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // Pre-registration name of the key exchange later standardized as
  // curve25519-sha256 (RFC 8731); older peers still advertise this spelling.
  identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
      "CURVE25519-SHA256@LIBSSH.ORG";
    reference
      "curve25519-sha256@libssh.org specification:
       https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
  }

  // AEAD ciphers under their OpenSSH-specific names.
  identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
      "CHACHA20-POLY1305@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.chacha20poly1305:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
  }

  identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
      "AES256-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
      "AES128-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Encrypt-then-MAC variants: the MAC is computed over the ciphertext
  // rather than the plaintext as in the RFC 4253 construction.
  identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-256-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-512-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // SHA-1 based; prefer the SHA-2 ETM variants above where peers allow.
  identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA1-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Per-endpoint limits on how long and how often a client may try to
  // authenticate. Applied to both listen and call-home SSH endpoints below.
  grouping ssh-authentication-params-grouping {
    description
      "Grouping for SSH authentication parameters.";

    leaf auth-attempts {
      type uint16;
      default 3;
      // NOTE(review): the full uint16 range is allowed; what 0 means
      // (no attempt permitted vs. unlimited) is not stated — confirm in
      // the implementation before relying on it.
      description
        "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
    }

    leaf auth-timeout {
      type uint16;
      default 30;
      units "seconds";
      // NOTE(review): as above, the meaning of 0 is not specified here.
      description
        "Represents the maximum amount of seconds an authentication can go on for.";
    }
  }

  // Alternative to inline/truststore public keys for a user: the presence
  // of the container alone selects it, and the key lookup is delegated to
  // the system (see the referenced libnetconf2 documentation).
  grouping system-auth-public-keys-grouping {
    description
      "Grouping for using the system configured keys in the SSH public key authentication method.";

    container use-system-keys {
      presence
        "Indicates that the given user will be authenticated using the system's configured public keys.";

      description
        "Authentication is done using the system's mechanisms.";

      reference
        "libnetconf2 documentation:
         Section SSH";
    }
  }

  // Keyboard-interactive (RFC 4256) per user. The choice is mandatory, so a
  // present keyboard-interactive container must select a method;
  // use-system-auth is currently the only case.
  grouping keyboard-interactive-grouping {
    description
      "Grouping for the SSH Keyboard interactive authentication method.";

    container keyboard-interactive {
      presence "Indicates that the given client supports the SSH Keyboard Interactive authentication method.";
      description
        "Keyboard interactive SSH authentication method.";

      reference
        "RFC 4256:
         Generic Message Exchange Authentication for
         the Secure Shell Protocol (SSH)";

      choice method {
        mandatory true;
        description
          "Method to perform the authentication with.";

        container use-system-auth {
          presence
            "Indicates that the system will handle the authentication.";

          description
            "Authentication is done using the system's mechanisms.";

          reference
            "libnetconf2 documentation:
             Section SSH";
        }
      }
    }
  }

  // Authentication chaining. The leafref targets listen endpoints only
  // (ncs:listen/...), also when this grouping is used under call-home
  // endpoints below. The no-cycle rule in the description is not expressed
  // as a YANG constraint, so the implementation has to detect cycles itself.
  grouping endpoint-reference-grouping {
    description
      "Grouping for the endpoint reference.";

    leaf endpoint-reference {
      type leafref {
        path "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:name";
      }
      description
        "Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
         If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
         using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
         references another endpoint, the authentication will be tried again. However, this time
         using the referenced endpoint's mechanisms. The references can be
         multiple, however there must not be a cycle.";
    }
  }

  // CRL source for TLS client-certificate authentication. The choice is not
  // mandatory: CRL checking is configured only when one of the cases is set.
  grouping certificate-revocation-list-grouping {
    description
      "A grouping for the Certificate Revocation List, which is used
       to authenticate clients or to deny access for certain certificates.
       The given Certificate Revocation List must be PEM or DER encoded.";

    reference
      "RFC 5280:
       Internet X.509 Public Key Infrastructure Certificate
       and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
      // Plain string, not inet:uri: scheme and format validation is left to
      // the implementation. NOTE(review): behaviour when the download fails
      // (fail-open vs. fail-closed) is not specified here — confirm.
      leaf crl-url {
        type string;
        description
          "An URL from which the Certificate Revocation List will be
           downloaded and used. The HTTP protocol works, but other
           protocols, such as FTP, may work as well.";
      }

      // Local file, PEM or DER per the grouping description.
      leaf crl-path {
        type string;
        description
          "A path to a Certificate Revocation List file.";
      }

      // Discovers CRL locations from the CA certificates themselves; like
      // crl-url this implies network fetches at verification time.
      leaf crl-cert-ext {
        type empty;
        description
          "Indicates that the Certificate Revocation List
           Distribution Points extension will be used to fetch
           Certificate Revocation Lists from. This will be done
           for all the configured Certificate Authority certificates.";

        reference
          "RFC 5280:
           Internet X.509 Public Key Infrastructure Certificate
           and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
      }
    }
  }

  // Each grouping is applied to the listen tree and to the call-home tree
  // so both endpoint kinds expose the same options: the SSH groupings to
  // the SSH client-authentication subtree (or its users/user entries), the
  // endpoint reference to both SSH and TLS, and the CRL grouping to TLS only.
  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
          "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
          "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters" +
          "/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
    case system-auth-public-keys {
      uses system-auth-public-keys-grouping;
    }
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
          "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
    case system-auth-public-keys {
      uses system-auth-public-keys-grouping;
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
          "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
          "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
          "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
          "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls" +
          "/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
          "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls" +
          "/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
          "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
  }
}