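module libnetconf2-netconf-server {
  yang-version 1.1;
  namespace "urn:cesnet:libnetconf2-netconf-server";
  prefix np2;

  import ietf-netconf-server {
    prefix ncs;
  }

  import ietf-crypto-types {
    prefix ct;
  }

  import iana-ssh-public-key-algs {
    prefix sshpka;
  }

  import iana-ssh-key-exchange-algs {
    prefix sshkea;
  }

  import iana-ssh-encryption-algs {
    prefix sshea;
  }

  import iana-ssh-mac-algs {
    prefix sshma;
  }

  // NOTE(review): the tlss prefix is imported but not referenced anywhere in
  // this module; kept so existing module sets still resolve.
  import ietf-tls-server {
    prefix tlss;
  }

  description
    "libnetconf2-specific extensions of ietf-netconf-server:
     additional private-key formats, OpenSSH/libssh algorithm
     identities, SSH authentication limits, keyboard-interactive
     (PAM) authentication, cross-endpoint authentication
     references, CRL configuration for TLS client authentication,
     session timeouts, and a UNIX-socket transport.

     Several nodes below are security-relevant (authentication
     attempt and timeout limits, idle timeouts, CRL sources,
     socket permissions); their descriptions state the implied
     trust assumptions.";

  revision "2023-09-07" {
    description "Initial revision.";
  }

  /*
  identity ed25519-private-key-format {
    base ct:private-key-format;
    description
      "This identity would indicate that the
       private key is encoded in a ED25519PrivateKey
       format. However no such format is currently
       standardized or even exists.

       If you wish to use a private key that uses
       an ED25519 algorithm, you need to pick either
       the private-key-info-format or
       openssh-private-key-format identity.";
  }
  */

  identity private-key-info-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       as a PrivateKeyInfo structure (from RFC 5208).

       The expected header of the private key:
       -----BEGIN PRIVATE KEY-----
       The expected footer of the private key:
       -----END PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is represented by the
       SubjectPublicKeyInfo identity.";

    reference
      "RFC 5208: PKCS #8: Private-Key Information
       Syntax Specification Version 1.2";
  }

  identity openssh-private-key-format {
    base ct:private-key-format;
    description
      "Indicates that the private key is encoded
       in the OpenSSH format.

       The expected header of the private key:
       -----BEGIN OPENSSH PRIVATE KEY-----
       The expected footer of the private key:
       -----END OPENSSH PRIVATE KEY-----

       Supported private key algorithms to use with
       this format are: RSA, EC and ED25519.

       Commonly used public key format for this
       type of private key is either the
       SSH2 public key format (from RFC 4716)
       or the Public key format defined in RFC 4253,
       Section 6.6.";

    reference
      "The OpenSSH Private Key Format:
       https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key

       RFC 4716:
       The Secure Shell (SSH) Public Key File Format

       RFC 4253:
       The Secure Shell (SSH) Transport Layer Protocol";
  }

  // OpenSSH certificate public-key algorithms. These are not IANA-registered,
  // hence the vendor identities here rather than in iana-ssh-public-key-algs.
  identity openssh-ssh-ed25519-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-ED25519-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-512-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity openssh-rsa-sha2-256-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // ssh-rsa certificates are signed with SHA-1. OpenSSH disables this
  // algorithm by default (since 8.8); offer it only for legacy clients and
  // prefer the rsa-sha2-* certificate identities above.
  identity openssh-ssh-rsa-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-RSA-CERT-V01@OPENSSH.COM

       Uses SHA-1 signatures; kept for interoperability with
       legacy clients. Prefer RSA-SHA2-256/512 certificates.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  // ssh-dss is 1024-bit DSA with SHA-1; OpenSSH disables it by default
  // (since 7.0). Kept so existing configurations keep validating, not as a
  // recommendation.
  identity openssh-ssh-dss-cert-v01 {
    base sshpka:public-key-alg-base;
    description
      "SSH-DSS-CERT-V01@OPENSSH.COM

       Legacy DSA certificate algorithm (SHA-1, 1024-bit keys).
       Not recommended for new deployments.";
    reference
      "OpenSSH PROTOCOL.certkeys:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
  }

  identity libssh-curve25519-sha256 {
    base sshkea:key-exchange-alg-base;
    description
      "CURVE25519-SHA256@LIBSSH.ORG

       Pre-standardization name of the curve25519-sha256 key
       exchange; cryptographically equivalent to the IANA
       registered curve25519-sha256.";
    reference
      "curve25519-sha256@libssh.org specification:
       https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
  }

  // Authenticated-encryption (AEAD) ciphers. With these the MAC algorithm
  // negotiated separately is ignored by the SSH transport.
  identity openssh-chacha20-poly1305 {
    base sshea:encryption-alg-base;
    description
      "CHACHA20-POLY1305@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL.chacha20poly1305:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
  }

  identity openssh-aes256-gcm {
    base sshea:encryption-alg-base;
    description
      "AES256-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-aes128-gcm {
    base sshea:encryption-alg-base;
    description
      "AES128-GCM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL, Section 1.6:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // Encrypt-then-MAC variants: the MAC covers the ciphertext, so packets
  // are authenticated before decryption.
  identity openssh-hmac-sha2-256-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-256-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  identity openssh-hmac-sha2-512-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA2-512-ETM@OPENSSH.COM";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  // HMAC-SHA1 remains secure as a MAC, but SHA-1 is being phased out;
  // prefer the SHA-2 ETM MACs where clients support them.
  identity openssh-hmac-sha1-etm {
    base sshma:mac-alg-base;
    description
      "HMAC-SHA1-ETM@OPENSSH.COM

       Offered for interoperability; prefer the SHA-2 ETM MACs.";
    reference
      "OpenSSH PROTOCOL:
       https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
  }

  grouping ssh-authentication-params-grouping {
    description
      "Grouping for SSH authentication parameters. Both leaves
       bound the pre-authentication phase of a connection and
       therefore limit how long an unauthenticated peer can hold
       server resources.";

    leaf auth-attempts {
      type uint16;
      default 3;
      description
        "Represents the number of failed attempts before an authentication is deemed unsuccessful.
         After this many failures the connection is not authenticated; raising the value
         widens the window for password guessing.";
      // NOTE(review): the type admits 0; confirm how the server treats it
      // before documenting a meaning for that value.
    }

    leaf auth-timeout {
      type uint16;
      default 30;
      units "seconds";
      description
        "Represents the maximum amount of seconds an authentication can go on for.
         Connections that have not authenticated within this time are dropped.";
      // NOTE(review): as with auth-attempts, 0 is expressible here and its
      // semantics are not defined by this module.
    }
  }

  grouping keyboard-interactive-grouping {
    description
      "Grouping for the SSH Keyboard interactive authentication method.
       Prompts and credential checks are delegated to PAM using the
       named service configuration.";

    container keyboard-interactive {
      presence "Indicates that PAM configuration file name has been configured.
                This statement is present so the mandatory descendant
                nodes do not imply that this node must be
                configured.";
      description
        "Keyboard interactive SSH authentication method.";
      leaf pam-config-file-name {
        type string;
        mandatory true;
        description
          "Name of the PAM configuration file (PAM service name) that
           governs this user's keyboard-interactive authentication.";
      }
      leaf pam-config-file-dir {
        type string;
        description
          "Directory in which the PAM configuration file is looked up.
           The directory must be writable only by the administrator,
           since its contents decide how credentials are verified.";
        // NOTE(review): the module does not state what is used when this
        // leaf is absent (presumably the system PAM directory) — confirm
        // against the server implementation.
      }
    }
  }

  grouping endpoint-auth-reference-grouping {
    description
      "Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
       If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
       using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
       references another endpoint, the authentication will be tried again. However, this time
       using the referenced endpoint's mechanisms. The references can be
       multiple, however there must not be a cycle.";

    leaf endpoint-client-auth {
      type union {
        type leafref {
          path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
        }
        type leafref {
          path "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:name";
        }
      }
      description
        "Name of the listen or call-home endpoint whose client
         authentication configuration is consulted after this
         endpoint's own methods have failed. Referencing an endpoint
         effectively grants its users access to this endpoint as well.";
      // NOTE(review): the 'no cycle' rule above, and self-reference, are
      // not enforced by the leafref alone; the server is expected to
      // reject such configurations.
    }
  }

  grouping certificate-revocation-list-grouping {
    description
      "A grouping for the Certificate Revocation List, which is used
       to authenticate clients or to deny access for certain certificates.
       The given Certificate Revocation List must be PEM or DER encoded.

       A CRL protects only against presented certificates it lists; its
       own integrity rests on the CRL signature being verified against
       the issuing CA, not on the transport it was obtained over.";

    reference
      "RFC 5280:
       Internet X.509 Public Key Infrastructure Certificate
       and Certificate Revocation List (CRL) Profile";

    choice certificate-revocation-list {
      description
        "Exactly one source of revocation data: a fixed URL, a local
         file, or the CRL Distribution Points of the configured CAs.";

      leaf crl-url {
        type string;
        description
          "An URL from which the Certificate Revocation List will be
           downloaded and used. The HTTP protocol works, but other
           protocols, such as FTP, may work as well.

           The download happens over the network at validation time;
           an unreachable URL therefore affects client authentication.";
      }

      leaf crl-path {
        type string;
        description
          "A path to a Certificate Revocation List file. The file must
           be kept current by the operator; a stale CRL silently stops
           reflecting new revocations.";
      }

      leaf crl-cert-ext {
        type empty;
        description
          "Indicates that the Certificate Revocation List
           Distribution Points extension will be used to fetch
           Certificate Revocation Lists from. This will be done
           for all the configured Certificate Authority certificates.

           The fetch locations are taken from the CA certificates
           themselves, so they are trusted to the same degree as
           those CAs.";

        reference
          "RFC 5280:
           Internet X.509 Public Key Infrastructure Certificate
           and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
      }
    }
  }

  augment "/ncs:netconf-server" {
    leaf hello-timeout {
      type uint16;
      default 60;
      units "seconds";
      description
        "Represents the maximum number of seconds the server will wait for receiving a hello message.
         Bounds how long a transport-authenticated peer can occupy a
         session slot without completing NETCONF session setup.";
      // NOTE(review): unlike idle-timeout, no meaning is given for 0 here.
    }
  }

  augment "/ncs:netconf-server" {
    leaf idle-timeout {
      type uint16;
      default 0;
      units "seconds";
      description
        "Represents the maximum number of seconds a NETCONF session may remain idle. The value of 0 represents indefinitely.
         With the default, abandoned sessions are never reclaimed by the
         server; deployments that care about session lifetime should set
         a non-zero value.";
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses ssh-authentication-params-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
    uses keyboard-interactive-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
    case unix-socket {
      container unix-socket {
        description
          "Defines a new transport called UNIX socket.

           This transport carries no SSH/TLS layer: the only access
           control is the filesystem permission on the socket path
           (mode, uid, gid below), so those values decide who can open
           NETCONF sessions on this endpoint.";
        leaf path {
          type string;
          mandatory true;
          description
            "Filesystem path at which the listening socket is created.
             The parent directory should not be writable by untrusted
             users, or the socket can be replaced or pre-created.";
        }
        leaf mode {
          type string {
            pattern '[0124567]{3}';
          }
          description
            "Permission bits of the socket as three octal digits
             (owner, group, other), e.g. 660.";
          // NOTE(review): the pattern accepts digits 0,1,2,4,5,6,7 but not
          // 3 (-wx); confirm whether excluding it is intentional.
        }
        leaf uid {
          type uint16;
          description
            "Owner user ID applied to the socket after creation.";
        }
        leaf gid {
          type uint16;
          description
            "Owner group ID applied to the socket after creation.";
        }
        // NOTE(review): uid_t/gid_t are 32-bit on common platforms, so
        // uint16 cannot express IDs >= 65536 (e.g. directory-mapped
        // accounts). Widening the type also requires the server to read
        // the value as the wider type, so it is only flagged here.
      }
    }
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-auth-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
    uses endpoint-auth-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-auth-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses endpoint-auth-reference-grouping;
  }

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
  }

  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
    uses certificate-revocation-list-grouping;
  }
}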