netconfcentral logo

ietf-ssh-client@2017-10-30



  module ietf-ssh-client {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-ssh-client";

    prefix sshc;

    import ietf-ssh-common {
      prefix sshcmn;
      revision-date "2017-10-30";
      reference
        "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";


    }
    import ietf-netconf-acm {
      prefix nacm;
      reference
        "RFC 6536: Network Configuration Protocol (NETCONF) Access
        	  Control Model";


    }
    import ietf-keystore {
      prefix ks;
      reference
        "RFC YYYY: Keystore Model";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    Author:   Kent Watsen
              <mailto:kwatsen@juniper.net>

    Author:   Gary Wu
              <mailto:garywu@cisco.com>";

    description
      "This module defines a reusable grouping for a SSH client that
    can be used as a basis for specific SSH client instances.

    Copyright (c) 2017 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";

    revision "2017-10-30" {
      description "Initial version";
      reference
        "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";

    }


    feature ssh-client-transport-params-config {
      description
        "SSH transport layer parameters are configurable on an SSH
       client.";
    }

    grouping ssh-client-grouping {
      description
        "A reusable grouping for configuring a SSH client without
       any consideration for how an underlying TCP session is
       established.";
      container client-identity {
        description
          "The credentials used by the client to authenticate to
         the SSH server.";
        leaf username {
          type string;
          description
            "The username of this user.  This will be the username
           used, for instance, to log into an SSH server.";
        }

        choice auth-type {
          mandatory true;
          description
            "The authentication type.";
          container certificate {
            if-feature sshcmn:ssh-x509-certs;
            description
              "A certificates to be used for client authentication.";
            uses ks:private-key-grouping;

            uses ks:certificate-grouping;
          }  // container certificate
          container public-key {
            description
              "A public key to be used for client authentication.";
            uses ks:private-key-grouping;
          }  // container public-key
          leaf password {
            nacm:default-deny-all;
            type string;
            description
              "A password to be used for client authentication.";
          }
        }  // choice auth-type
      }  // container client-identity

      container server-auth {
        must
          'pinned-ssh-host-keys or pinned-ca-certs or '
            + 'pinned-server-certs';
        description
          "Trusted server identities.";
        leaf pinned-ssh-host-keys {
          type ks:pinned-host-keys;
          description
            "A reference to a list of SSH host keys used by the
           SSH client to authenticate SSH server host keys.
           A server host key is authenticated if it is an exact
           match to a configured SSH host key.";
        }

        leaf pinned-ca-certs {
          if-feature sshcmn:ssh-x509-certs;
          type ks:pinned-certificates;
          description
            "A reference to a list of certificate authority (CA)
           certificates used by the SSH client to authenticate
           SSH server certificates.  A server certificate is
           authenticated if it has a valid chain of trust to
           a configured CA certificate.";
        }

        leaf pinned-server-certs {
          if-feature sshcmn:ssh-x509-certs;
          type ks:pinned-certificates;
          description
            "A reference to a list of server certificates used by
           the SSH client to authenticate SSH server certificates.
           A server certificate is authenticated if it is an
           exact match to a configured server certificate.";
        }
      }  // container server-auth

      container transport-params {
        if-feature ssh-client-transport-params-config;
        description
          "Configurable parameters of the SSH transport layer.";
        uses sshcmn:transport-params-grouping;
      }  // container transport-params
    }  // grouping ssh-client-grouping
  }  // module ietf-ssh-client