netconfcentral logo

ietf-ssh-common@2017-10-30



  module ietf-ssh-common {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-ssh-common";

    prefix sshcmn;

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>
    Author:   Kent Watsen
              <mailto:kwatsen@juniper.net>

    Author:   Gary Wu
              <mailto:garywu@cisco.com>";

    description
      "This module defines a common features, identities, and groupings
    for Secure Shell (SSH).

    Copyright (c) 2017 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";

    revision "2017-10-30" {
      description "Initial version";
      reference
        "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";

    }


    feature ssh-ecc {
      description
        "Elliptic Curve Cryptography is supported for SSH.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    feature ssh-x509-certs {
      description
        "X.509v3 certificates are supported for SSH as per RFC 6187.";
      reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
        	  Authentication";

    }

    feature ssh-dh-group-exchange {
      description
        "Diffie-Hellman Group Exchange is supported for SSH.";
      reference
        "RFC 4419: Diffie-Hellman Group Exchange for the
        	  Secure Shell (SSH) Transport Layer Protocol";

    }

    feature ssh-ctr {
      description
        "SDCTR encryption mode is supported for SSH.";
      reference
        "RFC 4344: The Secure Shell (SSH) Transport Layer
        	  Encryption Modes";

    }

    feature ssh-sha2 {
      description
        "The SHA2 family of cryptographic hash functions is supported
       for SSH.";
      reference
        "FIPS PUB 180-4: Secure Hash Standard (SHS)";

    }

    identity public-key-alg-base {
      base 
      description
        "Base identity used to identify public key algorithms.";
    }

    identity ssh-dss {
      base public-key-alg-base;
      description
        "Digital Signature Algorithm using SHA-1 as the hashing
       algorithm.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity ssh-rsa {
      base public-key-alg-base;
      description
        "RSASSA-PKCS1-v1_5 signature scheme using SHA-1 as the hashing
       algorithm.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity ecdsa-sha2-nistp256 {
      base public-key-alg-base;
      description
        "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp256 curve and the SHA2 family of hashing algorithms.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    identity ecdsa-sha2-nistp384 {
      base public-key-alg-base;
      description
        "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp384 curve and the SHA2 family of hashing algorithms.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    identity ecdsa-sha2-nistp521 {
      base public-key-alg-base;
      description
        "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp521 curve and the SHA2 family of hashing algorithms.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    identity x509v3-ssh-rsa {
      base public-key-alg-base;
      description
        "RSASSA-PKCS1-v1_5 signature scheme using a public key stored
       in an X.509v3 certificate and using SHA-1 as the hashing
       algorithm.";
      reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
        	  Authentication";

    }

    identity x509v3-rsa2048-sha256 {
      base public-key-alg-base;
      description
        "RSASSA-PKCS1-v1_5 signature scheme using a public key stored
       in an X.509v3 certificate and using SHA-256 as the hashing
       algorithm.  RSA keys conveyed using this format MUST have a
       modulus of at least 2048 bits.";
      reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
        	  Authentication";

    }

    identity x509v3-ecdsa-sha2-nistp256 {
      base public-key-alg-base;
      description
        "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp256 curve with a public key stored in an X.509v3
       certificate and using the SHA2 family of hashing algorithms.";
      reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
        	  Authentication";

    }

    identity x509v3-ecdsa-sha2-nistp384 {
      base public-key-alg-base;
      description
        "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp384 curve with a public key stored in an X.509v3
       certificate and using the SHA2 family of hashing algorithms.";
      reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
        	  Authentication";

    }

    identity x509v3-ecdsa-sha2-nistp521 {
      base public-key-alg-base;
      description
        "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp521 curve with a public key stored in an X.509v3
       certificate and using the SHA2 family of hashing algorithms.";
      reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
        	  Authentication";

    }

    identity key-exchange-alg-base {
      base 
      description
        "Base identity used to identify key exchange algorithms.";
    }

    identity diffie-hellman-group14-sha1 {
      base key-exchange-alg-base;
      description
        "Diffie-Hellman key exchange with SHA-1 as HASH and
       Oakley Group 14 (2048-bit MODP Group).";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity diffie-hellman-group-exchange-sha1 {
      base key-exchange-alg-base;
      description
        "Diffie-Hellman Group and Key Exchange with SHA-1 as HASH.";
      reference
        "RFC 4419: Diffie-Hellman Group Exchange for the
        	  Secure Shell (SSH) Transport Layer Protocol";

    }

    identity diffie-hellman-group-exchange-sha256 {
      base key-exchange-alg-base;
      description
        "Diffie-Hellman Group and Key Exchange with SHA-256 as HASH.";
      reference
        "RFC 4419: Diffie-Hellman Group Exchange for the
        	  Secure Shell (SSH) Transport Layer Protocol";

    }

    identity ecdh-sha2-nistp256 {
      base key-exchange-alg-base;
      description
        "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
       nistp256 curve and the SHA2 family of hashing algorithms.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    identity ecdh-sha2-nistp384 {
      base key-exchange-alg-base;
      description
        "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
       nistp384 curve and the SHA2 family of hashing algorithms.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    identity ecdh-sha2-nistp521 {
      base key-exchange-alg-base;
      description
        "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
       nistp521 curve and the SHA2 family of hashing algorithms.";
      reference
        "RFC 5656: Elliptic Curve Algorithm Integration in the
        	  Secure Shell Transport Layer";

    }

    identity encryption-alg-base {
      base 
      description
        "Base identity used to identify encryption algorithms.";
    }

    identity triple-des-cbc {
      base encryption-alg-base;
      description
        "Three-key 3DES in CBC mode.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity aes128-cbc {
      base encryption-alg-base;
      description
        "AES in CBC mode, with a 128-bit key.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity aes192-cbc {
      base encryption-alg-base;
      description
        "AES in CBC mode, with a 192-bit key.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity aes256-cbc {
      base encryption-alg-base;
      description
        "AES in CBC mode, with a 256-bit key.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity aes128-ctr {
      base encryption-alg-base;
      description
        "AES in SDCTR mode, with 128-bit key.";
      reference
        "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
        	  Modes";

    }

    identity aes192-ctr {
      base encryption-alg-base;
      description
        "AES in SDCTR mode, with 192-bit key.";
      reference
        "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
        	  Modes";

    }

    identity aes256-ctr {
      base encryption-alg-base;
      description
        "AES in SDCTR mode, with 256-bit key.";
      reference
        "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
          Modes";

    }

    identity mac-alg-base {
      base 
      description
        "Base identity used to identify message authentication
       code (MAC) algorithms.";
    }

    identity hmac-sha1 {
      base mac-alg-base;
      description "HMAC-SHA1";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

    }

    identity hmac-sha2-256 {
      base mac-alg-base;
      description "HMAC-SHA2-256";
      reference
        "RFC 6668: SHA-2 Data Integrity Verification for the
        	  Secure Shell (SSH) Transport Layer Protocol";

    }

    identity hmac-sha2-512 {
      base mac-alg-base;
      description "HMAC-SHA2-512";
      reference
        "RFC 6668: SHA-2 Data Integrity Verification for the
        	  Secure Shell (SSH) Transport Layer Protocol";

    }

    grouping transport-params-grouping {
      description
        "A reusable grouping for SSH transport parameters.";
      reference
        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

      container host-key {
        description
          "Parameters regarding host key.";
        leaf-list host-key-alg {
          type identityref {
            base public-key-alg-base;
          }
          ordered-by user;
          description
            "Acceptable host key algorithms in order of descending
           preference.

           If this leaf-list is not configured (has zero elements)
           the acceptable host key algorithms are implementation-
           defined.";
        }
      }  // container host-key

      container key-exchange {
        description
          "Parameters regarding key exchange.";
        leaf-list key-exchange-alg {
          type identityref {
            base key-exchange-alg-base;
          }
          ordered-by user;
          description
            "Acceptable key exchange algorithms in order of descending
           preference.

           If this leaf-list is not configured (has zero elements)
           the acceptable key exchange algorithms are implementation-
           defined.";
        }
      }  // container key-exchange

      container encryption {
        description
          "Parameters regarding encryption.";
        leaf-list encryption-alg {
          type identityref {
            base encryption-alg-base;
          }
          ordered-by user;
          description
            "Acceptable encryption algorithms in order of descending
           preference.

           If this leaf-list is not configured (has zero elements)
           the acceptable encryption algorithms are implementation-
           defined.";
        }
      }  // container encryption

      container mac {
        description
          "Parameters regarding message authentication code (MAC).";
        leaf-list mac-alg {
          type identityref {
            base mac-alg-base;
          }
          ordered-by user;
          description
            "Acceptable MAC algorithms in order of descending
           preference.

           If this leaf-list is not configured (has zero elements)
           the acceptable MAC algorithms are implementation-
           defined.";
        }
      }  // container mac
    }  // grouping transport-params-grouping
  }  // module ietf-ssh-common