netconfcentral logo

ietf-ssh-server@2017-10-30



  module ietf-ssh-server {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-ssh-server";

    prefix sshs;

    import ietf-ssh-common {
      prefix sshcmn;
      revision-date "2017-10-30";
      reference
        "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";


    }
    import ietf-keystore {
      prefix ks;
      reference
        "RFC YYYY: Keystore Model";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    Author:   Kent Watsen
              <mailto:kwatsen@juniper.net>
    Author:   Gary Wu
              <mailto:garywu@cisco.com>";

    description
      "This module defines a reusable grouping for a SSH server that
    can be used as a basis for specific SSH server instances.

    Copyright (c) 2017 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";

    revision "2017-10-30" {
      description "Initial version";
      reference
        "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";

    }


    feature ssh-server-transport-params-config {
      description
        "SSH transport layer parameters are configurable on an SSH
       server.";
    }

    grouping ssh-server-grouping {
      description
        "A reusable grouping for configuring a SSH server without
       any consideration for how underlying TCP sessions are
       established.";
      container server-identity {
        description
          "The list of host-keys the SSH server will present when
         establishing a SSH connection.";
        list host-key {
          key "name";
          min-elements 1;
          ordered-by user;
          description
            "An ordered list of host keys the SSH server will use to
           construct its ordered list of algorithms, when sending
           its SSH_MSG_KEXINIT message, as defined in Section 7.1
           of RFC 4253.";
          reference
            "RFC 4253: The Secure Shell (SSH) Transport Layer
            	  Protocol";

          leaf name {
            type string;
            description
              "An arbitrary name for this host-key";
          }

          choice host-key-type {
            mandatory true;
            description
              "The type of host key being specified";
            container public-key {
              description
                "The SSH server uses a public-key for its host key.";
              uses ks:private-key-grouping;
            }  // container public-key
            container certificate {
              if-feature sshcmn:ssh-x509-certs;
              description
                "The SSH server uses a certificate for its host key.";
              uses ks:private-key-grouping;

              uses ks:certificate-grouping;
            }  // container certificate
          }  // choice host-key-type
        }  // list host-key
      }  // container server-identity

      container client-cert-auth {
        if-feature sshcmn:ssh-x509-certs;
        description
          "A reference to a list of pinned certificate authority (CA)
         certificates and a reference to a list of pinned client
         certificates.";
        leaf pinned-ca-certs {
          type ks:pinned-certificates;
          description
            "A reference to a list of certificate authority (CA)
           certificates used by the SSH server to authenticate
           SSH client certificates.  A client certificate is
           authenticated if it has a valid chain of trust to
           a configured pinned CA certificate.";
        }

        leaf pinned-client-certs {
          type ks:pinned-certificates;
          description
            "A reference to a list of client certificates used by
           the SSH server to authenticate SSH client certificates.
           A clients certificate is authenticated if it is an
           exact match to a configured pinned client certificate.";
        }
      }  // container client-cert-auth

      container transport-params {
        if-feature ssh-server-transport-params-config;
        description
          "Configurable parameters of the SSH transport layer.";
        uses sshcmn:transport-params-grouping;
      }  // container transport-params
    }  // grouping ssh-server-grouping
  }  // module ietf-ssh-server