| ietf-ssh-client@2024-03-16.yang | ietf-ssh-client@2024-03-16.formatted.yang | |||
|---|---|---|---|---|
| skipping to change at line 141 ¶ | skipping to change at line 135 ¶ | |||
| established. | established. | |||
| Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
| node names such that a nesting of 'uses' statements will | node names such that a nesting of 'uses' statements will | |||
| have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
| data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
| the 'uses' statement in a container called | the 'uses' statement in a container called | |||
| 'ssh-client-parameters'). This model purposely does | 'ssh-client-parameters'). This model purposely does | |||
| not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
| to consuming models."; | to consuming models."; | |||
| container client-identity { | container client-identity { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| description | description | |||
| "The username and authentication methods for the client. | "The username and authentication methods for the client. | |||
| The authentication methods are unordered. Clients may | The authentication methods are unordered. Clients may | |||
| initially send any configured method or, per Section 5.2 of | initially send any configured method or, per Section 5.2 of | |||
| RFC 4252, send the 'none' method to prompt the server | RFC 4252, send the 'none' method to prompt the server | |||
| to provide a list of productive methods. Whenever a | to provide a list of productive methods. Whenever a | |||
| choice amongst methods arises, implementations SHOULD | choice amongst methods arises, implementations SHOULD | |||
| use a default ordering that prioritizes automation | use a default ordering that prioritizes automation | |||
| over human interaction."; | over human interaction."; | |||
| leaf username { | leaf username { | |||
| type string; | type string; | |||
| description | description | |||
| "The username of this user. This will be the username | "The username of this user. This will be the username | |||
| used, for instance, to log into an SSH server."; | used, for instance, to log into an SSH server."; | |||
| } | } | |||
| container public-key { | container public-key { | |||
| if-feature "client-ident-publickey"; | if-feature "client-ident-publickey"; | |||
| presence | presence "Indicates that public-key-based authentication has been | |||
| "Indicates that public-key-based authentication has been | configured. This statement is present so the mandatory | |||
| configured. This statement is present so the mandatory | descendant nodes do not imply that this node must be | |||
| descendant nodes do not imply that this node must be | configured."; | |||
| configured."; | ||||
| description | description | |||
| "A locally defined or referenced asymmetric key | "A locally defined or referenced asymmetric key | |||
| pair to be used for client identification."; | pair to be used for client identification."; | |||
| reference | reference | |||
| "RFC 9642: A YANG Data Model for a Keystore and Keystore | "RFC 9642: A YANG Data Model for a Keystore and Keystore | |||
| Operations"; | Operations"; | |||
| uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
| refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
| must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
| + '(public-key-format, "ct:ssh-public-key-format")'; | + '(public-key-format, "ct:ssh-public-key-format")'; | |||
| skipping to change at line 187 ¶ | skipping to change at line 179 ¶ | |||
| refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
| + "central-keystore-reference" { | + "central-keystore-reference" { | |||
| must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
| + 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
| + '"ct:ssh-public-key-format")'; | + '"ct:ssh-public-key-format")'; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| container password { | container password { | |||
| if-feature "client-ident-password"; | if-feature "client-ident-password"; | |||
| presence | presence "Indicates that password-based authentication has been | |||
| "Indicates that password-based authentication has been | configured. This statement is present so the mandatory | |||
| configured. This statement is present so the mandatory | descendant nodes do not imply that this node must be | |||
| descendant nodes do not imply that this node must be | configured."; | |||
| configured."; | ||||
| description | description | |||
| "A password to be used to authenticate the client's | "A password to be used to authenticate the client's | |||
| identity."; | identity."; | |||
| uses ct:password-grouping; | uses ct:password-grouping; | |||
| } | } | |||
| container hostbased { | container hostbased { | |||
| if-feature "client-ident-hostbased"; | if-feature "client-ident-hostbased"; | |||
| presence | presence "Indicates that host-based authentication is configured. | |||
| "Indicates that host-based authentication is configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply that this node must be configured."; | |||
| nodes do not imply that this node must be configured."; | ||||
| description | description | |||
| "A locally defined or referenced asymmetric key | "A locally defined or referenced asymmetric key | |||
| pair to be used for host identification."; | pair to be used for host identification."; | |||
| reference | reference | |||
| "RFC 9642: A YANG Data Model for a Keystore and Keystore | "RFC 9642: A YANG Data Model for a Keystore and Keystore | |||
| Operations"; | Operations"; | |||
| uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
| refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
| must 'not(public-key-format) or derived-from-or-self(' | must 'not(public-key-format) or derived-from-or-self(' | |||
| + 'public-key-format, "ct:ssh-public-key-format")'; | + 'public-key-format, "ct:ssh-public-key-format")'; | |||
| skipping to change at line 231 ¶ | skipping to change at line 221 ¶ | |||
| } | } | |||
| leaf none { | leaf none { | |||
| if-feature "client-ident-none"; | if-feature "client-ident-none"; | |||
| type empty; | type empty; | |||
| description | description | |||
| "Indicates that the 'none' algorithm is used for client | "Indicates that the 'none' algorithm is used for client | |||
| identification."; | identification."; | |||
| } | } | |||
| container certificate { | container certificate { | |||
| if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
| presence | presence "Indicates that certificate-based authentication has been | |||
| "Indicates that certificate-based authentication has been | configured. This statement is present so the mandatory | |||
| configured. This statement is present so the mandatory | descendant nodes do not imply that this node must be | |||
| descendant nodes do not imply that this node must be | configured."; | |||
| configured."; | ||||
| description | description | |||
| "A locally defined or referenced certificate | "A locally defined or referenced certificate | |||
| to be used for client identification."; | to be used for client identification."; | |||
| reference | reference | |||
| "RFC 9642: A YANG Data Model for a Keystore and Keystore | "RFC 9642: A YANG Data Model for a Keystore and Keystore | |||
| Operations"; | Operations"; | |||
| uses | uses ks:inline-or-keystore-end-entity-cert-with-key-grouping { | |||
| ks:inline-or-keystore-end-entity-cert-with-key-grouping { | ||||
| refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
| must 'not(public-key-format) or derived-from-or-self(' | must 'not(public-key-format) or derived-from-or-self(' | |||
| + 'public-key-format, "ct:subject-public-key-info-' | + 'public-key-format, "ct:subject-public-key-info-' | |||
| + 'format")'; | + 'format")'; | |||
| } | } | |||
| refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
| + "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
| must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
| + 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
| + '"ct:subject-public-key-info-format")'; | + '"ct:subject-public-key-info-format")'; | |||
| skipping to change at line 258 ¶ | skipping to change at line 246 ¶ | |||
| } | } | |||
| refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
| + "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
| must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
| + 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
| + '"ct:subject-public-key-info-format")'; | + '"ct:subject-public-key-info-format")'; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } // container client-identity | } // container client-identity | |||
| container server-authentication { | container server-authentication { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| must 'ssh-host-keys or ca-certs or ee-certs'; | must 'ssh-host-keys or ca-certs or ee-certs'; | |||
| description | description | |||
| "Specifies how the SSH client can authenticate SSH servers. | "Specifies how the SSH client can authenticate SSH servers. | |||
| Any combination of authentication methods is additive and | Any combination of authentication methods is additive and | |||
| unordered."; | unordered."; | |||
| container ssh-host-keys { | container ssh-host-keys { | |||
| presence | presence "Indicates that the SSH host key have been configured. | |||
| "Indicates that the SSH host key have been configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply that this node must be configured."; | |||
| nodes do not imply that this node must be configured."; | ||||
| description | description | |||
| "A bag of SSH host keys used by the SSH client to | "A bag of SSH host keys used by the SSH client to | |||
| authenticate SSH server host keys. A server host key | authenticate SSH server host keys. A server host key | |||
| is authenticated if it is an exact match to a | is authenticated if it is an exact match to a | |||
| configured SSH host key."; | configured SSH host key."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
| refine | refine "inline-or-truststore/inline/inline-definition/public" | |||
| "inline-or-truststore/inline/inline-definition/public" | + "-key" { | |||
| + "-key" { | ||||
| must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
| + ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
| } | } | |||
| refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
| + "central-truststore-reference" { | + "central-truststore-reference" { | |||
| must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
| + 'format[not(derived-from-or-self(., "ct:ssh-' | + 'format[not(derived-from-or-self(., "ct:ssh-' | |||
| + 'public-key-format"))])'; | + 'public-key-format"))])'; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| container ca-certs { | container ca-certs { | |||
| if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
| presence | presence "Indicates that the CA certificates have been configured. | |||
| "Indicates that the CA certificates have been configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply that this node must be configured."; | |||
| nodes do not imply that this node must be configured."; | ||||
| description | description | |||
| "A set of certificate authority (CA) certificates used by | "A set of certificate authority (CA) certificates used by | |||
| the SSH client to authenticate SSH servers. A server | the SSH client to authenticate SSH servers. A server | |||
| is authenticated if its certificate has a valid chain | is authenticated if its certificate has a valid chain | |||
| of trust to a configured CA certificate."; | of trust to a configured CA certificate."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
| } | } | |||
| container ee-certs { | container ee-certs { | |||
| if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
| presence | presence "Indicates that the EE certificates have been configured. | |||
| "Indicates that the EE certificates have been configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply that this node must be configured."; | |||
| nodes do not imply that this node must be configured."; | ||||
| description | description | |||
| "A set of end-entity (EE) certificates used by the SSH | "A set of end-entity (EE) certificates used by the SSH | |||
| client to authenticate SSH servers. A server is | client to authenticate SSH servers. A server is | |||
| authenticated if its certificate is an exact match to a | authenticated if its certificate is an exact match to a | |||
| configured end-entity certificate."; | configured end-entity certificate."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
| } | } | |||
| } // container server-authentication | } // container server-authentication | |||
| skipping to change at line 324 ¶ | skipping to change at line 307 ¶ | |||
| description | description | |||
| "A set of end-entity (EE) certificates used by the SSH | "A set of end-entity (EE) certificates used by the SSH | |||
| client to authenticate SSH servers. A server is | client to authenticate SSH servers. A server is | |||
| authenticated if its certificate is an exact match to a | authenticated if its certificate is an exact match to a | |||
| configured end-entity certificate."; | configured end-entity certificate."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
| } | } | |||
| } // container server-authentication | } // container server-authentication | |||
| container transport-params { | container transport-params { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| if-feature "sshcmn:transport-params"; | if-feature "sshcmn:transport-params"; | |||
| description | description | |||
| "Configurable parameters of the SSH transport layer."; | "Configurable parameters of the SSH transport layer."; | |||
| uses sshcmn:transport-params-grouping; | uses sshcmn:transport-params-grouping; | |||
| } // container transport-parameters | } // container transport-parameters | |||
| container keepalives { | container keepalives { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| if-feature "ssh-client-keepalives"; | if-feature "ssh-client-keepalives"; | |||
| presence | presence "Indicates that the SSH client proactively tests the | |||
| "Indicates that the SSH client proactively tests the | aliveness of the remote SSH server."; | |||
| aliveness of the remote SSH server."; | ||||
| description | description | |||
| "Configures the keep-alive policy to proactively test | "Configures the keep-alive policy to proactively test | |||
| the aliveness of the SSH server. An unresponsive SSH | the aliveness of the SSH server. An unresponsive SSH | |||
| server is dropped after approximately max-wait * | server is dropped after approximately max-wait * | |||
| max-attempts seconds. Per Section 4 of RFC 4254, | max-attempts seconds. Per Section 4 of RFC 4254, | |||
| the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST | the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST | |||
| message with a purposely nonexistent 'request name' | message with a purposely nonexistent 'request name' | |||
| value (e.g., keepalive@ietf.org) and the 'want reply' | value (e.g., keepalive@ietf.org) and the 'want reply' | |||
| value set to '1'."; | value set to '1'."; | |||
| reference | reference | |||
| End of changes. 14 change blocks. | ||||
| 43 lines changed or deleted | 29 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||