module ietf-ssh-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
prefix sshcmn;
import ietf-crypto-types {
prefix ct;
reference
"RFC 9640: YANG Data Types and Groupings for Cryptography";
}
import ietf-keystore {
prefix ks;
reference
"RFC 9642: A YANG Data Model for a Keystore";
}
import iana-ssh-encryption-algs {
prefix sshea;
reference
"RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
import iana-ssh-key-exchange-algs {
prefix sshkea;
reference
"RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
import iana-ssh-mac-algs {
prefix sshma;
reference
"RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
import iana-ssh-public-key-algs {
prefix sshpka;
reference
"RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
WG List: NETCONF WG list <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Gary Wu <mailto:garywu@cisco.com>";
description
"This module defines common features and groupings for
Secure Shell (SSH).
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 9644
(https://www.rfc-editor.org/info/rfc9644); see the RFC
itself for full legal notices.";
revision 2024-10-10 {
description
"Initial version.";
reference
"RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
// Features
feature ssh-x509-certs {
description
"X.509v3 certificates are supported for SSH.";
reference
"RFC 6187: X.509v3 Certificates for Secure Shell
Authentication";
}
feature transport-params {
description
"SSH transport layer parameters are configurable.";
}
feature asymmetric-key-pair-generation {
description
"Indicates that the server implements the
'generate-asymmetric-key-pair' RPC.";
}
feature algorithm-discovery {
description
"Indicates that the server implements the
'supported-algorithms' container.";
}
// Typedefs
typedef ssh-public-key-algorithm {
type union {
type sshpka:ssh-public-key-algorithm;
type string {
length "1..64" {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC
4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
pattern '.*@.*' {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC
4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
}
}
description
"A type that enables the public key algorithm to be
either an IANA-maintained public key algorithm in
the 'iana-ssh-public-key-algs' YANG module (RFC 9644)
or a locally defined algorithm, per Section 4.6.1
of RFC 4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
typedef ssh-key-exchange-algorithm {
type union {
type sshkea:ssh-key-exchange-algorithm;
type string {
length "1..64" {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC 4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
pattern '.*@.*' {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC 4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
}
}
description
"A type that enables the key exchange algorithm to be
either an IANA-maintained key exchange algorithm in
the 'iana-ssh-key-exchange-algs' YANG module (RFC 9644)
or a locally defined algorithm, per Section 4.6.1
of RFC 4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
typedef ssh-encryption-algorithm {
type union {
type sshea:ssh-encryption-algorithm;
type string {
length "1..64" {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC
4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
pattern '.*@.*' {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC
4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
}
}
description
"A type that enables the encryption algorithm to be
either an IANA-maintained encryption algorithm in
the 'iana-ssh-encryption-algs' YANG module (RFC 9644)
or a locally defined algorithm, per Section 4.6.1
of RFC 4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
typedef ssh-mac-algorithm {
type union {
type sshma:ssh-mac-algorithm;
type string {
length "1..64" {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC
4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
pattern '.*@.*' {
description
"Non-IANA-maintained algorithms must include the
at sign (@) in them, per Section 4.6.1 of RFC
4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned
Numbers";
}
}
}
description
"A type that enables the message authentication code (MAC)
algorithm to be either an IANA-maintained MAC algorithm
in the 'iana-ssh-mac-algs' YANG module (RFC 9644)
or a locally defined algorithm, per Section 4.6.1
of RFC 4250.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
// Groupings
grouping transport-params-grouping {
description
"A reusable grouping for SSH transport parameters.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
container host-key {
description
"Parameters regarding host key.";
leaf-list host-key-alg {
type ssh-public-key-algorithm;
ordered-by user;
description
"Acceptable host key algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero
elements), the acceptable host key algorithms are
implementation-defined.";
reference
"RFC 9644: YANG Groupings for SSH Clients and SSH Servers";
}
}
container key-exchange {
description
"Parameters regarding key exchange.";
leaf-list key-exchange-alg {
type ssh-key-exchange-algorithm;
ordered-by user;
description
"Acceptable key exchange algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero
elements), the acceptable key exchange algorithms are
implementation-defined.";
}
}
container encryption {
description
"Parameters regarding encryption.";
leaf-list encryption-alg {
type ssh-encryption-algorithm;
ordered-by user;
description
"Acceptable encryption algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero
elements), the acceptable encryption algorithms are
implementation-defined.";
}
}
container mac {
description
"Parameters regarding message authentication code (MAC).";
leaf-list mac-alg {
type ssh-mac-algorithm;
ordered-by user;
description
"Acceptable MAC algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero
elements), the acceptable MAC algorithms are
implementation-defined.";
}
}
}
// Protocol-accessible Nodes
container supported-algorithms {
if-feature "algorithm-discovery";
config false;
description
"Identifies all of the supported algorithms.";
container public-key-algorithms {
description
"A container for a list of public key algorithms
supported by the server.";
leaf-list supported-algorithm {
type ssh-public-key-algorithm;
description
"A public key algorithm supported by the server.";
}
}
container encryption-algorithms {
description
"A container for a list of encryption algorithms
supported by the server.";
leaf-list supported-algorithm {
type ssh-encryption-algorithm;
description
"An encryption algorithm supported by the server.";
}
}
container key-exchange-algorithms {
config false;
description
"A container for a list of key exchange algorithms
supported by the server.";
leaf-list supported-algorithm {
type ssh-key-exchange-algorithm;
description
"A key exchange algorithm supported by the server.";
}
}
container mac-algorithms {
config false;
description
"A container for a list of MAC algorithms
supported by the server.";
leaf-list supported-algorithm {
type ssh-mac-algorithm;
description
"A MAC algorithm supported by the server.";
}
}
}
rpc generate-asymmetric-key-pair {
if-feature "asymmetric-key-pair-generation";
description
"Requests the device to generate a public key using
the specified key algorithm.";
input {
leaf algorithm {
type ssh-public-key-algorithm;
mandatory true;
description
"The algorithm to be used when generating the key.";
}
leaf num-bits {
type uint16;
description
"Specifies the number of bits in the key to create.
For RSA keys, the minimum size is 1024 bits and
the default is 3072 bits. Generally, 3072 bits is
considered sufficient. DSA keys must be exactly 1024
bits, as specified by FIPS 186-5. For Elliptic Curve
Digital Signature Algorithm (ECDSA) keys, the
'num-bits' value determines the key length by selecting
from one of three elliptic curve sizes: 256, 384, or
521 bits. Attempting to use bit lengths other than
these three values for ECDSA keys will fail. ECDSA-SK,
Ed25519, and Ed25519-SK keys have a fixed length, and
thus, the 'num-bits' value is not specified.";
reference
"FIPS 186-5: Digital Signature Standard (DSS)";
}
container private-key-encoding {
description
"Indicates how the private key is to be encoded.";
choice private-key-encoding {
mandatory true;
description
"A choice amongst optional private key handling.";
case cleartext {
if-feature "ct:cleartext-private-keys";
leaf cleartext {
type empty;
description
"Indicates that the private key is to be returned
as a cleartext value.";
}
}
case encrypted {
if-feature "ct:encrypted-private-keys";
container encrypted {
description
"Indicates that the private key is to be encrypted
using the specified symmetric or asymmetric key.";
uses ks:encrypted-by-grouping;
}
}
case hidden {
if-feature "ct:hidden-private-keys";
leaf hidden {
type empty;
description
"Indicates that the private key is to be hidden.
Unlike the 'cleartext' and 'encrypt' options, the
key returned is a placeholder for an internally
stored key. See the 'Support for Built-in Keys'
section in RFC 9642 for information about hidden
keys.
It is expected that the server will instantiate
the hidden key in the same location where built-in
keys are located. Rather than returning the key,
just the key's location is returned in the output.";
}
}
}
}
}
output {
choice key-or-hidden {
case key {
uses ct:asymmetric-key-pair-grouping;
}
case hidden {
leaf location {
type instance-identifier;
description
"The location to where a hidden key was created.";
}
}
description
"The output can be either a key (for cleartext and
encrypted keys) or the location to where the key
was created (for hidden keys).";
}
}
} // end generate-asymmetric-key-pair
}