module ietf-ssh-client {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
prefix sshc;
import ietf-ssh-common {
prefix sshcmn;
revision-date 2019-03-09; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
}
import ietf-trust-anchors {
prefix ta;
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
import ietf-keystore {
prefix ks;
reference
"RFC ZZZZ:
YANG Data Model for a Centralized Keystore Mechanism";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
Author: Gary Wu ";
description
"This module defines reusable groupings for SSH clients that
can be used as a basis for specific SSH client instances.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision 2019-03-09 {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
}
// Features
feature ssh-client-transport-params-config {
description
"SSH transport layer parameters are configurable on an SSH
client.";
}
feature ssh-client-keepalives {
description
"Per socket SSH keepalive parameters are configurable for
SSH clients on the server implementing this feature.";
}
// Groupings
grouping ssh-client-grouping {
description
"A reusable grouping for configuring a SSH client without
any consideration for how an underlying TCP session is
established.";
uses client-identity-grouping;
uses server-auth-grouping;
uses transport-params-grouping;
uses keepalives-grouping;
}
grouping client-identity-grouping {
description
"A reusable grouping for configuring a SSH client identity.";
container ssh-client-identity {
description
"The credentials used by the client to authenticate to
the SSH server.";
leaf username {
type string;
description
"The username of this user. This will be the username
used, for instance, to log into an SSH server.";
}
choice auth-type {
mandatory true;
description
"The authentication type.";
leaf password {
type string;
description
"A password to be used for client authentication.";
}
container public-key {
uses ks:local-or-keystore-asymmetric-key-grouping;
description
"A locally-defined or referenced asymmetric key pair
to be used for client authentication.";
reference
"RFC ZZZZ:
YANG Data Model for a Centralized Keystore Mechanism";
}
container certificate {
if-feature "sshcmn:ssh-x509-certs";
uses
ks:local-or-keystore-end-entity-cert-with-key-grouping;
description
"A locally-defined or referenced certificate
to be used for client authentication.";
reference
"RFC ZZZZ
YANG Data Model for a Centralized Keystore Mechanism";
}
}
}
}
grouping server-auth-grouping {
description
"A reusable grouping for configuring SSH server
authentication.";
container ssh-server-auth {
must 'pinned-ssh-host-keys or pinned-ca-certs or '
+ 'pinned-server-certs';
description
"Trusted server identities.";
leaf pinned-ssh-host-keys {
if-feature "ta:ssh-host-keys";
type ta:pinned-host-keys-ref;
description
"A reference to a list of SSH host keys used by the
SSH client to authenticate SSH server host keys.
A server host key is authenticated if it is an exact
match to a configured SSH host key.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
leaf pinned-ca-certs {
if-feature "sshcmn:ssh-x509-certs";
if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref;
description
"A reference to a list of certificate authority (CA)
certificates used by the SSH client to authenticate
SSH server certificates. A server certificate is
authenticated if it has a valid chain of trust to
a configured CA certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
leaf pinned-server-certs {
if-feature "sshcmn:ssh-x509-certs";
if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref;
description
"A reference to a list of server certificates used by
the SSH client to authenticate SSH server certificates.
A server certificate is authenticated if it is an
exact match to a configured server certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
}
}
}
grouping transport-params-grouping {
description
"A reusable grouping for configuring a SSH transport
parameters.";
container ssh-transport-params {
if-feature "ssh-client-transport-params-config";
description
"Configurable parameters of the SSH transport layer.";
uses sshcmn:transport-params-grouping;
}
}
grouping keepalives-grouping {
description
"A reusable grouping for configuring SSH client keepalive
parameters.";
container ssh-keepalives {
if-feature "ssh-client-keepalives";
description
"Configures the keep-alive policy, to proactively test the
aliveness of the SSH server. An unresponsive TLS server
is dropped after approximately max-wait * max-attempts
seconds.";
leaf max-wait {
type uint16 {
range "1..max";
}
units "seconds";
default "30";
description
"Sets the amount of time in seconds after which if no data
has been received from the SSH server, a TLS-level message
will be sent to test the aliveness of the SSH server.";
}
leaf max-attempts {
type uint8;
default "3";
description
"Sets the maximum number of sequential keep-alive messages
that can fail to obtain a response from the SSH server
before assuming the SSH server is no longer alive.";
}
}
}
}