idnits 2.17.1
draft-ietf-netconf-ssh-client-server-04.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 182 has weird spacing: '...gorithm ide...'
== Line 192 has weird spacing: '...request bin...'
== Line 203 has weird spacing: '...gorithm ide...'
== Line 501 has weird spacing: '...gorithm ide...'
== Line 510 has weird spacing: '...gorithm ide...'
== (1 more instance...)
-- The document date (October 30, 2017) is 2370 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-02
** Obsolete normative reference: RFC 6536 (Obsoleted by RFC 8341)
== Outdated reference: A later version (-06) exists of
draft-ietf-netmod-yang-tree-diagrams-02
Summary: 1 error (**), 0 flaws (~~), 9 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Juniper Networks
4 Intended status: Standards Track G. Wu
5 Expires: May 3, 2018 Cisco Systems
6 October 30, 2017
8 YANG Groupings for SSH Clients and SSH Servers
9 draft-ietf-netconf-ssh-client-server-04
11 Abstract
13 This document defines three YANG modules: the first defines groupings
14 for a generic SSH client, the second defines groupings for a generic
15 SSH server, and the third defines common identities and groupings
16 used by both the client and the server. It is intended that these
17 groupings will be used by applications using the SSH protocol.
19 Editorial Note (To be removed by RFC Editor)
21 This draft contains many placeholder values that need to be replaced
22 with finalized values at the time of publication. This note
23 summarizes all of the substitutions that are needed. No other RFC
24 Editor instructions are specified elsewhere in this document.
26 This document contains references to other drafts in progress, both
27 in the Normative References section, as well as in body text
28 throughout. Please update the following references to reflect their
29 final RFC assignments:
31 o I-D.ietf-netconf-keystore
33 Artwork in this document contains shorthand references to drafts in
34 progress. Please apply the following replacements:
36 o "XXXX" --> the assigned RFC value for this draft
38 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-keystore
40 Artwork in this document contains placeholder values for the date of
41 publication of this draft. Please apply the following replacement:
43 o "2017-10-30" --> the publication date of this draft
45 The following Appendix section is to be removed prior to publication:
47 o Appendix A. Change Log
49 Internet-Draft   YANG Groupings for SSH Clients and SSH Servers   October 2017
51 Status of This Memo
53 This Internet-Draft is submitted in full conformance with the
54 provisions of BCP 78 and BCP 79.
56 Internet-Drafts are working documents of the Internet Engineering
57 Task Force (IETF). Note that other groups may also distribute
58 working documents as Internet-Drafts. The list of current Internet-
59 Drafts is at https://datatracker.ietf.org/drafts/current/.
61 Internet-Drafts are draft documents valid for a maximum of six months
62 and may be updated, replaced, or obsoleted by other documents at any
63 time. It is inappropriate to use Internet-Drafts as reference
64 material or to cite them other than as "work in progress."
66 This Internet-Draft will expire on May 3, 2018.
68 Copyright Notice
70 Copyright (c) 2017 IETF Trust and the persons identified as the
71 document authors. All rights reserved.
73 This document is subject to BCP 78 and the IETF Trust's Legal
74 Provisions Relating to IETF Documents
75 (https://trustee.ietf.org/license-info) in effect on the date of
76 publication of this document. Please review these documents
77 carefully, as they describe your rights and restrictions with respect
78 to this document. Code Components extracted from this document must
79 include Simplified BSD License text as described in Section 4.e of
80 the Trust Legal Provisions and are provided without warranty as
81 described in the Simplified BSD License.
83 Table of Contents
85 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
86 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
87 3. The SSH Client Model . . . . . . . . . . . . . . . . . . . . 4
88 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
89 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5
90 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 6
91 4. The SSH Server Model . . . . . . . . . . . . . . . . . . . . 10
92 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 10
93 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 12
94 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 13
95 5. The SSH Common Model . . . . . . . . . . . . . . . . . . . . 16
96 5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 17
97 5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 17
98 5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 18
102 6. Security Considerations . . . . . . . . . . . . . . . . . . . 28
103 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
104 7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 29
105 7.2. The YANG Module Names Registry . . . . . . . . . . . . . 30
106 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30
107 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
108 9.1. Normative References . . . . . . . . . . . . . . . . . . 31
109 9.2. Informative References . . . . . . . . . . . . . . . . . 32
110 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 33
111 A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 33
112 A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 33
113 A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 33
114 A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 33
115 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
117 1. Introduction
119 This document defines three YANG [RFC7950] modules: the first defines
120 a grouping for a generic SSH client, the second defines a grouping
121 for a generic SSH server, and the third defines identities and
122 groupings common to both the client and the server (SSH is defined in
123 [RFC4252], [RFC4253], and [RFC4254]). It is intended that these
124 groupings will be used by applications using the SSH protocol. For
125 instance, these groupings could be used to help define the data model
126 for an OpenSSH [OPENSSH] server or a NETCONF over SSH [RFC6242] based
127 server.
129 The client and server YANG modules in this document each define one
130 grouping, which is focused on just SSH-specific configuration, and
131 specifically avoids any transport-level configuration, such as what
132 ports to listen on or connect to. This gives applications the
133 opportunity to define their own strategy for how the underlying TCP
134 connection is established. For instance, applications supporting
135 NETCONF Call Home [RFC8071] could use the grouping for the SSH parts
136 it provides, while adding data nodes for the TCP-level call-home
137 configuration.
139 2. Terminology
141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
143 "OPTIONAL" in this document are to be interpreted as described in BCP
144 14 [RFC2119] [RFC8174] when, and only when, they appear in all
145 capitals, as shown here.
149 3. The SSH Client Model
151 The SSH client model presented in this section contains one YANG
152 grouping, to just configure the SSH client, omitting, for instance,
153 any configuration for which IP address or port the client should
154 connect to.
156 This grouping references data nodes defined by the keystore model
157 [I-D.ietf-netconf-keystore]. For instance, a reference to the
158 keystore model is made to indicate which trusted CA certificate a
159 client should use to authenticate X.509v3 certificate based host keys
160 [RFC6187].
162 3.1. Tree Diagram
164 The following tree diagram [I-D.ietf-netmod-yang-tree-diagrams]
165 provides an overview of the data model for the "ietf-ssh-client"
166 module.
168 module: ietf-ssh-client
170 grouping ssh-client-grouping
171 +---- client-identity
172 | +---- username? string
173 | +---- (auth-type)
174 | +--:(certificate)
175 | | +---- certificate {sshcom:ssh-x509-certs}?
176 | | +---- algorithm?
177 | | | identityref
178 | | +---- private-key? union
179 | | +---- public-key? binary
180 | | +---x generate-private-key
181 | | | +---w input
182 | | | +---w algorithm identityref
183 | | +---- certificates
184 | | | +---- certificate* [name]
185 | | | +---- name? string
186 | | | +---- value? binary
187 | | +---x generate-certificate-signing-request
188 | | +---w input
189 | | | +---w subject binary
190 | | | +---w attributes? binary
191 | | +--ro output
192 | | +--ro certificate-signing-request binary
193 | +--:(public-key)
194 | | +---- public-key
195 | | +---- algorithm? identityref
196 | | +---- private-key? union
200 | | +---- public-key? binary
201 | | +---x generate-private-key
202 | | +---w input
203 | | +---w algorithm identityref
204 | +--:(password)
205 | +---- password? string
206 +---- server-auth
207 | +---- pinned-ssh-host-keys? ks:pinned-host-keys
208 | +---- pinned-ca-certs? ks:pinned-certificates
209 | | {sshcom:ssh-x509-certs}?
210 | +---- pinned-server-certs? ks:pinned-certificates
211 | {sshcom:ssh-x509-certs}?
212 +---- transport-params {ssh-client-transport-params-config}?
213 +---- host-key
214 | +---- host-key-alg* identityref
215 +---- key-exchange
216 | +---- key-exchange-alg* identityref
217 +---- encryption
218 | +---- encryption-alg* identityref
219 +---- mac
220 | +---- mac-alg* identityref
221 +---- compression
222 +---- compression-alg* identityref
224 3.2. Example Usage
226 This section shows how it would appear if the ssh-client-grouping
227 were populated with some data. This example is consistent with the
228 examples presented in Section 2.2 of [I-D.ietf-netconf-keystore].
230 [ note: '\' line wrapping for formatting only]

    <ssh-client xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" \
                xmlns:ks="urn:ietf:params:xml:ns:yang:ietf-keystore" \
                xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common">

      <client-identity>
        <username>foobar</username>
        <public-key>
          <algorithm>ks:secp521r1</algorithm>
          <private-key>base64encodedvalue==</private-key>
          <public-key>base64encodedvalue==</public-key>
        </public-key>
      </client-identity>

      <server-auth>
        <pinned-ssh-host-keys>explicitly-trusted-ssh-host-keys</pinned-ssh-host-keys>
      </server-auth>

      <transport-params>
        <host-key>
          <host-key-alg>algs:ssh-rsa</host-key-alg>
        </host-key>
        <key-exchange>
          <key-exchange-alg>algs:diffie-hellman-group-exchange-sha256</key-exchange-alg>
        </key-exchange>
        <encryption>
          <encryption-alg>algs:aes256-ctr</encryption-alg>
          <encryption-alg>algs:aes192-ctr</encryption-alg>
          <encryption-alg>algs:aes128-ctr</encryption-alg>
          <encryption-alg>algs:aes256-cbc</encryption-alg>
          <encryption-alg>algs:aes192-cbc</encryption-alg>
          <encryption-alg>algs:aes128-cbc</encryption-alg>
        </encryption>
        <mac>
          <mac-alg>algs:hmac-sha2-256</mac-alg>
          <mac-alg>algs:hmac-sha2-512</mac-alg>
        </mac>
        <compression>
          <compression-alg>algs:none</compression-alg>
        </compression>
      </transport-params>

    </ssh-client>
286 3.3. YANG Module
288 This YANG module has normative references to [RFC6991] and
289 [I-D.ietf-netconf-keystore].
291 <CODE BEGINS> file "ietf-ssh-client@2017-10-30.yang"
292 module ietf-ssh-client {
293 yang-version 1.1;
295 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
296 prefix "sshc";
298 import ietf-ssh-common {
302 prefix sshcom;
303 revision-date 2017-10-30; // stable grouping definitions
304 reference
305 "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
306 }
308 import ietf-netconf-acm {
309 prefix nacm;
310 reference
311 "RFC 6536: Network Configuration Protocol (NETCONF) Access
312 Control Model";
313 }
315 import ietf-keystore {
316 prefix ks;
317 reference
318 "RFC YYYY: Keystore Model";
319 }
321 organization
322 "IETF NETCONF (Network Configuration) Working Group";
324 contact
325 "WG Web:
326 WG List:
328 Author: Kent Watsen
329
331 Author: Gary Wu
332 ";
334 description
335 "This module defines a reusable grouping for an SSH client that
336 can be used as a basis for specific SSH client instances.
338 Copyright (c) 2017 IETF Trust and the persons identified as
339 authors of the code. All rights reserved.
341 Redistribution and use in source and binary forms, with or
342 without modification, is permitted pursuant to, and subject
343 to the license terms contained in, the Simplified BSD
344 License set forth in Section 4.c of the IETF Trust's
345 Legal Provisions Relating to IETF Documents
346 (http://trustee.ietf.org/license-info).
348 This version of this YANG module is part of RFC XXXX; see
352 the RFC itself for full legal notices.";
354 revision "2017-10-30" {
355 description
356 "Initial version";
357 reference
358 "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
359 }
361 // features
363 feature ssh-client-transport-params-config {
364 description
365 "SSH transport layer parameters are configurable on an SSH
366 client.";
367 }
369 // groupings
371 grouping ssh-client-grouping {
372 description
373 "A reusable grouping for configuring an SSH client without
374 any consideration for how an underlying TCP session is
375 established.";
377 container client-identity {
378 description
379 "The credentials used by the client to authenticate to
380 the SSH server.";
382 leaf username {
383 type string;
384 description
385 "The username of this user. This will be the username
386 used, for instance, to log into an SSH server.";
387 }
389 choice auth-type {
390 mandatory true;
391 description
392 "The authentication type.";
393 container certificate {
394 if-feature sshcom:ssh-x509-certs;
395 uses ks:private-key-grouping;
396 uses ks:certificate-grouping;
397 description
398 "A certificate to be used for client authentication.";
399 }
403 container public-key {
404 uses ks:private-key-grouping;
405 description
406 "A public key to be used for client authentication.";
407 }
408 leaf password {
409 nacm:default-deny-all;
410 type string;
411 description
412 "A password to be used for client authentication.";
413 }
414 }
415 } // end client-identity
417 container server-auth {
418 must 'pinned-ssh-host-keys or pinned-ca-certs or '
419 + 'pinned-server-certs';
420 description
421 "Trusted server identities.";
422 leaf pinned-ssh-host-keys {
423 type ks:pinned-host-keys;
424 description
425 "A reference to a list of SSH host keys used by the
426 SSH client to authenticate SSH server host keys.
427 A server host key is authenticated if it is an exact
428 match to a configured SSH host key.";
429 }
431 leaf pinned-ca-certs {
432 if-feature sshcom:ssh-x509-certs;
433 type ks:pinned-certificates;
434 description
435 "A reference to a list of certificate authority (CA)
436 certificates used by the SSH client to authenticate
437 SSH server certificates. A server certificate is
438 authenticated if it has a valid chain of trust to
439 a configured CA certificate.";
440 }
442 leaf pinned-server-certs {
443 if-feature sshcom:ssh-x509-certs;
444 type ks:pinned-certificates;
445 description
446 "A reference to a list of server certificates used by
447 the SSH client to authenticate SSH server certificates.
448 A server certificate is authenticated if it is an
449 exact match to a configured server certificate.";
450 }
454 } // end server-auth
456 container transport-params {
457 if-feature ssh-client-transport-params-config;
458 uses sshcom:transport-params-grouping;
459 description
460 "Configurable parameters for the SSH transport layer.";
461 }
463 }
464 }
465 <CODE ENDS>
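The constraints that the module above places on an instance of ssh-client-grouping, checked in an added example that is not part of the draft or of any implementation: the mandatory auth-type choice, the if-feature gating of the certificate branch, of the pinned certificate lists and of transport-params, and the must expression on server-auth. The nested-dict layout of the configuration and the set of advertised features passed alongside it are assumptions of this example.

```python
"""Added example (not from the draft): validate an instance of
ssh-client-grouping against the constraints written into ietf-ssh-client.

The configuration is modelled as nested dicts whose keys are the YANG node
names from the tree diagram in Section 3.1; that representation, and the
set of advertised features passed alongside it, are assumptions of this
example rather than anything the draft defines."""

AUTH_BRANCHES = ("certificate", "public-key", "password")
PINNED_LISTS = ("pinned-ssh-host-keys", "pinned-ca-certs", "pinned-server-certs")
X509_FEATURE = "sshcom:ssh-x509-certs"
TRANSPORT_FEATURE = "ssh-client-transport-params-config"
TRANSPORT_CATEGORIES = ("host-key", "key-exchange", "encryption", "mac", "compression")


def validate_ssh_client(cfg, features=frozenset()):
    """Return a list of violations (an empty list means the instance is valid)."""
    problems = []

    # choice auth-type is 'mandatory true': exactly one branch must be present.
    identity = cfg.get("client-identity", {})
    present = [b for b in AUTH_BRANCHES if b in identity]
    if len(present) != 1:
        problems.append(
            f"client-identity: exactly one of {AUTH_BRANCHES} required, found {present}")
    # container certificate carries 'if-feature sshcom:ssh-x509-certs'.
    if "certificate" in identity and X509_FEATURE not in features:
        problems.append(f"client-identity/certificate needs feature {X509_FEATURE}")

    # container server-auth carries
    #   must 'pinned-ssh-host-keys or pinned-ca-certs or pinned-server-certs'
    # YANG evaluates that expression only when the container exists; this check
    # deliberately also rejects an absent container, because a client with
    # nothing pinned cannot authenticate any server (a choice of this example).
    server_auth = cfg.get("server-auth") or {}
    if not any(server_auth.get(p) for p in PINNED_LISTS):
        problems.append(f"server-auth: one of {PINNED_LISTS} must be set")
    for pinned in ("pinned-ca-certs", "pinned-server-certs"):
        if pinned in server_auth and X509_FEATURE not in features:
            problems.append(f"server-auth/{pinned} needs feature {X509_FEATURE}")

    # container transport-params is gated by ssh-client-transport-params-config,
    # and each *-alg node is a config leaf-list, whose values must be unique.
    transport = cfg.get("transport-params")
    if transport is not None:
        if TRANSPORT_FEATURE not in features:
            problems.append(f"transport-params needs feature {TRANSPORT_FEATURE}")
        for cat in TRANSPORT_CATEGORIES:
            algs = transport.get(cat, {}).get(f"{cat}-alg", [])
            if len(algs) != len(set(algs)):
                problems.append(f"transport-params/{cat}/{cat}-alg has duplicates")
    return problems


def example_client_config():
    """The Section 3.2 example, transcribed into the dict form used above."""
    return {
        "client-identity": {
            "username": "foobar",
            "public-key": {
                "algorithm": "ks:secp521r1",
                "private-key": "base64encodedvalue==",
                "public-key": "base64encodedvalue==",
            },
        },
        "server-auth": {"pinned-ssh-host-keys": "explicitly-trusted-ssh-host-keys"},
        "transport-params": {
            "host-key": {"host-key-alg": ["algs:ssh-rsa"]},
            "key-exchange": {
                "key-exchange-alg": ["algs:diffie-hellman-group-exchange-sha256"]},
            "encryption": {"encryption-alg": [
                "algs:aes256-ctr", "algs:aes192-ctr", "algs:aes128-ctr",
                "algs:aes256-cbc", "algs:aes192-cbc", "algs:aes128-cbc"]},
            "mac": {"mac-alg": ["algs:hmac-sha2-256", "algs:hmac-sha2-512"]},
            "compression": {"compression-alg": ["algs:none"]},
        },
    }


if __name__ == "__main__":
    features = {TRANSPORT_FEATURE}
    print(validate_ssh_client(example_client_config(), features))  # []
    broken = example_client_config()
    broken["client-identity"]["certificate"] = {}  # second branch, x509 feature absent
    broken["server-auth"] = {}                      # nothing pinned
    for problem in validate_ssh_client(broken, features):
        print("-", problem)
```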
467 4. The SSH Server Model
469 The SSH server model presented in this section contains one YANG
470 grouping, for just the SSH-level configuration, omitting, for
471 instance, configuration for which ports to open to listen for
472 connections on.
474 This grouping references data nodes defined by the keystore model
475 [I-D.ietf-netconf-keystore]. For instance, a reference to the
476 keystore model is made to indicate which host key a server should
477 present.
479 4.1. Tree Diagram
481 The following tree diagram [I-D.ietf-netmod-yang-tree-diagrams]
482 provides an overview of the data model for the "ietf-ssh-server"
483 module.
487 module: ietf-ssh-server
489 grouping ssh-server-grouping
490 +---- server-identity
491 | +---- host-key* [name]
492 | +---- name? string
493 | +---- (host-key-type)
494 | +--:(public-key)
495 | | +---- public-key
496 | | +---- algorithm? identityref
497 | | +---- private-key? union
498 | | +---- public-key? binary
499 | | +---x generate-private-key
500 | | +---w input
501 | | +---w algorithm identityref
502 | +--:(certificate)
503 | +---- certificate {sshcom:ssh-x509-certs}?
504 | +---- algorithm?
505 | | identityref
506 | +---- private-key? union
507 | +---- public-key? binary
508 | +---x generate-private-key
509 | | +---w input
510 | | +---w algorithm identityref
511 | +---- certificates
512 | | +---- certificate* [name]
513 | | +---- name? string
514 | | +---- value? binary
515 | +---x generate-certificate-signing-request
516 | +---w input
517 | | +---w subject binary
518 | | +---w attributes? binary
519 | +--ro output
520 | +--ro certificate-signing-request binary
521 +---- client-cert-auth {sshcom:ssh-x509-certs}?
522 | +---- pinned-ca-certs? ks:pinned-certificates
523 | +---- pinned-client-certs? ks:pinned-certificates
524 +---- transport-params {ssh-server-transport-params-config}?
525 +---- host-key
526 | +---- host-key-alg* identityref
527 +---- key-exchange
528 | +---- key-exchange-alg* identityref
529 +---- encryption
530 | +---- encryption-alg* identityref
531 +---- mac
532 | +---- mac-alg* identityref
533 +---- compression
534 +---- compression-alg* identityref
538 4.2. Example Usage
540 This section shows how it would appear if the ssh-server-grouping
541 were populated with some data. This example is consistent with the
542 examples presented in Section 2.2 of [I-D.ietf-netconf-keystore].
544 [ note: '\' line wrapping for formatting only]

    <ssh-server xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server" \
                xmlns:ks="urn:ietf:params:xml:ns:yang:ietf-keystore" \
                xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common">

      <server-identity>
        <host-key>
          <name>deployment-specific-certificate</name>
          <certificate>
            <algorithm>ks:secp521r1</algorithm>
            <private-key>base64encodedvalue==</private-key>
            <public-key>base64encodedvalue==</public-key>
          </certificate>
        </host-key>
      </server-identity>

      <client-cert-auth>
        <pinned-ca-certs>deployment-specific-ca-certs</pinned-ca-certs>
        <pinned-client-certs>explicitly-trusted-client-certs</pinned-client-certs>
      </client-cert-auth>

      <transport-params>
        <host-key>
          <host-key-alg>algs:ssh-rsa</host-key-alg>
        </host-key>
        <key-exchange>
          <key-exchange-alg>algs:diffie-hellman-group-exchange-sha256</key-exchange-alg>
        </key-exchange>
        <encryption>
          <encryption-alg>algs:aes256-ctr</encryption-alg>
          <encryption-alg>algs:aes192-ctr</encryption-alg>
          <encryption-alg>algs:aes128-ctr</encryption-alg>
          <encryption-alg>algs:aes256-cbc</encryption-alg>
          <encryption-alg>algs:aes192-cbc</encryption-alg>
          <encryption-alg>algs:aes128-cbc</encryption-alg>
        </encryption>
        <mac>
          <mac-alg>algs:hmac-sha2-256</mac-alg>
          <mac-alg>algs:hmac-sha2-512</mac-alg>
        </mac>
        <compression>
          <compression-alg>algs:none</compression-alg>
        </compression>
      </transport-params>

    </ssh-server>
603 4.3. YANG Module
605 This YANG module has normative references to [RFC4253], [RFC6991],
606 and [I-D.ietf-netconf-keystore].
608 <CODE BEGINS> file "ietf-ssh-server@2017-10-30.yang"
609 module ietf-ssh-server {
610 yang-version 1.1;
612 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
613 prefix "sshs";
615 import ietf-ssh-common {
616 prefix sshcom;
617 revision-date 2017-10-30; // stable grouping definitions
618 reference
619 "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
620 }
622 import ietf-keystore {
623 prefix ks;
624 reference
625 "RFC YYYY: Keystore Model";
626 }
628 organization
629 "IETF NETCONF (Network Configuration) Working Group";
631 contact
632 "WG Web:
633 WG List:
635 Author: Kent Watsen
636
640 Author: Gary Wu
641 ";
643 description
644 "This module defines a reusable grouping for an SSH server that
645 can be used as a basis for specific SSH server instances.
647 Copyright (c) 2017 IETF Trust and the persons identified as
648 authors of the code. All rights reserved.
650 Redistribution and use in source and binary forms, with or
651 without modification, is permitted pursuant to, and subject
652 to the license terms contained in, the Simplified BSD
653 License set forth in Section 4.c of the IETF Trust's
654 Legal Provisions Relating to IETF Documents
655 (http://trustee.ietf.org/license-info).
657 This version of this YANG module is part of RFC XXXX; see
658 the RFC itself for full legal notices.";
660 revision "2017-10-30" {
661 description
662 "Initial version";
663 reference
664 "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
665 }
667 // features
669 feature ssh-server-transport-params-config {
670 description
671 "SSH transport layer parameters are configurable on an SSH
672 server.";
673 }
675 // groupings
677 grouping ssh-server-grouping {
678 description
679 "A reusable grouping for configuring an SSH server without
680 any consideration for how underlying TCP sessions are
681 established.";
682 container server-identity {
683 description
684 "The list of host-keys the SSH server will present when
685 establishing an SSH connection.";
686 list host-key {
690 key name;
691 min-elements 1;
692 ordered-by user;
693 description
694 "An ordered list of host keys the SSH server will use to
695 construct its ordered list of algorithms, when sending
696 its SSH_MSG_KEXINIT message, as defined in Section 7.1
697 of RFC 4253.";
698 reference
699 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
700 leaf name {
701 type string;
702 description
703 "An arbitrary name for this host-key";
704 }
705 choice host-key-type {
706 mandatory true;
707 description
708 "The type of host key being specified";
709 container public-key {
710 uses ks:private-key-grouping;
711 description
712 "The SSH server uses a public-key for its host key.";
713 }
714 container certificate {
715 if-feature sshcom:ssh-x509-certs;
716 uses ks:private-key-grouping;
717 uses ks:certificate-grouping;
718 description
719 "The SSH server uses a certificate for its host key.";
720 }
721 }
722 }
723 }
725 container client-cert-auth {
726 if-feature sshcom:ssh-x509-certs;
727 description
728 "A reference to a list of pinned certificate authority (CA)
729 certificates and a reference to a list of pinned client
730 certificates.";
731 leaf pinned-ca-certs {
732 type ks:pinned-certificates;
733 description
734 "A reference to a list of certificate authority (CA)
735 certificates used by the SSH server to authenticate
736 SSH client certificates. A client certificate is
737 authenticated if it has a valid chain of trust to
741 a configured pinned CA certificate.";
742 }
743 leaf pinned-client-certs {
744 type ks:pinned-certificates;
745 description
746 "A reference to a list of client certificates used by
747 the SSH server to authenticate SSH client certificates.
748 A client certificate is authenticated if it is an
749 exact match to a configured pinned client certificate.";
750 }
751 }
753 container transport-params {
754 if-feature ssh-server-transport-params-config;
755 uses sshcom:transport-params-grouping;
756 description
757 "Configurable parameters for the SSH transport layer.";
758 }
760 }
761 }
762 <CODE ENDS>
764 5. The SSH Common Model
766 The SSH common model presented in this section contains identities
767 and groupings common to both SSH clients and SSH servers. The
768 transport-params-grouping can be used to configure the list of SSH
769 transport algorithms permitted by the SSH client or SSH server. The
770 lists of algorithms are ordered such that, if multiple algorithms are
771 permitted by the client, the algorithm that appears first in its list
772 that is also permitted by the server is used for the SSH transport
773 layer connection. The ability to restrict the algorithms allowed
774 is provided in this grouping for SSH clients and SSH servers that are
775 capable of doing so and may serve to make SSH clients and SSH servers
776 compliant with security policies.
778 Features are defined for algorithms that are OPTIONAL or are not
779 widely supported by popular implementations. Note that the list of
780 algorithms is not exhaustive. As well, some algorithms that are
781 REQUIRED by [RFC4253] are missing, notably "ssh-dss" and "diffie-
782 hellman-group1-sha1" due to their weak security and there being
783 alternatives that are widely supported.
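The selection rule just described, applied to the transport-params lists from the examples in Sections 3.2 and 4.2, as an added example that is not part of the draft: the dict layout of the lists is an assumption of this example, and the additional host-key and key-exchange conditions of RFC 4253 Section 7.1 are deliberately not modelled.

```python
"""Added example (not from the draft): the algorithm selection the text
above describes, applied to transport-params lists.

For every category, the first algorithm in the client's ordered list that
also appears in the server's list wins; a category with no common algorithm
fails the negotiation (the rule RFC 4253, Section 7.1, applies to the
name-lists exchanged in SSH_MSG_KEXINIT).  The dict layout of the parameters
is an assumption of this example; RFC 4253's extra requirements on host-key
and key-exchange selection, which depend on the host key's signature
capability, are deliberately not modelled."""

CATEGORIES = ("host-key", "key-exchange", "encryption", "mac", "compression")

# The transport-params from the examples in Sections 3.2 and 4.2.
EXAMPLE_TRANSPORT_PARAMS = {
    "host-key": ["algs:ssh-rsa"],
    "key-exchange": ["algs:diffie-hellman-group-exchange-sha256"],
    "encryption": ["algs:aes256-ctr", "algs:aes192-ctr", "algs:aes128-ctr",
                   "algs:aes256-cbc", "algs:aes192-cbc", "algs:aes128-cbc"],
    "mac": ["algs:hmac-sha2-256", "algs:hmac-sha2-512"],
    "compression": ["algs:none"],
}

# The CBC modes from that example, as a policy an operator might exclude.
CBC_MODES = {"algs:aes256-cbc", "algs:aes192-cbc", "algs:aes128-cbc"}


def negotiate(client_params, server_params):
    """Return (chosen, failed_category).

    chosen maps each category to the selected algorithm, following the
    client's preference order; failed_category is None on success, otherwise
    the first category whose two lists share nothing (the connection fails)."""
    chosen = {}
    for cat in CATEGORIES:
        permitted_by_server = set(server_params.get(cat, []))
        match = next((a for a in client_params.get(cat, [])
                      if a in permitted_by_server), None)
        if match is None:
            return chosen, cat
        chosen[cat] = match
    return chosen, None


def restrict(params, disallowed):
    """A policy-restricted copy of params: every algorithm in `disallowed`
    (a set of identity names) is dropped while the original order is kept,
    which is how a security policy is expressed with this grouping."""
    return {cat: [a for a in algs if a not in disallowed]
            for cat, algs in params.items()}


if __name__ == "__main__":
    # Identical lists: the client's first entry in each category is chosen.
    print(negotiate(EXAMPLE_TRANSPORT_PARAMS, EXAMPLE_TRANSPORT_PARAMS))
    # Server policy forbids CBC; the client list leads with CTR anyway, so
    # aes256-ctr is chosen and nothing else changes.
    no_cbc_server = restrict(EXAMPLE_TRANSPORT_PARAMS, CBC_MODES)
    print(negotiate(EXAMPLE_TRANSPORT_PARAMS, no_cbc_server))
    # A client that lists CBC first still ends up with CTR against that
    # server, because the winner is the first *client* entry the server permits.
    cbc_first = dict(EXAMPLE_TRANSPORT_PARAMS,
                     encryption=["algs:aes256-cbc", "algs:aes256-ctr"])
    print(negotiate(cbc_first, no_cbc_server))
    # No common host-key algorithm: negotiation stops at "host-key".
    print(negotiate(EXAMPLE_TRANSPORT_PARAMS,
                    restrict(EXAMPLE_TRANSPORT_PARAMS, {"algs:ssh-rsa"})))
```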
787 5.1. Tree Diagram
789 The following tree diagram [I-D.ietf-netmod-yang-tree-diagrams]
790 provides an overview of the data model for the "ietf-ssh-common"
791 module.
793 module: ietf-ssh-common
795 grouping transport-params-grouping
796 +---- host-key
797 | +---- host-key-alg* identityref
798 +---- key-exchange
799 | +---- key-exchange-alg* identityref
800 +---- encryption
801 | +---- encryption-alg* identityref
802 +---- mac
803 | +---- mac-alg* identityref
804 +---- compression
805 +---- compression-alg* identityref
807 5.2. Example Usage
809 This section shows how it would appear if the transport-params-
810 grouping were populated with some data.
    <transport-params
        xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common">
      <host-key>
        <host-key-alg>algs:x509v3-rsa2048-sha256</host-key-alg>
        <host-key-alg>algs:ssh-rsa</host-key-alg>
      </host-key>
      <key-exchange>
        <key-exchange-alg>algs:diffie-hellman-group-exchange-sha256</key-exchange-alg>
      </key-exchange>
      <encryption>
        <encryption-alg>algs:aes256-ctr</encryption-alg>
        <encryption-alg>algs:aes192-ctr</encryption-alg>
        <encryption-alg>algs:aes128-ctr</encryption-alg>
        <encryption-alg>algs:aes256-cbc</encryption-alg>
        <encryption-alg>algs:aes192-cbc</encryption-alg>
        <encryption-alg>algs:aes128-cbc</encryption-alg>
      </encryption>
      <mac>
        <mac-alg>algs:hmac-sha2-256</mac-alg>
        <mac-alg>algs:hmac-sha2-512</mac-alg>
      </mac>
      <compression>
        <compression-alg>algs:none</compression-alg>
      </compression>
    </transport-params>
846 5.3. YANG Module
848 This YANG module has normative references to [RFC4344], [RFC4419],
849 [RFC5656], and [RFC6668].
851 <CODE BEGINS> file "ietf-ssh-common@2017-10-30.yang"
852 module ietf-ssh-common {
853 yang-version 1.1;
855 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
856 prefix "sshcom";
858 organization
859 "IETF NETCONF (Network Configuration) Working Group";
861 contact
865 "WG Web:
866 WG List:
868 Author: Kent Watsen
869
871 Author: Gary Wu
872 ";
874 description
875 "This module defines common features, identities, and groupings
876 for Secure Shell (SSH).
878 Copyright (c) 2017 IETF Trust and the persons identified as
879 authors of the code. All rights reserved.
881 Redistribution and use in source and binary forms, with or
882 without modification, is permitted pursuant to, and subject
883 to the license terms contained in, the Simplified BSD
884 License set forth in Section 4.c of the IETF Trust's
885 Legal Provisions Relating to IETF Documents
886 (http://trustee.ietf.org/license-info).
888 This version of this YANG module is part of RFC XXXX; see
889 the RFC itself for full legal notices.";
891 revision "2017-10-30" {
892 description
893 "Initial version";
894 reference
895 "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
896 }
898 // features
900 feature ssh-ecc {
901 description
902 "Elliptic Curve Cryptography is supported for SSH.";
903 reference
904 "RFC 5656: Elliptic Curve Algorithm Integration in the
905 Secure Shell Transport Layer";
906 }
908 feature ssh-x509-certs {
909 description
910 "X.509v3 certificates are supported for SSH as per RFC 6187.";
911 reference
912 "RFC 6187: X.509v3 Certificates for Secure Shell
916 Authentication";
917 }
919 feature ssh-dh-group-exchange {
920 description
921 "Diffie-Hellman Group Exchange is supported for SSH.";
922 reference
923 "RFC 4419: Diffie-Hellman Group Exchange for the
924 Secure Shell (SSH) Transport Layer Protocol";
925 }
927 feature ssh-ctr {
928 description
929 "SDCTR encryption mode is supported for SSH.";
930 reference
931 "RFC 4344: The Secure Shell (SSH) Transport Layer
932 Encryption Modes";
933 }
935 feature ssh-sha2 {
936 description
937 "The SHA2 family of cryptographic hash functions is supported
938 for SSH.";
939 reference
940 "FIPS PUB 180-4: Secure Hash Standard (SHS)";
941 }
943 feature ssh-zlib {
944 description
945 "ZLIB (LZ77) compression is supported for SSH.";
946 reference
947 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
948 }
950 // identities
952 identity public-key-alg-base {
953 description
954 "Base identity used to identify public key algorithms.";
955 }
957 identity ssh-dss {
958 base public-key-alg-base;
959 description
960 "Digital Signature Algorithm using SHA-1 as the hashing
961 algorithm.";
962 reference
963 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
967 }
969 identity ssh-rsa {
970 base public-key-alg-base;
971 description
972 "RSASSA-PKCS1-v1_5 signature scheme using SHA-1 as the hashing
973 algorithm.";
974 reference
975 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
976 }
978 identity ecdsa-sha2-nistp256 {
979 base public-key-alg-base;
980 if-feature "ssh-ecc and ssh-sha2";
981 description
982 "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
983 nistp256 curve and the SHA2 family of hashing algorithms.";
984 reference
985 "RFC 5656: Elliptic Curve Algorithm Integration in the
986 Secure Shell Transport Layer";
987 }
989 identity ecdsa-sha2-nistp384 {
990 base public-key-alg-base;
991 if-feature "ssh-ecc and ssh-sha2";
992 description
993 "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
994 nistp384 curve and the SHA2 family of hashing algorithms.";
995 reference
996 "RFC 5656: Elliptic Curve Algorithm Integration in the
997 Secure Shell Transport Layer";
998 }
1000 identity ecdsa-sha2-nistp521 {
1001 base public-key-alg-base;
1002 if-feature "ssh-ecc and ssh-sha2";
1003 description
1004 "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
1005 nistp521 curve and the SHA2 family of hashing algorithms.";
1006 reference
1007 "RFC 5656: Elliptic Curve Algorithm Integration in the
1008 Secure Shell Transport Layer";
1009 }
1011 identity x509v3-ssh-rsa {
1012 base public-key-alg-base;
1013 if-feature ssh-x509-certs;
1014 description
1018 "RSASSA-PKCS1-v1_5 signature scheme using a public key stored in
1019 an X.509v3 certificate and using SHA-1 as the hashing
1020 algorithm.";
1021 reference
1022 "RFC 6187: X.509v3 Certificates for Secure Shell
1023 Authentication";
1024 }
1026 identity x509v3-rsa2048-sha256 {
1027 base public-key-alg-base;
1028 if-feature "ssh-x509-certs and ssh-sha2";
1029 description
1030 "RSASSA-PKCS1-v1_5 signature scheme using a public key stored in
1031 an X.509v3 certificate and using SHA-256 as the hashing
1032 algorithm. RSA keys conveyed using this format MUST have a
1033 modulus of at least 2048 bits.";
1034 reference
1035 "RFC 6187: X.509v3 Certificates for Secure Shell
1036 Authentication";
1037 }
1039 identity x509v3-ecdsa-sha2-nistp256 {
1040 base public-key-alg-base;
1041 if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
1042 description
1043 "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
1044 nistp256 curve with a public key stored in an X.509v3
1045 certificate and using the SHA2 family of hashing algorithms.";
1046 reference
1047 "RFC 6187: X.509v3 Certificates for Secure Shell
1048 Authentication";
1049 }
1051 identity x509v3-ecdsa-sha2-nistp384 {
1052 base public-key-alg-base;
1053 if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
1054 description
1055 "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
1056 nistp384 curve with a public key stored in an X.509v3
1057 certificate and using the SHA2 family of hashing algorithms.";
1058 reference
1059 "RFC 6187: X.509v3 Certificates for Secure Shell
1060 Authentication";
1061 }
1063 identity x509v3-ecdsa-sha2-nistp521 {
1064 base public-key-alg-base;
1065 if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
1067 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1069 description
1070 "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
1071 nistp521 curve with a public key stored in an X.509v3
1072 certificate and using the SHA2 family of hashing algorithms.";
1073 reference
1074 "RFC 6187: X.509v3 Certificates for Secure Shell
1075 Authentication";
1076 }
1078 identity key-exchange-alg-base {
1079 description
1080 "Base identity used to identify key exchange algorithms.";
1081 }
1083 identity diffie-hellman-group14-sha1 {
1084 base key-exchange-alg-base;
1085 description
1086 "Diffie-Hellman key exchange with SHA-1 as HASH and
1087 Oakley Group 14 (2048-bit MODP Group).";
1088 reference
1089 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1090 }
1092 identity diffie-hellman-group-exchange-sha1 {
1093 base key-exchange-alg-base;
1094 if-feature ssh-dh-group-exchange;
1095 description
1096 "Diffie-Hellman Group and Key Exchange with SHA-1 as HASH.";
1097 reference
1098 "RFC 4419: Diffie-Hellman Group Exchange for the
1099 Secure Shell (SSH) Transport Layer Protocol";
1100 }
1102 identity diffie-hellman-group-exchange-sha256 {
1103 base key-exchange-alg-base;
1104 if-feature "ssh-dh-group-exchange and ssh-sha2";
1105 description
1106 "Diffie-Hellman Group and Key Exchange with SHA-256 as HASH.";
1107 reference
1108 "RFC 4419: Diffie-Hellman Group Exchange for the
1109 Secure Shell (SSH) Transport Layer Protocol";
1110 }
1112 identity ecdh-sha2-nistp256 {
1113 base key-exchange-alg-base;
1114 if-feature "ssh-ecc and ssh-sha2";
1115 description
1116 "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
1118 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1120 nistp256 curve and the SHA2 family of hashing algorithms.";
1121 reference
1122 "RFC 5656: Elliptic Curve Algorithm Integration in the
1123 Secure Shell Transport Layer";
1124 }
1126 identity ecdh-sha2-nistp384 {
1127 base key-exchange-alg-base;
1128 if-feature "ssh-ecc and ssh-sha2";
1129 description
1130 "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
1131 nistp384 curve and the SHA2 family of hashing algorithms.";
1132 reference
1133 "RFC 5656: Elliptic Curve Algorithm Integration in the
1134 Secure Shell Transport Layer";
1135 }
1137 identity ecdh-sha2-nistp521 {
1138 base key-exchange-alg-base;
1139 if-feature "ssh-ecc and ssh-sha2";
1140 description
1141 "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
1142 nistp521 curve and the SHA2 family of hashing algorithms.";
1143 reference
1144 "RFC 5656: Elliptic Curve Algorithm Integration in the
1145 Secure Shell Transport Layer";
1146 }
1148 identity encryption-alg-base {
1149 description
1150 "Base identity used to identify encryption algorithms.";
1151 }
1153 identity triple-des-cbc {
1154 base encryption-alg-base;
1155 description
1156 "Three-key 3DES in CBC mode.";
1157 reference
1158 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1159 }
1161 identity aes128-cbc {
1162 base encryption-alg-base;
1163 description
1164 "AES in CBC mode, with a 128-bit key.";
1165 reference
1166 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1167 }
1169 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1171 identity aes192-cbc {
1172 base encryption-alg-base;
1173 description
1174 "AES in CBC mode, with a 192-bit key.";
1175 reference
1176 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1177 }
1179 identity aes256-cbc {
1180 base encryption-alg-base;
1181 description
1182 "AES in CBC mode, with a 256-bit key.";
1183 reference
1184 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1185 }
1187 identity aes128-ctr {
1188 base encryption-alg-base;
1189 if-feature ssh-ctr;
1190 description
1191 "AES in SDCTR mode, with 128-bit key.";
1192 reference
1193 "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
1194 Modes";
1195 }
1197 identity aes192-ctr {
1198 base encryption-alg-base;
1199 if-feature ssh-ctr;
1200 description
1201 "AES in SDCTR mode, with 192-bit key.";
1202 reference
1203 "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
1204 Modes";
1205 }
1207 identity aes256-ctr {
1208 base encryption-alg-base;
1209 if-feature ssh-ctr;
1210 description
1211 "AES in SDCTR mode, with 256-bit key.";
1212 reference
1213 "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
1214 Modes";
1215 }
1217 identity mac-alg-base {
1218 description
1220 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1222 "Base identity used to identify message authentication
1223 code (MAC) algorithms.";
1224 }
1226 identity hmac-sha1 {
1227 base mac-alg-base;
1228 description
1229 "HMAC-SHA1";
1230 reference
1231 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1232 }
1234 identity hmac-sha2-256 {
1235 base mac-alg-base;
1236 if-feature "ssh-sha2";
1237 description
1238 "HMAC-SHA2-256";
1239 reference
1240 "RFC 6668: SHA-2 Data Integrity Verification for the
1241 Secure Shell (SSH) Transport Layer Protocol";
1242 }
1244 identity hmac-sha2-512 {
1245 base mac-alg-base;
1246 if-feature "ssh-sha2";
1247 description
1248 "HMAC-SHA2-512";
1249 reference
1250 "RFC 6668: SHA-2 Data Integrity Verification for the
1251 Secure Shell (SSH) Transport Layer Protocol";
1252 }
1254 identity compression-alg-base {
1255 description
1256 "Base identity used to identify compression algorithms.";
1257 }
1259 identity none {
1260 base compression-alg-base;
1261 description
1262 "No compression.";
1263 reference
1264 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1265 }
1267 identity zlib {
1268 base compression-alg-base;
1269 if-feature ssh-zlib;
1271 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1273 description
1274 "ZLIB (LZ77) compression.";
1275 reference
1276 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1277 }
1279 // groupings
1281 grouping transport-params-grouping {
1282 description
1283 "A reusable grouping for SSH transport parameters.
1284 For configurable parameters, a zero-element leaf-list of
1285 algorithms indicates the system default configuration for that
1286 parameter.";
1287 reference
1288 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1289 container host-key {
1290 description
1291 "Parameters regarding host key.";
1292 leaf-list host-key-alg {
1293 type identityref {
1294 base public-key-alg-base;
1295 }
1296 ordered-by user;
1297 description
1298 "Host key algorithms in order of descending preference.";
1299 }
1300 }
1301 container key-exchange {
1302 description
1303 "Parameters regarding key exchange.";
1304 leaf-list key-exchange-alg {
1305 type identityref {
1306 base key-exchange-alg-base;
1307 }
1308 ordered-by user;
1309 description
1310 "Key exchange algorithms in order of descending
1311 preference.";
1312 }
1313 }
1314 container encryption {
1315 description
1316 "Parameters regarding encryption.";
1317 leaf-list encryption-alg {
1318 type identityref {
1319 base encryption-alg-base;
1320 }
1322 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1324 ordered-by user;
1325 description
1326 "Encryption algorithms in order of descending preference.";
1327 }
1328 }
1329 container mac {
1330 description
1331 "Parameters regarding message authentication code (MAC).";
1332 leaf-list mac-alg {
1333 type identityref {
1334 base mac-alg-base;
1335 }
1336 ordered-by user;
1337 description
1338 "MAC algorithms in order of descending preference.";
1339 }
1340 }
1341 container compression {
1342 description
1343 "Parameters regarding compression.";
1344 leaf-list compression-alg {
1345 type identityref {
1346 base compression-alg-base;
1347 }
1348 ordered-by user;
1349 description
1350 "Compression algorithms in order of descending preference.";
1351 }
1352 }
1353 }
1354 }
1355
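The following Python script is an added example and is not part of the draft or of the ietf-ssh-common module. It shows how instance data for the transport-params-grouping above is consumed: the prefixed identityref values in each ordered leaf-list are resolved against the ietf-ssh-common namespace registered in the IANA section, any identity that the module does not define is rejected (only the identities visible in this part of the module are tabulated), an empty leaf-list is treated as "system default" exactly as the grouping's description requires, and the resulting preference lists are then audited against a local policy. The root element, its namespace, and the DISALLOWED policy set are assumptions of the example, not something the draft specifies.

```python
import io
import xml.etree.ElementTree as ET

# Namespace of ietf-ssh-common (from the draft's IANA section). In XML, an
# identityref value carries whatever prefix the instance document binds to it.
SSH_COMMON_NS = "urn:ietf:params:xml:ns:yang:ietf-ssh-common"

# Container -> leaf-list, as declared in transport-params-grouping.
CONTAINERS = {"host-key": "host-key-alg", "key-exchange": "key-exchange-alg",
              "encryption": "encryption-alg", "mac": "mac-alg",
              "compression": "compression-alg"}

# Leaf-list -> identities derived from its base identity. Only the identities
# visible in the quoted part of ietf-ssh-common are tabulated.
KNOWN_IDENTITIES = {
    "host-key-alg": {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                     "ecdsa-sha2-nistp521", "x509v3-ssh-rsa", "x509v3-rsa2048-sha256",
                     "x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
                     "x509v3-ecdsa-sha2-nistp521"},
    "key-exchange-alg": {"diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
                         "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
                         "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "encryption-alg": {"triple-des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                       "aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "mac-alg": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "compression-alg": {"none", "zlib"},
}

# Example local policy (an assumption of this example, not from the draft):
# SHA-1 based and 3DES algorithms an operator might refuse to negotiate.
DISALLOWED = {"diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
              "x509v3-ssh-rsa", "triple-des-cbc", "hmac-sha1"}


def parse_transport_params(xml_text, root_ns):
    """Return {container: [identity, ...] or None} from an XML instance.

    None means the leaf-list is empty (or its container absent), which the
    grouping defines as "use the system default for that parameter". Raises
    ValueError for a value outside the ietf-ssh-common namespace, an identity
    the module does not define, or a duplicate entry.
    """
    prefixes, root = {}, None  # xmlns prefix -> URI; root element
    for event, payload in ET.iterparse(io.StringIO(xml_text), ("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    result = {}
    for container, leaf_list in CONTAINERS.items():
        node = root.find(f"{{{root_ns}}}{container}")
        values = []
        for leaf in ([] if node is None else node.findall(f"{{{root_ns}}}{leaf_list}")):
            # An unprefixed value resolves in the default namespace (prefix "").
            prefix, _, name = (leaf.text or "").strip().rpartition(":")
            if prefixes.get(prefix) != SSH_COMMON_NS:
                raise ValueError(f"{leaf_list}: '{leaf.text}' is not an ietf-ssh-common identity")
            if name not in KNOWN_IDENTITIES[leaf_list]:
                raise ValueError(f"{leaf_list}: unknown identity '{name}'")
            if name in values:
                raise ValueError(f"{leaf_list}: duplicate entry '{name}'")
            values.append(name)  # document order is descending preference
        result[container] = values or None
    return result


def audit_transport_params(params, disallowed=DISALLOWED):
    """List (container, rank, identity) for each configured algorithm the policy
    disallows; rank 0 is most preferred. System-default entries (None) are skipped."""
    return [(container, rank, name)
            for container, algs in params.items() if algs is not None
            for rank, name in enumerate(algs) if name in disallowed]


def validation_error(xml_text, root_ns):
    """Return the ValueError message for a bad instance, or None if it parses."""
    try:
        parse_transport_params(xml_text, root_ns)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed instance data; the root element and its namespace are hypothetical
# stand-ins for whatever module 'uses' the grouping.
SAMPLE_NS = "urn:example:module-using-the-grouping"
SAMPLE = f"""<transport-params xmlns="{SAMPLE_NS}" xmlns:sshcom="{SSH_COMMON_NS}">
  <host-key><host-key-alg>sshcom:ecdsa-sha2-nistp256</host-key-alg></host-key>
  <key-exchange><key-exchange-alg>sshcom:ecdh-sha2-nistp256</key-exchange-alg>
    <key-exchange-alg>sshcom:diffie-hellman-group14-sha1</key-exchange-alg></key-exchange>
  <encryption><encryption-alg>sshcom:aes256-ctr</encryption-alg>
    <encryption-alg>sshcom:aes128-ctr</encryption-alg></encryption>
  <mac><mac-alg>sshcom:hmac-sha2-256</mac-alg><mac-alg>sshcom:hmac-sha1</mac-alg></mac>
  <compression/>
</transport-params>"""
```

Running `audit_transport_params(parse_transport_params(SAMPLE, SAMPLE_NS))` on the constructed instance reports the SHA-1 key exchange and MAC entries, each at rank 1 (second preference), while the empty compression container yields None and is left to the system default. The audit deliberately reports rank as well as name: an algorithm listed last as a fallback and one listed first are different findings for an operator, and the grouping's ordered-by user semantics are what make that distinction meaningful.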
6. Security Considerations

The YANG modules defined in this document are designed to be accessed
via YANG based management protocols, such as NETCONF [RFC6241] and
RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
implement secure transport layers (e.g., SSH, TLS) with mutual
authentication.

The NETCONF access control model (NACM) [RFC6536] provides the means
to restrict access for particular users to a pre-configured subset of
all available protocol operations and content.

Since the modules defined in this document define only groupings,
these considerations are primarily for the designers of other modules
that use these groupings.

There are a number of data nodes defined in the YANG modules that are
writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability:

/: The entire data tree defined by all the modules defined in this
   draft is sensitive to write operations. For instance, the
   addition or removal of references to keys, certificates,
   trusted anchors, etc., can dramatically alter the implemented
   security policy. However, no NACM annotations are applied, as
   the data SHOULD be editable by users other than a designated
   'recovery session'.

Some of the readable data nodes in the YANG modules may be considered
sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data
nodes and their sensitivity/vulnerability:

/client-auth/password: This node in the 'ietf-ssh-client' module
   is additionally sensitive to read operations such that, in
   normal use cases, it should never be returned to a client. The
   only time this node should be returned is to support backup/
   restore type workflows. This being the case, this node is
   marked with the NACM value 'default-deny-all'.

Some of the RPC operations in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control access to these operations. These are the
operations and their sensitivity/vulnerability:

NONE
7. IANA Considerations

7.1. The IETF XML Registry

This document registers three URIs in the IETF XML registry
[RFC3688]. Following the format in [RFC3688], the following
registrations are requested:

URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client
Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace.

URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server
Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace.

URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common
Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace.

7.2. The YANG Module Names Registry

This document registers three YANG modules in the YANG Module Names
registry [RFC7950]. Following the format in [RFC7950], the
following registrations are requested:

name: ietf-ssh-client
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client
prefix: sshc
reference: RFC XXXX

name: ietf-ssh-server
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server
prefix: sshs
reference: RFC XXXX

name: ietf-ssh-common
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common
prefix: sshcom
reference: RFC XXXX
8. Acknowledgements

The authors would like to thank the following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Juergen Schoenwaelder, Phil Shafer, Sean Turner, Michal Vasko, and
Bert Wijnen.
9. References

9.1. Normative References

[I-D.ietf-netconf-keystore]
          Watsen, K., "Keystore Model", draft-ietf-netconf-
          keystore-02 (work in progress), June 2017.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119,
          DOI 10.17487/RFC2119, March 1997.

[RFC4344] Bellare, M., Kohno, T., and C. Namprempre, "The Secure
          Shell (SSH) Transport Layer Encryption Modes", RFC 4344,
          DOI 10.17487/RFC4344, January 2006.

[RFC4419] Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman
          Group Exchange for the Secure Shell (SSH) Transport Layer
          Protocol", RFC 4419, DOI 10.17487/RFC4419, March 2006.

[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm
          Integration in the Secure Shell Transport Layer",
          RFC 5656, DOI 10.17487/RFC5656, December 2009.

[RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure
          Shell Authentication", RFC 6187, DOI 10.17487/RFC6187,
          March 2011.

[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
          Protocol (NETCONF) Access Control Model", RFC 6536,
          DOI 10.17487/RFC6536, March 2012.

[RFC6668] Bider, D. and M. Baushke, "SHA-2 Data Integrity
          Verification for the Secure Shell (SSH) Transport Layer
          Protocol", RFC 6668, DOI 10.17487/RFC6668, July 2012.

[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
          RFC 6991, DOI 10.17487/RFC6991, July 2013.

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
          RFC 7950, DOI 10.17487/RFC7950, August 2016.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
          2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
          May 2017.

9.2. Informative References

[I-D.ietf-netmod-yang-tree-diagrams]
          Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
          ietf-netmod-yang-tree-diagrams-02 (work in progress),
          October 2017.

[OPENSSH] "OpenSSH", 2016.

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
          DOI 10.17487/RFC3688, January 2004.

[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
          Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
          January 2006.

[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
          Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
          January 2006.

[RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
          Connection Protocol", RFC 4254, DOI 10.17487/RFC4254,
          January 2006.

[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
          and A. Bierman, Ed., "Network Configuration Protocol
          (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
          Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
          Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

[RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
          RFC 8071, DOI 10.17487/RFC8071, February 2017.
Appendix A. Change Log

A.1. 00 to 01

o Noted that '0.0.0.0' and '::' might have special meanings.

o Renamed "keychain" to "keystore".

A.2. 01 to 02

o Removed the groupings 'listening-ssh-client-grouping' and
  'listening-ssh-server-grouping'. Now modules only contain the
  transport-independent groupings.

o Simplified the "client-auth" part in the ietf-ssh-client module.
  It now inlines what it used to point to keystore for.

o Added cipher suites for various algorithms into new 'ietf-ssh-
  common' module.

A.3. 02 to 03

o Removed 'RESTRICTED' enum from 'password' leaf type.

o Added a 'must' statement to container 'server-auth' asserting that
  at least one of the various auth mechanisms must be specified.

o Fixed description statement for leaf 'trusted-ca-certs'.

A.4. 03 to 04

o Changed title to "YANG Groupings for SSH Clients and SSH Servers".

o Added reference to RFC 6668.

o Added RFC 8174 to Requirements Language Section.

o Enhanced description statement for ietf-ssh-server's "trusted-ca-
  certs" leaf.

o Added mandatory true to ietf-ssh-client's "client-auth" 'choice'
  statement.

o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

o Updated YANG to use typedefs around leafrefs to common keystore
  paths.

o Now inlines key and certificates (no longer a leafref to keystore).

Authors' Addresses

Kent Watsen
Juniper Networks

EMail: kwatsen@juniper.net

Gary Wu
Cisco Systems

EMail: garywu@cisco.com