NETCONF Working Group                                          K. Watsen
Internet-Draft                                          Juniper Networks
Intended status: Standards Track                                   G. Wu
Expires: May 3, 2018                                       Cisco Systems
                                                        October 30, 2017

YANG Groupings for SSH Clients and SSH Servers
draft-ietf-netconf-ssh-client-server-05

Abstract

This document defines three YANG modules: the first defines groupings
for a generic SSH client, the second defines groupings for a generic
SSH server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these
groupings will be used by applications using the SSH protocol.

Editorial Note (To be removed by RFC Editor)

This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note
summarizes all of the substitutions that are needed. No other RFC
Editor instructions are specified elsewhere in this document.

This document contains references to other drafts in progress, both
in the Normative References section, as well as in body text
throughout. Please update the following references to reflect their
final RFC assignments:

o I-D.ietf-netconf-keystore

Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements:

o "XXXX" --> the assigned RFC value for this draft

o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-keystore

Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement:

o "2017-10-30" --> the publication date of this draft

The following Appendix section is to be removed prior to publication:

o Appendix A. Change Log
Internet-Draft    YANG Groupings for SSH Clients and SSH Servers    October 2017

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 3, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

1. Introduction
2. Terminology
3. The SSH Client Model
   3.1. Tree Diagram
   3.2. Example Usage
   3.3. YANG Module
4. The SSH Server Model
   4.1. Tree Diagram
   4.2. Example Usage
   4.3. YANG Module
5. The SSH Common Model
   5.1. Tree Diagram
   5.2. Example Usage
   5.3. YANG Module
6. Security Considerations
7. IANA Considerations
   7.1. The IETF XML Registry
   7.2. The YANG Module Names Registry
8. Acknowledgements
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Change Log
   A.1. 00 to 01
   A.2. 01 to 02
   A.3. 02 to 03
   A.4. 03 to 04
   A.5. 04 to 05
Authors' Addresses
1. Introduction

This document defines three YANG [RFC7950] modules: the first defines
a grouping for a generic SSH client, the second defines a grouping
for a generic SSH server, and the third defines identities and
groupings common to both the client and the server (SSH is defined in
[RFC4252], [RFC4253], and [RFC4254]). It is intended that these
groupings will be used by applications using the SSH protocol. For
instance, these groupings could be used to help define the data model
for an OpenSSH [OPENSSH] server or a NETCONF over SSH [RFC6242] based
server.

The client and server YANG modules in this document each define one
grouping, which is focused on just SSH-specific configuration, and
specifically avoids any transport-level configuration, such as what
ports to listen on or connect to. This gives applications the
opportunity to define their own strategy for how the underlying TCP
connection is established. For instance, applications supporting
NETCONF Call Home [RFC8071] could use the grouping for the SSH parts
it provides, while adding data nodes for the TCP-level call-home
configuration.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. The SSH Client Model

The SSH client model presented in this section contains one YANG
grouping, to just configure the SSH client, omitting, for instance,
any configuration for which IP address or port the client should
connect to.

This grouping references data nodes defined by the keystore model
[I-D.ietf-netconf-keystore]. For instance, a reference to the
keystore model is made to indicate which trusted CA certificate a
client should use to authenticate X.509v3 certificate-based host keys
[RFC6187].

3.1. Tree Diagram

The following tree diagram [I-D.ietf-netmod-yang-tree-diagrams]
provides an overview of the data model for the "ietf-ssh-client"
module.
module: ietf-ssh-client

  grouping ssh-client-grouping
    +---- client-identity
    |  +---- username?                                    string
    |  +---- (auth-type)
    |     +--:(certificate)
    |     |  +---- certificate {sshcmn:ssh-x509-certs}?
    |     |     +---- algorithm?                          identityref
    |     |     +---- private-key?                        union
    |     |     +---- public-key?                         binary
    |     |     +---x generate-private-key
    |     |     |  +---w input
    |     |     |     +---w algorithm    identityref
    |     |     +---- certificates
    |     |     |  +---- certificate* [name]
    |     |     |     +---- name?    string
    |     |     |     +---- value?   binary
    |     |     +---x generate-certificate-signing-request
    |     |        +---w input
    |     |        |  +---w subject       binary
    |     |        |  +---w attributes?   binary
    |     |        +--ro output
    |     |           +--ro certificate-signing-request    binary
    |     +--:(public-key)
    |     |  +---- public-key
    |     |     +---- algorithm?     identityref
    |     |     +---- private-key?   union
    |     |     +---- public-key?    binary
    |     |     +---x generate-private-key
    |     |        +---w input
    |     |           +---w algorithm    identityref
    |     +--:(password)
    |        +---- password?   string
    +---- server-auth
    |  +---- pinned-ssh-host-keys?   ks:pinned-host-keys
    |  +---- pinned-ca-certs?        ks:pinned-certificates
    |  |        {sshcmn:ssh-x509-certs}?
    |  +---- pinned-server-certs?    ks:pinned-certificates
    |           {sshcmn:ssh-x509-certs}?
    +---- transport-params {ssh-client-transport-params-config}?
       +---- host-key
       |  +---- host-key-alg*       identityref
       +---- key-exchange
       |  +---- key-exchange-alg*   identityref
       +---- encryption
       |  +---- encryption-alg*     identityref
       +---- mac
          +---- mac-alg*            identityref
3.2. Example Usage

This section shows how it would appear if the ssh-client-grouping
were populated with some data. This example is consistent with the
examples presented in Section 2.2 of [I-D.ietf-netconf-keystore].

<ssh-client
    xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client"
    xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common"
    xmlns:ks="urn:ietf:params:xml:ns:yang:ietf-keystore">

  <client-identity>
    <username>foobar</username>
    <public-key>
      <algorithm>ks:secp521r1</algorithm>
      <private-key>base64encodedvalue==</private-key>
      <public-key>base64encodedvalue==</public-key>
    </public-key>
  </client-identity>

  <server-auth>
    <pinned-ssh-host-keys>explicitly-trusted-ssh-host-keys</pinned-ssh-host-keys>
  </server-auth>

  <transport-params>
    <host-key>
      <host-key-alg>algs:ssh-rsa</host-key-alg>
    </host-key>
    <key-exchange>
      <key-exchange-alg>algs:diffie-hellman-group-exchange-sha256</key-exchange-alg>
    </key-exchange>
    <encryption>
      <encryption-alg>algs:aes256-ctr</encryption-alg>
      <encryption-alg>algs:aes192-ctr</encryption-alg>
      <encryption-alg>algs:aes128-ctr</encryption-alg>
      <encryption-alg>algs:aes256-cbc</encryption-alg>
      <encryption-alg>algs:aes192-cbc</encryption-alg>
      <encryption-alg>algs:aes128-cbc</encryption-alg>
    </encryption>
    <mac>
      <mac-alg>algs:hmac-sha2-256</mac-alg>
      <mac-alg>algs:hmac-sha2-512</mac-alg>
    </mac>
  </transport-params>

</ssh-client>
3.3. YANG Module

This YANG module has normative references to [RFC6991] and
[I-D.ietf-netconf-keystore].

<CODE BEGINS> file "ietf-ssh-client@2017-10-30.yang"
module ietf-ssh-client {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
  prefix "sshc";

  import ietf-ssh-common {
    prefix sshcmn;
    revision-date 2017-10-30; // stable grouping definitions
    reference
      "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
  }

  import ietf-netconf-acm {
    prefix nacm;
    reference
      "RFC 6536: Network Configuration Protocol (NETCONF) Access
       Control Model";
  }

  import ietf-keystore {
    prefix ks;
    reference
      "RFC YYYY: Keystore Model";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:
     WG List:

     Author: Kent Watsen

     Author: Gary Wu
    ";

  description
    "This module defines a reusable grouping for an SSH client that
     can be used as a basis for specific SSH client instances.

     Copyright (c) 2017 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision "2017-10-30" {
    description
      "Initial version";
    reference
      "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
  }

  // features

  feature ssh-client-transport-params-config {
    description
      "SSH transport layer parameters are configurable on an SSH
       client.";
  }

  // groupings

  grouping ssh-client-grouping {
    description
      "A reusable grouping for configuring an SSH client without
       any consideration for how an underlying TCP session is
       established.";

    container client-identity {
      description
        "The credentials used by the client to authenticate to
         the SSH server.";

      leaf username {
        type string;
        description
          "The username of this user. This will be the username
           used, for instance, to log into an SSH server.";
      }

      choice auth-type {
        mandatory true;
        description
          "The authentication type.";
        container certificate {
          if-feature sshcmn:ssh-x509-certs;
          uses ks:private-key-grouping;
          uses ks:certificate-grouping;
          description
            "A certificate to be used for client authentication.";
        }
        container public-key {
          uses ks:private-key-grouping;
          description
            "A public key to be used for client authentication.";
        }
        leaf password {
          nacm:default-deny-all;
          type string;
          description
            "A password to be used for client authentication.";
        }
      }
    } // end client-identity

    container server-auth {
      must 'pinned-ssh-host-keys or pinned-ca-certs or '
         + 'pinned-server-certs';
      description
        "Trusted server identities.";
      leaf pinned-ssh-host-keys {
        type ks:pinned-host-keys;
        description
          "A reference to a list of SSH host keys used by the
           SSH client to authenticate SSH server host keys.
           A server host key is authenticated if it is an exact
           match to a configured SSH host key.";
      }

      leaf pinned-ca-certs {
        if-feature sshcmn:ssh-x509-certs;
        type ks:pinned-certificates;
        description
          "A reference to a list of certificate authority (CA)
           certificates used by the SSH client to authenticate
           SSH server certificates. A server certificate is
           authenticated if it has a valid chain of trust to
           a configured CA certificate.";
      }

      leaf pinned-server-certs {
        if-feature sshcmn:ssh-x509-certs;
        type ks:pinned-certificates;
        description
          "A reference to a list of server certificates used by
           the SSH client to authenticate SSH server certificates.
           A server certificate is authenticated if it is an
           exact match to a configured server certificate.";
      }
    } // end server-auth

    container transport-params {
      if-feature ssh-client-transport-params-config;
      description
        "Configurable parameters of the SSH transport layer.";
      uses sshcmn:transport-params-grouping;
    }
  }
}
<CODE ENDS>
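The grouping above encodes three rules that an instance must satisfy before it is safe to hand to an SSH client: the auth-type choice is mandatory (exactly one of certificate, public-key or password), the server-auth container carries the XPath constraint must 'pinned-ssh-host-keys or pinned-ca-certs or pinned-server-certs' (so a client can never be configured with no way to authenticate a server's host key), and several nodes are gated by features. The following Python is an added illustration, not code from the draft or from any NETCONF implementation: it checks an <ssh-client> instance against those rules using only the standard library. The namespace URIs are the ones the modules in this document declare; the keystore namespace URI and the instance documents at the bottom are assumptions constructed for the example.

```python
"""Check an <ssh-client> instance against the structural rules of
ietf-ssh-client's ssh-client-grouping:

  * client-identity/auth-type is 'mandatory true': exactly one of the
    certificate, public-key or password cases must be present;
  * server-auth has
      must 'pinned-ssh-host-keys or pinned-ca-certs or pinned-server-certs'
    so a client cannot be configured without a trust anchor for servers;
  * certificate, pinned-ca-certs and pinned-server-certs require the
    sshcmn:ssh-x509-certs feature; transport-params requires
    ssh-client-transport-params-config.

Standard library only.  The instance documents below are constructed for
this example; KS_NS is an assumed value for the keystore namespace.
"""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-ssh-client"
KS_NS = "urn:ietf:params:xml:ns:yang:ietf-keystore"   # assumption

AUTH_CASES = ("certificate", "public-key", "password")
PINNED = ("pinned-ssh-host-keys", "pinned-ca-certs", "pinned-server-certs")
X509_FEATURE = "sshcmn:ssh-x509-certs"
TP_FEATURE = "ssh-client-transport-params-config"


def _q(name):
    """Clark-notation qualified name in the ietf-ssh-client namespace."""
    return "{%s}%s" % (NS, name)


def _present(parent, name):
    """True if direct child 'name' exists and is a non-empty leaf or container."""
    child = parent.find(_q(name))
    return child is not None and (len(child) > 0 or (child.text or "").strip() != "")


def check_ssh_client(xml_text, features=frozenset()):
    """Return a list of violations; an empty list means the instance is valid."""
    root = ET.fromstring(xml_text)
    problems = []

    ident = root.find(_q("client-identity"))
    if ident is None:
        problems.append("client-identity: container missing")
    else:
        cases = [c for c in AUTH_CASES if _present(ident, c)]
        if len(cases) != 1:
            problems.append("client-identity/auth-type: mandatory choice needs "
                            "exactly one case, found %s" % (cases or "none"))
        if "certificate" in cases and X509_FEATURE not in features:
            problems.append("client-identity/certificate: needs feature " + X509_FEATURE)

    sa = root.find(_q("server-auth"))
    if sa is None:
        problems.append("server-auth: container missing")
    else:
        anchors = [p for p in PINNED if _present(sa, p)]
        if not anchors:
            # The XPath 'must' on server-auth: without any pinned keys or
            # certificates the client has nothing to authenticate a server against.
            problems.append("server-auth: must 'pinned-ssh-host-keys or "
                            "pinned-ca-certs or pinned-server-certs' violated")
        for p in ("pinned-ca-certs", "pinned-server-certs"):
            if p in anchors and X509_FEATURE not in features:
                problems.append("server-auth/%s: needs feature %s" % (p, X509_FEATURE))

    if root.find(_q("transport-params")) is not None and TP_FEATURE not in features:
        problems.append("transport-params: needs feature " + TP_FEATURE)
    return problems


# Constructed instance (not the draft's example): public-key identity and one
# pinned host-key list, no transport-params.
VALID = """
<ssh-client xmlns="%s" xmlns:ks="%s">
  <client-identity>
    <username>netconf-admin</username>
    <public-key>
      <algorithm>ks:secp521r1</algorithm>
      <private-key>base64encodedvalue==</private-key>
      <public-key>base64encodedvalue==</public-key>
    </public-key>
  </client-identity>
  <server-auth>
    <pinned-ssh-host-keys>explicitly-trusted-ssh-host-keys</pinned-ssh-host-keys>
  </server-auth>
</ssh-client>
""" % (NS, KS_NS)

# Same instance with server-auth emptied: the 'must' rejects it.
NO_TRUST_ANCHOR = VALID.replace(
    "<pinned-ssh-host-keys>explicitly-trusted-ssh-host-keys</pinned-ssh-host-keys>", "")

# Two auth-type cases at once: the mandatory choice rejects it.
TWO_CASES = VALID.replace("</client-identity>",
                          "<password>hunter2</password>\n  </client-identity>")

# An X.509 trust anchor is only legal once the feature is enabled.
CA_PINNED = VALID.replace(
    "</server-auth>", "<pinned-ca-certs>deployment-ca</pinned-ca-certs>\n  </server-auth>")

if __name__ == "__main__":
    for label, doc in (("valid", VALID), ("no-trust-anchor", NO_TRUST_ANCHOR),
                       ("two-cases", TWO_CASES), ("ca-pinned/no-feature", CA_PINNED)):
        print(label, check_ssh_client(doc) or "OK")
```

The check is deliberately limited to what this module itself states; it does not resolve the ks:pinned-host-keys and ks:pinned-certificates leafrefs into the keystore, which a full validator would also have to do.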
4. The SSH Server Model

The SSH server model presented in this section contains one YANG
grouping, for just the SSH-level configuration, omitting, for
instance, configuration for which ports to open to listen for
connections on.

This grouping references data nodes defined by the keystore model
[I-D.ietf-netconf-keystore]. For instance, a reference to the
keystore model is made to indicate which host key a server should
present.

4.1. Tree Diagram

The following tree diagram [I-D.ietf-netmod-yang-tree-diagrams]
provides an overview of the data model for the "ietf-ssh-server"
module.
module: ietf-ssh-server

  grouping ssh-server-grouping
    +---- server-identity
    |  +---- host-key* [name]
    |     +---- name?   string
    |     +---- (host-key-type)
    |        +--:(public-key)
    |        |  +---- public-key
    |        |     +---- algorithm?     identityref
    |        |     +---- private-key?   union
    |        |     +---- public-key?    binary
    |        |     +---x generate-private-key
    |        |        +---w input
    |        |           +---w algorithm    identityref
    |        +--:(certificate)
    |           +---- certificate {sshcmn:ssh-x509-certs}?
    |              +---- algorithm?     identityref
    |              +---- private-key?   union
    |              +---- public-key?    binary
    |              +---x generate-private-key
    |              |  +---w input
    |              |     +---w algorithm    identityref
    |              +---- certificates
    |              |  +---- certificate* [name]
    |              |     +---- name?    string
    |              |     +---- value?   binary
    |              +---x generate-certificate-signing-request
    |                 +---w input
    |                 |  +---w subject       binary
    |                 |  +---w attributes?   binary
    |                 +--ro output
    |                    +--ro certificate-signing-request    binary
    +---- client-cert-auth {sshcmn:ssh-x509-certs}?
    |  +---- pinned-ca-certs?       ks:pinned-certificates
    |  +---- pinned-client-certs?   ks:pinned-certificates
    +---- transport-params {ssh-server-transport-params-config}?
       +---- host-key
       |  +---- host-key-alg*       identityref
       +---- key-exchange
       |  +---- key-exchange-alg*   identityref
       +---- encryption
       |  +---- encryption-alg*     identityref
       +---- mac
          +---- mac-alg*            identityref
4.2. Example Usage

This section shows how it would appear if the ssh-server-grouping
were populated with some data. This example is consistent with the
examples presented in Section 2.2 of [I-D.ietf-netconf-keystore].

<ssh-server
    xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server"
    xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common"
    xmlns:ks="urn:ietf:params:xml:ns:yang:ietf-keystore">

  <server-identity>
    <host-key>
      <name>deployment-specific-certificate</name>
      <certificate>
        <algorithm>ks:secp521r1</algorithm>
        <private-key>base64encodedvalue==</private-key>
        <public-key>base64encodedvalue==</public-key>
      </certificate>
    </host-key>
  </server-identity>

  <client-cert-auth>
    <pinned-ca-certs>deployment-specific-ca-certs</pinned-ca-certs>
    <pinned-client-certs>explicitly-trusted-client-certs</pinned-client-certs>
  </client-cert-auth>

  <transport-params>
    <host-key>
      <host-key-alg>algs:ssh-rsa</host-key-alg>
    </host-key>
    <key-exchange>
      <key-exchange-alg>algs:diffie-hellman-group-exchange-sha256</key-exchange-alg>
    </key-exchange>
    <encryption>
      <encryption-alg>algs:aes256-ctr</encryption-alg>
      <encryption-alg>algs:aes192-ctr</encryption-alg>
      <encryption-alg>algs:aes128-ctr</encryption-alg>
      <encryption-alg>algs:aes256-cbc</encryption-alg>
      <encryption-alg>algs:aes192-cbc</encryption-alg>
      <encryption-alg>algs:aes128-cbc</encryption-alg>
    </encryption>
    <mac>
      <mac-alg>algs:hmac-sha2-256</mac-alg>
      <mac-alg>algs:hmac-sha2-512</mac-alg>
    </mac>
  </transport-params>

</ssh-server>
4.3. YANG Module

This YANG module has normative references to [RFC4253], [RFC6991],
and [I-D.ietf-netconf-keystore].

<CODE BEGINS> file "ietf-ssh-server@2017-10-30.yang"
module ietf-ssh-server {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
  prefix "sshs";

  import ietf-ssh-common {
    prefix sshcmn;
    revision-date 2017-10-30; // stable grouping definitions
    reference
      "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
  }

  import ietf-keystore {
    prefix ks;
    reference
      "RFC YYYY: Keystore Model";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:
     WG List:

     Author: Kent Watsen

     Author: Gary Wu
    ";

  description
    "This module defines a reusable grouping for an SSH server that
     can be used as a basis for specific SSH server instances.

     Copyright (c) 2017 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision "2017-10-30" {
    description
      "Initial version";
    reference
      "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
  }

  // features

  feature ssh-server-transport-params-config {
    description
      "SSH transport layer parameters are configurable on an SSH
       server.";
  }

  // groupings

  grouping ssh-server-grouping {
    description
      "A reusable grouping for configuring an SSH server without
       any consideration for how underlying TCP sessions are
       established.";
    container server-identity {
      description
        "The list of host-keys the SSH server will present when
         establishing an SSH connection.";
      list host-key {
        key name;
        min-elements 1;
        ordered-by user;
        description
          "An ordered list of host keys the SSH server will use to
           construct its ordered list of algorithms, when sending
           its SSH_MSG_KEXINIT message, as defined in Section 7.1
           of RFC 4253.";
        reference
          "RFC 4253: The Secure Shell (SSH) Transport Layer
           Protocol";
        leaf name {
          type string;
          description
            "An arbitrary name for this host-key";
        }
        choice host-key-type {
          mandatory true;
          description
            "The type of host key being specified";
          container public-key {
            uses ks:private-key-grouping;
            description
              "The SSH server uses a public-key for its host key.";
          }
          container certificate {
            if-feature sshcmn:ssh-x509-certs;
            uses ks:private-key-grouping;
            uses ks:certificate-grouping;
            description
              "The SSH server uses a certificate for its host key.";
          }
        }
      }
    }

    container client-cert-auth {
      if-feature sshcmn:ssh-x509-certs;
      description
        "A reference to a list of pinned certificate authority (CA)
         certificates and a reference to a list of pinned client
         certificates.";
      leaf pinned-ca-certs {
        type ks:pinned-certificates;
        description
          "A reference to a list of certificate authority (CA)
           certificates used by the SSH server to authenticate
           SSH client certificates. A client certificate is
           authenticated if it has a valid chain of trust to
           a configured pinned CA certificate.";
      }
      leaf pinned-client-certs {
        type ks:pinned-certificates;
        description
          "A reference to a list of client certificates used by
           the SSH server to authenticate SSH client certificates.
           A client certificate is authenticated if it is an
           exact match to a configured pinned client certificate.";
      }
    }

    container transport-params {
      if-feature ssh-server-transport-params-config;
      description
        "Configurable parameters of the SSH transport layer.";
      uses sshcmn:transport-params-grouping;
    }
  }
}
<CODE ENDS>
5. The SSH Common Model

The SSH common model presented in this section contains identities
and groupings common to both SSH clients and SSH servers. The
transport-params-grouping can be used to configure the list of SSH
transport algorithms permitted by the SSH client or SSH server. The
lists of algorithms are ordered such that, if multiple algorithms are
permitted by the client, the algorithm that appears first in its list
that is also permitted by the server is used for the SSH transport
layer connection. Note that this means a server cannot enforce a
preference merely by reordering its own list: to keep a weak
algorithm from being negotiated, it must be omitted from the list.
The ability to restrict the algorithms allowed is provided in this
grouping for SSH clients and SSH servers that are capable of doing so
and may serve to make SSH clients and SSH servers compliant with
security policies.

Features are defined for algorithms that are OPTIONAL or are not
widely supported by popular implementations. Note that the list of
algorithms is not exhaustive. As well, some algorithms that are
REQUIRED by [RFC4253] are deliberately omitted, notably
"diffie-hellman-group1-sha1", due to their weak security and there
being alternatives that are widely supported. The "ssh-dss"
identity, which [RFC4253] also requires, is defined below but relies
on DSA with SHA-1 and should be avoided for the same reason.
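The negotiation rule stated above (RFC 4253, Section 7.1) is easy to get wrong in practice: operators often assume that putting a strong algorithm first on the server is enough, when in fact the client's order decides. The following Python is an added example, not code from the draft or any SSH implementation. It runs the negotiation over the four ordered lists that transport-params-grouping configures, then lints and hardens those lists. The algorithm names are the ietf-ssh-common identities shown in this document with the "algs:" prefix the instance examples use; the WEAK table is this example's own policy (SHA-1 signatures and key exchange, CBC ciphers) and the CLIENT and SERVER configurations are constructed, none of which the draft itself enumerates.

```python
"""RFC 4253 Section 7.1 algorithm negotiation over the ordered lists that
transport-params-grouping configures (host-key, key-exchange, encryption,
mac), plus a policy lint over those lists.

Added example, not code from the draft.  Algorithm names are the
ietf-ssh-common identities with the 'algs:' prefix; WEAK is this example's
own policy, and CLIENT/SERVER are constructed configurations.
"""

CATEGORIES = ("host-key", "key-exchange", "encryption", "mac")


class NegotiationError(Exception):
    """No algorithm in common for a category; RFC 4253 says both sides
    MUST disconnect."""


def negotiate(client, server):
    """client, server: dict category -> ordered list of algorithm identityrefs.

    Returns dict category -> chosen algorithm.  Per RFC 4253 Section 7.1 the
    winner is the first entry in the *client's* list that the server also
    lists; the server's ordering never matters, only its membership.
    """
    chosen = {}
    for cat in CATEGORIES:
        permitted = set(server.get(cat, ()))
        for alg in client.get(cat, ()):
            if alg in permitted:
                chosen[cat] = alg
                break
        else:
            raise NegotiationError("no common %s algorithm (client %s, server %s)"
                                   % (cat, client.get(cat, []), server.get(cat, [])))
    return chosen


# Example policy (an assumption of this example, not a list from the draft).
WEAK = {
    "algs:ssh-dss":                            "DSA with SHA-1",
    "algs:ssh-rsa":                            "RSASSA-PKCS1-v1_5 with SHA-1",
    "algs:x509v3-ssh-rsa":                     "RSASSA-PKCS1-v1_5 with SHA-1",
    "algs:diffie-hellman-group1-sha1":         "1024-bit MODP group, SHA-1",
    "algs:diffie-hellman-group14-sha1":        "SHA-1 in key exchange",
    "algs:diffie-hellman-group-exchange-sha1": "SHA-1 in key exchange",
    "algs:aes128-cbc":                         "CBC mode",
    "algs:aes192-cbc":                         "CBC mode",
    "algs:aes256-cbc":                         "CBC mode",
}


def lint(params):
    """Return [(category, algorithm, reason)] for every WEAK entry in params."""
    return [(cat, alg, WEAK[alg])
            for cat in CATEGORIES
            for alg in params.get(cat, ())
            if alg in WEAK]


def harden(params):
    """Copy of params with every WEAK entry removed, order otherwise kept.
    Omission, not reordering, is what stops a weak algorithm from being
    negotiated: a peer may still list it first, and the server cannot veto
    it by preference alone."""
    return {cat: [a for a in algs if a not in WEAK] for cat, algs in params.items()}


# Constructed configurations.  The client lists ssh-rsa first; the server
# merely *prefers* ECDSA, which is not enough to avoid ssh-rsa.
CLIENT = {
    "host-key":     ["algs:ssh-rsa", "algs:ecdsa-sha2-nistp256"],
    "key-exchange": ["algs:diffie-hellman-group-exchange-sha256",
                     "algs:diffie-hellman-group14-sha1"],
    "encryption":   ["algs:aes256-ctr", "algs:aes128-cbc"],
    "mac":          ["algs:hmac-sha2-256"],
}
SERVER = {
    "host-key":     ["algs:ecdsa-sha2-nistp256", "algs:ssh-rsa"],
    "key-exchange": ["algs:diffie-hellman-group14-sha1",
                     "algs:diffie-hellman-group-exchange-sha256"],
    "encryption":   ["algs:aes128-cbc", "algs:aes256-ctr"],
    "mac":          ["algs:hmac-sha2-512", "algs:hmac-sha2-256"],
}

if __name__ == "__main__":
    print("as configured:", negotiate(CLIENT, SERVER))          # ssh-rsa wins
    print("weak entries :", lint(CLIENT) + lint(SERVER))
    print("hardened     :", negotiate(harden(CLIENT), harden(SERVER)))
```

With the lists as constructed, the server's preference for ECDSA is ignored and ssh-rsa is negotiated; hardening either side's list is what changes the outcome, and a client that only offers ssh-rsa against a hardened server fails the negotiation rather than silently downgrading.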
5.1. Tree Diagram

The following tree diagram [I-D.ietf-netmod-yang-tree-diagrams]
provides an overview of the data model for the "ietf-ssh-common"
module.

module: ietf-ssh-common

  grouping transport-params-grouping
    +---- host-key
    |  +---- host-key-alg*       identityref
    +---- key-exchange
    |  +---- key-exchange-alg*   identityref
    +---- encryption
    |  +---- encryption-alg*     identityref
    +---- mac
       +---- mac-alg*            identityref
5.2. Example Usage

This section shows how it would appear if the
transport-params-grouping were populated with some data.

<transport-params
    xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"
    xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common">
  <host-key>
    <host-key-alg>algs:x509v3-rsa2048-sha256</host-key-alg>
    <host-key-alg>algs:ssh-rsa</host-key-alg>
  </host-key>
  <key-exchange>
    <key-exchange-alg>algs:diffie-hellman-group-exchange-sha256</key-exchange-alg>
  </key-exchange>
  <encryption>
    <encryption-alg>algs:aes256-ctr</encryption-alg>
    <encryption-alg>algs:aes192-ctr</encryption-alg>
    <encryption-alg>algs:aes128-ctr</encryption-alg>
    <encryption-alg>algs:aes256-cbc</encryption-alg>
    <encryption-alg>algs:aes192-cbc</encryption-alg>
    <encryption-alg>algs:aes128-cbc</encryption-alg>
  </encryption>
  <mac>
    <mac-alg>algs:hmac-sha2-256</mac-alg>
    <mac-alg>algs:hmac-sha2-512</mac-alg>
  </mac>
</transport-params>
5.3. YANG Module

This YANG module has normative references to [RFC4344], [RFC4419],
[RFC5656], and [RFC6668].

<CODE BEGINS> file "ietf-ssh-common@2017-10-30.yang"
module ietf-ssh-common {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
  prefix "sshcmn";

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:
     WG List:

     Author: Kent Watsen

     Author: Gary Wu
    ";

  description
    "This module defines common features, identities, and groupings
     for Secure Shell (SSH).

     Copyright (c) 2017 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision "2017-10-30" {
    description
      "Initial version";
    reference
      "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
  }

  // features

  feature ssh-ecc {
    description
      "Elliptic Curve Cryptography is supported for SSH.";
    reference
      "RFC 5656: Elliptic Curve Algorithm Integration in the
       Secure Shell Transport Layer";
  }

  feature ssh-x509-certs {
    description
      "X.509v3 certificates are supported for SSH as per RFC 6187.";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  feature ssh-dh-group-exchange {
    description
      "Diffie-Hellman Group Exchange is supported for SSH.";
    reference
      "RFC 4419: Diffie-Hellman Group Exchange for the
       Secure Shell (SSH) Transport Layer Protocol";
  }

  feature ssh-ctr {
    description
      "SDCTR encryption mode is supported for SSH.";
    reference
      "RFC 4344: The Secure Shell (SSH) Transport Layer
       Encryption Modes";
  }

  feature ssh-sha2 {
    description
      "The SHA2 family of cryptographic hash functions is supported
       for SSH.";
    reference
      "FIPS PUB 180-4: Secure Hash Standard (SHS)";
  }

  // identities

  identity public-key-alg-base {
    description
      "Base identity used to identify public key algorithms.";
  }

  identity ssh-dss {
    base public-key-alg-base;
    description
      "Digital Signature Algorithm using SHA-1 as the hashing
       algorithm.";
    reference
      "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
  }

  identity ssh-rsa {
    base public-key-alg-base;
    description
      "RSASSA-PKCS1-v1_5 signature scheme using SHA-1 as the hashing
       algorithm.";
    reference
      "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
  }

  identity ecdsa-sha2-nistp256 {
    base public-key-alg-base;
    if-feature "ssh-ecc and ssh-sha2";
    description
      "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp256 curve and the SHA2 family of hashing algorithms.";
    reference
      "RFC 5656: Elliptic Curve Algorithm Integration in the
       Secure Shell Transport Layer";
  }

  identity ecdsa-sha2-nistp384 {
    base public-key-alg-base;
    if-feature "ssh-ecc and ssh-sha2";
    description
      "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp384 curve and the SHA2 family of hashing algorithms.";
    reference
      "RFC 5656: Elliptic Curve Algorithm Integration in the
       Secure Shell Transport Layer";
  }

  identity ecdsa-sha2-nistp521 {
    base public-key-alg-base;
    if-feature "ssh-ecc and ssh-sha2";
    description
      "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp521 curve and the SHA2 family of hashing algorithms.";
    reference
      "RFC 5656: Elliptic Curve Algorithm Integration in the
       Secure Shell Transport Layer";
  }

  identity x509v3-ssh-rsa {
    base public-key-alg-base;
    if-feature ssh-x509-certs;
    description
      "RSASSA-PKCS1-v1_5 signature scheme using a public key stored
       in an X.509v3 certificate and using SHA-1 as the hashing
       algorithm.";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  identity x509v3-rsa2048-sha256 {
    base public-key-alg-base;
    if-feature "ssh-x509-certs and ssh-sha2";
    description
      "RSASSA-PKCS1-v1_5 signature scheme using a public key stored
       in an X.509v3 certificate and using SHA-256 as the hashing
       algorithm. RSA keys conveyed using this format MUST have a
       modulus of at least 2048 bits.";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  identity x509v3-ecdsa-sha2-nistp256 {
    base public-key-alg-base;
    if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
    description
      "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp256 curve with a public key stored in an X.509v3
       certificate and using the SHA2 family of hashing algorithms.";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  identity x509v3-ecdsa-sha2-nistp384 {
    base public-key-alg-base;
    if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
    description
      "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp384 curve with a public key stored in an X.509v3
       certificate and using the SHA2 family of hashing algorithms.";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  identity x509v3-ecdsa-sha2-nistp521 {
    base public-key-alg-base;
    if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
    description
      "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
       nistp521 curve with a public key stored in an X.509v3
       certificate and using the SHA2 family of hashing algorithms.";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  identity key-exchange-alg-base {
    description
      "Base identity used to identify key exchange algorithms.";
  }

  identity diffie-hellman-group14-sha1 {
    base key-exchange-alg-base;
    description
      "Diffie-Hellman key exchange with SHA-1 as HASH and
       Oakley Group 14 (2048-bit MODP Group).";
    reference
      "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
  }

  identity diffie-hellman-group-exchange-sha1 {
1104 base key-exchange-alg-base;
1105 if-feature ssh-dh-group-exchange;
1106 description
1107 "Diffie-Hellman Group and Key Exchange with SHA-1 as HASH.";
1108 reference
1109 "RFC 4419: Diffie-Hellman Group Exchange for the
1110 Secure Shell (SSH) Transport Layer Protocol";
1111 }
1113 identity diffie-hellman-group-exchange-sha256 {
1114 base key-exchange-alg-base;
1115 if-feature "ssh-dh-group-exchange and ssh-sha2";
1116 description
1117 "Diffie-Hellman Group and Key Exchange with SHA-256 as HASH.";
1118 reference
1119 "RFC 4419: Diffie-Hellman Group Exchange for the
1120 Secure Shell (SSH) Transport Layer Protocol";
1121 }
1123 identity ecdh-sha2-nistp256 {
1124 base key-exchange-alg-base;
1125 if-feature "ssh-ecc and ssh-sha2";
1126 description
1127 "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
1128 nistp256 curve and the SHA2 family of hashing algorithms.";
1129 reference
1130 "RFC 5656: Elliptic Curve Algorithm Integration in the
1131 Secure Shell Transport Layer";
1132 }
1134 identity ecdh-sha2-nistp384 {
1135 base key-exchange-alg-base;
1136 if-feature "ssh-ecc and ssh-sha2";
1137 description
1138 "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
1140 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1142 nistp384 curve and the SHA2 family of hashing algorithms.";
1143 reference
1144 "RFC 5656: Elliptic Curve Algorithm Integration in the
1145 Secure Shell Transport Layer";
1146 }
1148 identity ecdh-sha2-nistp521 {
1149 base key-exchange-alg-base;
1150 if-feature "ssh-ecc and ssh-sha2";
1151 description
1152 "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
1153 nistp521 curve and the SHA2 family of hashing algorithms.";
1154 reference
1155 "RFC 5656: Elliptic Curve Algorithm Integration in the
1156 Secure Shell Transport Layer";
1157 }
1159 identity encryption-alg-base {
1160 description
1161 "Base identity used to identify encryption algorithms.";
1162 }
1164 identity triple-des-cbc {
1165 base encryption-alg-base;
1166 description
1167 "Three-key 3DES in CBC mode.";
1168 reference
1169 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1170 }
1172 identity aes128-cbc {
1173 base encryption-alg-base;
1174 description
1175 "AES in CBC mode, with a 128-bit key.";
1176 reference
1177 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1178 }
1180 identity aes192-cbc {
1181 base encryption-alg-base;
1182 description
1183 "AES in CBC mode, with a 192-bit key.";
1184 reference
1185 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1186 }
1188 identity aes256-cbc {
1189 base encryption-alg-base;
1191 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1193 description
1194 "AES in CBC mode, with a 256-bit key.";
1195 reference
1196 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1197 }
1199 identity aes128-ctr {
1200 base encryption-alg-base;
1201 if-feature ssh-ctr;
1202 description
1203 "AES in SDCTR mode, with 128-bit key.";
1204 reference
1205 "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
1206 Modes";
1207 }
1209 identity aes192-ctr {
1210 base encryption-alg-base;
1211 if-feature ssh-ctr;
1212 description
1213 "AES in SDCTR mode, with 192-bit key.";
1214 reference
1215 "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
1216 Modes";
1217 }
1219 identity aes256-ctr {
1220 base encryption-alg-base;
1221 if-feature ssh-ctr;
1222 description
1223 "AES in SDCTR mode, with 256-bit key.";
1224 reference
1225 "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
1226 Modes";
1227 }
1229 identity mac-alg-base {
1230 description
1231 "Base identity used to identify message authentication
1232 code (MAC) algorithms.";
1233 }
1235 identity hmac-sha1 {
1236 base mac-alg-base;
1237 description
1238 "HMAC-SHA1";
1239 reference
1240 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1242 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1244 }
1246 identity hmac-sha2-256 {
1247 base mac-alg-base;
1248 if-feature "ssh-sha2";
1249 description
1250 "HMAC-SHA2-256";
1251 reference
1252 "RFC 6668: SHA-2 Data Integrity Verification for the
1253 Secure Shell (SSH) Transport Layer Protocol";
1254 }
1256 identity hmac-sha2-512 {
1257 base mac-alg-base;
1258 if-feature "ssh-sha2";
1259 description
1260 "HMAC-SHA2-512";
1261 reference
1262 "RFC 6668: SHA-2 Data Integrity Verification for the
1263 Secure Shell (SSH) Transport Layer Protocol";
1264 }
1266 // groupings
1268 grouping transport-params-grouping {
1269 description
1270 "A reusable grouping for SSH transport parameters.";
1271 reference
1272 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
1273 container host-key {
1274 description
1275 "Parameters regarding host key.";
1276 leaf-list host-key-alg {
1277 type identityref {
1278 base public-key-alg-base;
1279 }
1280 ordered-by user;
1281 description
1282 "Acceptable host key algorithms in order of descending
1283 preference.
1285 If this leaf-list is not configured (has zero elements)
1286 the acceptable host key algorithms are implementation-
1287 defined.";
1288 }
1289 }
1290 container key-exchange {
1291 description
1293 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1295 "Parameters regarding key exchange.";
1296 leaf-list key-exchange-alg {
1297 type identityref {
1298 base key-exchange-alg-base;
1299 }
1300 ordered-by user;
1301 description
1302 "Acceptable key exchange algorithms in order of descending
1303 preference.
1305 If this leaf-list is not configured (has zero elements)
1306 the acceptable key exchange algorithms are implementation-
1307 defined.";
1308 }
1309 }
1310 container encryption {
1311 description
1312 "Parameters regarding encryption.";
1313 leaf-list encryption-alg {
1314 type identityref {
1315 base encryption-alg-base;
1316 }
1317 ordered-by user;
1318 description
1319 "Acceptable encryption algorithms in order of descending
1320 preference.
1322 If this leaf-list is not configured (has zero elements)
1323 the acceptable encryption algorithms are implementation-
1324 defined.";
1325 }
1326 }
1327 container mac {
1328 description
1329 "Parameters regarding message authentication code (MAC).";
1330 leaf-list mac-alg {
1331 type identityref {
1332 base mac-alg-base;
1333 }
1334 ordered-by user;
1335 description
1336 "Acceptable MAC algorithms in order of descending
1337 preference.
1339 If this leaf-list is not configured (has zero elements)
1340 the acceptable MAC algorithms are implementation-
1341 defined.";
1342 }
1344 Internet-DrafYANG Groupings for SSH Clients and SSH Servers October 2017
1346 }
1348 } // transport-params-grouping
1350 }
1351
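   The algorithm identities and the transport-params-grouping together
   fix what a valid instance looks like: every leaf-list value must be an
   identity derived from the base that the leaf-list names, every
   if-feature on that identity must be supported by the implementation
   being configured, and list order is preference order.  The following
   is an added example written for this page; it is not code from the
   draft or from any NETCONF implementation.  It transcribes the identity
   table from the ietf-ssh-common module text above into Python, checks a
   constructed RFC 7951 (JSON) style instance of the grouping against a
   constructed feature set, renders each list as the SSH name-list the
   algorithms take inside SSH_MSG_KEXINIT, and flags SHA-1 based and
   CBC-mode entries.  The flagging is practitioner guidance, not a
   statement the draft makes; the sample instance, the feature set and
   all function names are assumptions of the example.

```python
# Added example for this page (not code from the draft): validate an
# instance of transport-params-grouping against the identities declared
# in ietf-ssh-common and render the SSH name-lists it configures.

# identity -> (base identity, features named in its if-feature statement),
# transcribed from the module text (only the identities shown there).
IDENTITIES = {
    "ecdsa-sha2-nistp256": ("public-key-alg-base", {"ssh-ecc", "ssh-sha2"}),
    "ecdsa-sha2-nistp384": ("public-key-alg-base", {"ssh-ecc", "ssh-sha2"}),
    "ecdsa-sha2-nistp521": ("public-key-alg-base", {"ssh-ecc", "ssh-sha2"}),
    "x509v3-ssh-rsa": ("public-key-alg-base", {"ssh-x509-certs"}),
    "x509v3-rsa2048-sha256": ("public-key-alg-base", {"ssh-x509-certs", "ssh-sha2"}),
    "x509v3-ecdsa-sha2-nistp256": ("public-key-alg-base", {"ssh-ecc", "ssh-x509-certs", "ssh-sha2"}),
    "x509v3-ecdsa-sha2-nistp384": ("public-key-alg-base", {"ssh-ecc", "ssh-x509-certs", "ssh-sha2"}),
    "x509v3-ecdsa-sha2-nistp521": ("public-key-alg-base", {"ssh-ecc", "ssh-x509-certs", "ssh-sha2"}),
    "diffie-hellman-group14-sha1": ("key-exchange-alg-base", set()),
    "diffie-hellman-group-exchange-sha1": ("key-exchange-alg-base", {"ssh-dh-group-exchange"}),
    "diffie-hellman-group-exchange-sha256": ("key-exchange-alg-base", {"ssh-dh-group-exchange", "ssh-sha2"}),
    "ecdh-sha2-nistp256": ("key-exchange-alg-base", {"ssh-ecc", "ssh-sha2"}),
    "ecdh-sha2-nistp384": ("key-exchange-alg-base", {"ssh-ecc", "ssh-sha2"}),
    "ecdh-sha2-nistp521": ("key-exchange-alg-base", {"ssh-ecc", "ssh-sha2"}),
    "triple-des-cbc": ("encryption-alg-base", set()),
    "aes128-cbc": ("encryption-alg-base", set()),
    "aes192-cbc": ("encryption-alg-base", set()),
    "aes256-cbc": ("encryption-alg-base", set()),
    "aes128-ctr": ("encryption-alg-base", {"ssh-ctr"}),
    "aes192-ctr": ("encryption-alg-base", {"ssh-ctr"}),
    "aes256-ctr": ("encryption-alg-base", {"ssh-ctr"}),
    "hmac-sha1": ("mac-alg-base", set()),
    "hmac-sha2-256": ("mac-alg-base", {"ssh-sha2"}),
    "hmac-sha2-512": ("mac-alg-base", {"ssh-sha2"}),
}
# (container, leaf-list, required base) as transport-params-grouping declares them.
LEAF_LISTS = (
    ("host-key", "host-key-alg", "public-key-alg-base"),
    ("key-exchange", "key-exchange-alg", "key-exchange-alg-base"),
    ("encryption", "encryption-alg", "encryption-alg-base"),
    ("mac", "mac-alg", "mac-alg-base"),
)
# YANG identity name -> SSH wire name where the two differ: RFC 4253 names
# three-key 3DES in CBC mode "3des-cbc".  The other identities are wire names.
WIRE_NAMES = {"triple-des-cbc": "3des-cbc"}
# SHA-1 based or CBC-mode algorithms: practitioner guidance, not a draft statement.
LEGACY = {n for n in IDENTITIES if n.endswith("sha1") or n.endswith("-cbc") or n == "x509v3-ssh-rsa"}


def local_name(value):
    """RFC 7951 JSON writes an identityref as 'module-name:identity' and XML
    as 'prefix:identity'; keep only the identity name."""
    return value.rsplit(":", 1)[-1]


def entries(params, container, leaf):
    """Identity names configured in one leaf-list, in configured order."""
    return [local_name(v) for v in params.get(container, {}).get(leaf, [])]


def validate(params, features):
    """Return the problems in a transport-params instance (empty list = ok).
    params is a dict shaped like the grouping; features is the set of YANG
    feature names the implementation supports.  An absent or empty leaf-list
    is fine: the grouping then leaves the algorithms implementation-defined."""
    problems = []
    for container, leaf, base in LEAF_LISTS:
        seen = set()
        for name in entries(params, container, leaf):
            if name in seen:  # config leaf-list values must be unique (RFC 7950)
                problems.append(f"{leaf}: duplicate entry {name}")
            seen.add(name)
            if name not in IDENTITIES:
                problems.append(f"{leaf}: unknown identity {name}")
                continue
            actual_base, needed = IDENTITIES[name]
            if actual_base != base:
                problems.append(f"{leaf}: {name} is derived from {actual_base}, not {base}")
            missing = sorted(needed - set(features))
            if missing:
                problems.append(f"{leaf}: {name} needs feature(s) {' '.join(missing)}")
    return problems


def name_list(params, container, leaf):
    """One leaf-list as an SSH name-list: comma-separated, most preferred first."""
    return ",".join(WIRE_NAMES.get(n, n) for n in entries(params, container, leaf))


def legacy_entries(params):
    """Configured algorithms a reviewer should question (SHA-1 or CBC)."""
    return [f"{leaf}: {n}" for container, leaf, _ in LEAF_LISTS
            for n in entries(params, container, leaf) if n in LEGACY]


# Constructed sample instance (RFC 7951 JSON style) and constructed feature
# set; neither comes from the draft.
SAMPLE = {
    "host-key": {"host-key-alg": ["ietf-ssh-common:ecdsa-sha2-nistp256",
                                  "ietf-ssh-common:x509v3-rsa2048-sha256"]},
    "key-exchange": {"key-exchange-alg": ["ietf-ssh-common:ecdh-sha2-nistp256",
                                          "ietf-ssh-common:diffie-hellman-group14-sha1"]},
    "encryption": {"encryption-alg": ["ietf-ssh-common:aes256-ctr",
                                      "ietf-ssh-common:triple-des-cbc"]},
    "mac": {"mac-alg": ["ietf-ssh-common:hmac-sha2-256"]},
}
SAMPLE_FEATURES = {"ssh-ecc", "ssh-sha2", "ssh-ctr", "ssh-x509-certs"}
```

   Calling validate(SAMPLE, SAMPLE_FEATURES) returns an empty list, and
   name_list(SAMPLE, "encryption", "encryption-alg") yields
   "aes256-ctr,3des-cbc", the wire form an SSH client or server would
   advertise.  The feature check matters in practice: an identity such as
   diffie-hellman-group-exchange-sha256 is only valid on a device that
   advertises both ssh-dh-group-exchange and ssh-sha2, and a server that
   silently ignored an unsupported entry would negotiate something other
   than what the operator configured.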
6.  Security Considerations

   The YANG modules defined in this document are designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-implement
   secure transport layers (e.g., SSH, TLS) with mutual authentication.

   The NETCONF access control model (NACM) [RFC6536] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   Since the modules defined in this document define only groupings,
   these considerations are primarily for the designers of other modules
   that use these groupings.

   There are a number of data nodes defined in the YANG modules that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /:  The entire data tree defined by all the modules defined in this
       draft is sensitive to write operations.  For instance, the
       addition or removal of references to keys, certificates,
       trusted anchors, etc., can dramatically alter the implemented
       security policy.  However, no NACM annotations are applied as
       the data SHOULD be editable by users other than a designated
       'recovery session'.

   Some of the readable data nodes in the YANG modules may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   /client-auth/password:  This node in the 'ietf-ssh-client' module
       is additionally sensitive to read operations such that, in
       normal use cases, it should never be returned to a client.  The
       only time this node should be returned is to support backup/
       restore type workflows.  This being the case, this node is
       marked with the NACM value 'default-deny-all'.

   Some of the RPC operations in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations.  These are the
   operations and their sensitivity/vulnerability:

   NONE
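   The two NACM statements above have a concrete configuration
   consequence for whoever deploys a module that uses these groupings:
   writes to the SSH subtree need an explicit permit for the
   administrator group, and because the password leaf carries
   'default-deny-all', even a permissive read-default does not expose it;
   a backup role needs its own explicit read permit scoped to that leaf.
   The following NACM [RFC6536] instance is an added example for this
   page, not configuration from the draft.  The draft defines only
   groupings, so the module name 'example-netconf-client', its namespace
   'urn:example:netconf-client', the instance path, the group names and
   the user names are all assumptions of the example; a real deployment
   substitutes the using module's name and the path at which it places
   the grouping.

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Ordinary users may read configuration and invoke RPCs but not
       change anything; writes need an explicit rule. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <groups>
    <group>
      <name>ssh-admins</name>
      <user-name>alice</user-name>   <!-- assumed user -->
    </group>
    <group>
      <name>backup-operators</name>
      <user-name>backup</user-name>  <!-- assumed user -->
    </group>
  </groups>

  <!-- Administrators may create, change and delete the SSH client
       configuration held in the hypothetical using module.  This rule
       says nothing about "read", so it does not override the
       default-deny-all on the password leaf: admins can set the
       password but a get-config from them does not return it. -->
  <rule-list>
    <name>ssh-admin-write</name>
    <group>ssh-admins</group>
    <rule>
      <name>edit-ssh-client-config</name>
      <module-name>example-netconf-client</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <!-- The backup/restore workflow the draft mentions is the one case
       in which the password should be returned, so the read permit is
       limited to that group and to the password leaf itself. -->
  <rule-list>
    <name>backup-restore</name>
    <group>backup-operators</group>
    <rule>
      <name>read-ssh-client-password</name>
      <module-name>example-netconf-client</module-name>
      <path xmlns:exc="urn:example:netconf-client">/exc:netconf-client/exc:ssh/exc:client-auth/exc:password</path>
      <access-operations>read</access-operations>
      <action>permit</action>
      <comment>Explicit permit required because the leaf is nacm:default-deny-all.</comment>
    </rule>
  </rule-list>
</nacm>
```

   The rule-lists are evaluated in order and the first matching rule
   wins, so a deployment that also wants to let ssh-admins read the
   password for troubleshooting must add a read rule for that group
   rather than relying on the write rule or on read-default.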
7.  IANA Considerations

7.1.  The IETF XML Registry

   This document registers three URIs in the IETF XML registry
   [RFC3688].  Following the format in [RFC3688], the following
   registrations are requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

7.2.  The YANG Module Names Registry

   This document registers three YANG modules in the YANG Module Names
   registry [RFC7950].  Following the format in [RFC7950], the
   following registrations are requested:

      name:      ietf-ssh-client
      namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client
      prefix:    sshc
      reference: RFC XXXX

      name:      ietf-ssh-server
      namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server
      prefix:    sshs
      reference: RFC XXXX

      name:      ietf-ssh-common
      namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common
      prefix:    sshcmn
      reference: RFC XXXX
8.  Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
   Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
   Juergen Schoenwaelder, Phil Shafer, Sean Turner, Michal Vasko, and
   Bert Wijnen.
9.  References

9.1.  Normative References

   [I-D.ietf-netconf-keystore]
              Watsen, K., "Keystore Model", draft-ietf-netconf-
              keystore-02 (work in progress), June 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4344]  Bellare, M., Kohno, T., and C. Namprempre, "The Secure
              Shell (SSH) Transport Layer Encryption Modes", RFC 4344,
              DOI 10.17487/RFC4344, January 2006.

   [RFC4419]  Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman
              Group Exchange for the Secure Shell (SSH) Transport Layer
              Protocol", RFC 4419, DOI 10.17487/RFC4419, March 2006.

   [RFC5656]  Stebila, D. and J. Green, "Elliptic Curve Algorithm
              Integration in the Secure Shell Transport Layer",
              RFC 5656, DOI 10.17487/RFC5656, December 2009.

   [RFC6187]  Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure
              Shell Authentication", RFC 6187, DOI 10.17487/RFC6187,
              March 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6668]  Bider, D. and M. Baushke, "SHA-2 Data Integrity
              Verification for the Secure Shell (SSH) Transport Layer
              Protocol", RFC 6668, DOI 10.17487/RFC6668, July 2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

9.2.  Informative References

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
              ietf-netmod-yang-tree-diagrams-02 (work in progress),
              October 2017.

   [OPENSSH]  "OpenSSH", 2016.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4252]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
              January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006.

   [RFC4254]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Connection Protocol", RFC 4254, DOI 10.17487/RFC4254,
              January 2006.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8071]  Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
              RFC 8071, DOI 10.17487/RFC8071, February 2017.
Appendix A.  Change Log

A.1.  00 to 01

   o  Noted that '0.0.0.0' and '::' might have special meanings.

   o  Renamed "keychain" to "keystore".

A.2.  01 to 02

   o  Removed the groupings 'listening-ssh-client-grouping' and
      'listening-ssh-server-grouping'.  Now modules only contain the
      transport-independent groupings.

   o  Simplified the "client-auth" part in the ietf-ssh-client module.
      It now inlines what it used to point to keystore for.

   o  Added cipher suites for various algorithms into new 'ietf-ssh-
      common' module.

A.3.  02 to 03

   o  Removed 'RESTRICTED' enum from 'password' leaf type.

   o  Added a 'must' statement to container 'server-auth' asserting that
      at least one of the various auth mechanisms must be specified.

   o  Fixed description statement for leaf 'trusted-ca-certs'.

A.4.  03 to 04

   o  Changed title to "YANG Groupings for SSH Clients and SSH Servers".

   o  Added reference to RFC 6668.

   o  Added RFC 8174 to Requirements Language Section.

   o  Enhanced description statement for ietf-ssh-server's "trusted-ca-
      certs" leaf.

   o  Added mandatory true to ietf-ssh-client's "client-auth" 'choice'
      statement.

   o  Changed the YANG prefix for module ietf-ssh-common from 'sshcom'
      to 'sshcmn'.

   o  Removed the compression algorithms as they are not commonly
      configurable in vendors' implementations.

   o  Updated descriptions in transport-params-grouping and the
      server's usage of it.

   o  Tree diagrams now reference ietf-netmod-yang-tree-diagrams.

   o  Updated YANG to use typedefs around leafrefs to common keystore
      paths.

   o  Now inlines key and certificates (no longer a leafref to keystore).

A.5.  04 to 05

   o  Merged changes from co-author.

Authors' Addresses

   Kent Watsen
   Juniper Networks

   EMail: kwatsen@juniper.net


   Gary Wu
   Cisco Systems

   EMail: garywu@cisco.com