NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                            18 June 2021
Expires: 20 December 2021


             YANG Groupings for SSH Clients and SSH Servers
                draft-ietf-netconf-ssh-client-server-25

Abstract

   This document defines three YANG 1.1 modules: the first defines
   features and groupings common to both SSH clients and SSH servers,
   the second defines a grouping for a generic SSH client, and the third
   defines a grouping for a generic SSH server.

Editorial Note (To be removed by RFC Editor)

   This draft contains placeholder values that need to be replaced with
   finalized values at the time of publication.  This note summarizes
   all of the substitutions that are needed.  No other RFC Editor
   instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   *  "AAAA" --> the assigned RFC value for draft-ietf-netconf-crypto-types

   *  "BBBB" --> the assigned RFC value for draft-ietf-netconf-trust-anchors

   *  "CCCC" --> the assigned RFC value for draft-ietf-netconf-keystore

   *  "DDDD" --> the assigned RFC value for draft-ietf-netconf-tcp-client-server

   *  "EEEE" --> the assigned RFC value for this draft

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   *  "2021-06-18" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   *  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 December 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Relation to other RFCs
     1.2.  Specification Language
     1.3.  Adherence to the NMDA
   2.  The "ietf-ssh-common" Module
     2.1.  Data Model Overview
     2.2.  Example Usage
     2.3.  YANG Module
   3.  The "ietf-ssh-client" Module
     3.1.  Data Model Overview
     3.2.  Example Usage
     3.3.  YANG Module
   4.  The "ietf-ssh-server" Module
     4.1.  Data Model Overview
     4.2.  Example Usage
     4.3.  YANG Module
   5.  Security Considerations
     5.1.  The "iana-ssh-key-exchange-algs" Module
     5.2.  The "iana-ssh-encryption-algs" Module
     5.3.  The "iana-ssh-mac-algs" Module
     5.4.  The "iana-ssh-public-key-algs" Module
     5.5.  The "ietf-ssh-common" YANG Module
     5.6.  The "ietf-ssh-client" YANG Module
     5.7.  The "ietf-ssh-server" YANG Module
   6.  IANA Considerations
     6.1.  The "IETF XML" Registry
     6.2.  The "YANG Module Names" Registry
     6.3.  The "iana-ssh-encryption-algs" Module
     6.4.  The "iana-ssh-mac-algs" Module
     6.5.  The "iana-ssh-public-key-algs" Module
     6.6.  The "iana-ssh-key-exchange-algs" Module
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  YANG Modules for IANA
     A.1.  Initial Module for the "Encryption Algorithm Names" Registry
       A.1.1.  Data Model Overview
       A.1.2.  Example Usage
       A.1.3.  YANG Module
     A.2.  Initial Module for the "MAC Algorithm Names" Registry
       A.2.1.  Data Model Overview
       A.2.2.  Example Usage
       A.2.3.  YANG Module
     A.3.  Initial Module for the "Public Key Algorithm Names" Registry
       A.3.1.  Data Model Overview
       A.3.2.  Example Usage
       A.3.3.  YANG Module
     A.4.  Initial Module for the "Key Exchange Method Names" Registry
       A.4.1.  Data Model Overview
       A.4.2.  Example Usage
       A.4.3.  YANG Module
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10. 09 to 10
     B.11. 10 to 11
     B.12. 11 to 12
     B.13. 12 to 13
     B.14. 13 to 14
     B.15. 14 to 15
     B.16. 15 to 16
     B.17. 16 to 17
     B.18. 17 to 18
     B.19. 18 to 19
     B.20. 19 to 20
     B.21. 20 to 21
     B.22. 21 to 22
     B.23. 22 to 23
     B.24. 23 to 24
     B.25. 24 to 25
   Acknowledgements
   Contributors
   Author's Address

1.  Introduction

   This document defines three YANG 1.1 [RFC7950] modules: the first
   defines features and groupings common to both SSH clients and SSH
   servers, the second defines a grouping for a generic SSH client, and
   the third defines a grouping for a generic SSH server.  It is
   intended that these groupings will be used by applications using the
   SSH protocol [RFC4252], [RFC4253], and [RFC4254].  For instance,
   these groupings could be used to help define the data model for an
   OpenSSH [OPENSSH] server or a NETCONF over SSH [RFC6242] based
   server.
   The client and server YANG modules in this document each define one
   grouping, which is focused on just SSH-specific configuration, and
   specifically avoids any transport-level configuration, such as what
   ports to listen on or connect to.  This affords applications the
   opportunity to define their own strategy for how the underlying TCP
   connection is established.  For instance, applications supporting
   NETCONF Call Home [RFC8071] could use the "ssh-server-grouping"
   grouping for the SSH parts it provides, while adding data nodes for
   the TCP-level call-home configuration.

   The modules defined in this document use groupings defined in
   [I-D.ietf-netconf-keystore], enabling keys to be either locally
   defined or a reference to globally configured values.

   The modules defined in this document optionally support [RFC6187],
   enabling X.509v3 certificate-based host keys and public keys.

1.1.  Relation to other RFCs

   This document presents one or more YANG modules [RFC7950] that are
   part of a collection of RFCs that work together to, ultimately,
   enable the configuration of the clients and servers of both the
   NETCONF [RFC6241] and RESTCONF [RFC8040] protocols.

   The modules have been defined in a modular fashion to enable their
   use by other efforts, some of which are known to be in progress at
   the time of this writing, with many more expected to be defined in
   time.

   The normative dependency relationship between the various RFCs in the
   collection is presented in the below diagram.  The labels in the
   diagram represent the primary purpose provided by each RFC.
   Hyperlinks to each RFC are provided below the diagram.

                               crypto-types
                                 ^      ^
                                /        \
                               /          \
                      truststore         keystore
                       ^     ^             ^  ^
                       |     +---------+   |  |
                       |               |   |  |
                       |       +-------|---+  |
   tcp-client-server   |       |       |      |
     ^    ^      ssh-client-server     |      |
     |    |            ^          tls-client-server
     |    |            |            ^    ^        http-client-server
     |    |            |            |    |           ^
     |    |            |      +-----+    +-----+     |
     |    |            |      |                |     |
     |    +------------|------|------------+   |     |
     |                 |      |            |   |     |
     +-----------+     |      |            |   |     |
                 |     |      |            |   |     |
            netconf-client-server       restconf-client-server

   +=======================+===========================================+
   | Label in Diagram      | Originating RFC                           |
   +=======================+===========================================+
   | crypto-types          | [I-D.ietf-netconf-crypto-types]           |
   +-----------------------+-------------------------------------------+
   | truststore            | [I-D.ietf-netconf-trust-anchors]          |
   +-----------------------+-------------------------------------------+
   | keystore              | [I-D.ietf-netconf-keystore]               |
   +-----------------------+-------------------------------------------+
   | tcp-client-server     | [I-D.ietf-netconf-tcp-client-server]      |
   +-----------------------+-------------------------------------------+
   | ssh-client-server     | [I-D.ietf-netconf-ssh-client-server]      |
   +-----------------------+-------------------------------------------+
   | tls-client-server     | [I-D.ietf-netconf-tls-client-server]      |
   +-----------------------+-------------------------------------------+
   | http-client-server    | [I-D.ietf-netconf-http-client-server]     |
   +-----------------------+-------------------------------------------+
   | netconf-client-server | [I-D.ietf-netconf-netconf-client-server]  |
   +-----------------------+-------------------------------------------+
   | restconf-client-server| [I-D.ietf-netconf-restconf-client-server] |
   +-----------------------+-------------------------------------------+

                      Table 1: Label to RFC Mapping

1.2.  Specification Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.3.  Adherence to the NMDA

   This document is compliant with the Network Management Datastore
   Architecture (NMDA) [RFC8342].  For instance, as described in
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore],
   trust anchors and keys installed during manufacturing are expected to
   appear in <operational>.

2.  The "ietf-ssh-common" Module

   The SSH common model presented in this section contains features and
   groupings common to both SSH clients and SSH servers.  The
   "transport-params-grouping" grouping can be used to configure the
   list of SSH transport algorithms permitted by the SSH client or SSH
   server.  The lists of algorithms are ordered such that, if multiple
   algorithms are permitted by the client, the algorithm that appears
   first in its list that is also permitted by the server is used for
   the SSH transport layer connection.  The ability to restrict the
   algorithms allowed is provided in this grouping for SSH clients and
   SSH servers that are capable of doing so and may serve to make SSH
   clients and SSH servers compliant with security policies.

2.1.  Data Model Overview

   This section provides an overview of the "ietf-ssh-common" module in
   terms of its features, identities, and groupings.

2.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-ssh-common" module:

   Features:
     +-- ssh-x509-certs
     +-- transport-params

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

2.1.2.  Groupings

   The "ietf-ssh-common" module defines the following "grouping"
   statement:

   *  transport-params-grouping

   This grouping is presented in the following subsection.

2.1.2.1.  The "transport-params-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "transport-
   params-grouping" grouping:

   grouping transport-params-grouping
     +-- host-key
     |  +-- host-key-alg*        identityref
     +-- key-exchange
     |  +-- key-exchange-alg*    identityref
     +-- encryption
     |  +-- encryption-alg*      identityref
     +-- mac
        +-- mac-alg*             identityref

   Comments:

   *  This grouping is used by both the "ssh-client-grouping" and the
      "ssh-server-grouping" groupings defined in Section 3.1.2.1 and
      Section 4.1.2.1, respectively.

   *  This grouping enables client and server configurations to specify
      the algorithms that are to be used when establishing SSH sessions.

   *  Each list is "ordered-by user".

2.1.3.  Protocol-accessible Nodes

   The "ietf-ssh-common" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

2.2.  Example Usage

   The following example illustrates how the "transport-params-
   grouping" grouping appears when populated with some data, shown as a
   tree of nodes with their values.  The prefixes sshpka, sshkea, sshea,
   and sshma are those of the IANA modules imported in Section 2.3:

   transport-params
     host-key
       host-key-alg: sshpka:x509v3-rsa2048-sha256
       host-key-alg: sshpka:ssh-rsa
     key-exchange
       key-exchange-alg: sshkea:diffie-hellman-group-exchange-sha256
     encryption
       encryption-alg: sshea:aes256-ctr
       encryption-alg: sshea:aes192-ctr
       encryption-alg: sshea:aes128-ctr
       encryption-alg: sshea:aes256-cbc
       encryption-alg: sshea:aes192-cbc
       encryption-alg: sshea:aes128-cbc
     mac
       mac-alg: sshma:hmac-sha2-256
       mac-alg: sshma:hmac-sha2-512

2.3.  YANG Module

   This YANG module has normative references to [RFC4253], [RFC4344],
   [RFC4419], [RFC5656], [RFC6187], and [RFC6668].
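   The negotiation rule stated at the start of Section 2 (the first
   algorithm in the client's ordered list that the server also permits
   wins) and the "zero elements means implementation-defined" rule in
   the leaf-list descriptions of Section 2.3, worked through in code.
   This is an added example, not artwork from the draft: the client
   lists are the Section 2.2 data, while the server policy, the
   implementation defaults, and the "sshma:hmac-sha1" identity used for
   the failure case are constructed for the example.

```python
"""Added example: algorithm negotiation over transport-params-grouping."""
from typing import Dict, List, Sequence, Tuple, Optional

LEAF_LISTS = ("host-key-alg", "key-exchange-alg", "encryption-alg", "mac-alg")

# Client side: the Section 2.2 example data, keyed by leaf-list name.
CLIENT_PARAMS: Dict[str, List[str]] = {
    "host-key-alg": ["sshpka:x509v3-rsa2048-sha256", "sshpka:ssh-rsa"],
    "key-exchange-alg": ["sshkea:diffie-hellman-group-exchange-sha256"],
    "encryption-alg": [
        "sshea:aes256-ctr", "sshea:aes192-ctr", "sshea:aes128-ctr",
        "sshea:aes256-cbc", "sshea:aes192-cbc", "sshea:aes128-cbc",
    ],
    "mac-alg": ["sshma:hmac-sha2-256", "sshma:hmac-sha2-512"],
}

# Server side: a constructed policy that permits only CTR-mode ciphers and
# the certificate host-key algorithm, lists its MACs in the opposite order
# to the client, and leaves key-exchange-alg unconfigured (zero elements).
SERVER_PARAMS: Dict[str, List[str]] = {
    "host-key-alg": ["sshpka:x509v3-rsa2048-sha256"],
    "key-exchange-alg": [],
    "encryption-alg": ["sshea:aes128-ctr", "sshea:aes256-ctr"],
    "mac-alg": ["sshma:hmac-sha2-512", "sshma:hmac-sha2-256"],
}

# Constructed server that shares no MAC with the client (hmac-sha1 is a
# constructed identity name here, used only to force a failure).
SERVER_SHA1_MAC_ONLY: Dict[str, List[str]] = dict(
    SERVER_PARAMS, **{"mac-alg": ["sshma:hmac-sha1"]})

# Constructed implementation defaults, applied when a list has zero
# elements; a real implementation supplies its own set.
IMPLEMENTATION_DEFAULTS: Dict[str, List[str]] = {
    "host-key-alg": ["sshpka:ssh-rsa"],
    "key-exchange-alg": ["sshkea:diffie-hellman-group-exchange-sha256"],
    "encryption-alg": ["sshea:aes128-ctr"],
    "mac-alg": ["sshma:hmac-sha2-256"],
}


class NegotiationFailure(ValueError):
    """Raised when the two lists share no algorithm (the session cannot start)."""


def effective_list(configured: Sequence[str], default: Sequence[str]) -> List[str]:
    """Section 2.3: an unconfigured (empty) leaf-list is implementation-defined."""
    return list(configured) if configured else list(default)


def negotiate_one(client_list: Sequence[str], server_list: Sequence[str]) -> str:
    """First entry of the client's list that the server also permits.

    Only the client's order matters; the server's list acts as a filter.
    The leaf-lists are "ordered-by user" so that the operator's order is
    exactly the preference order the client offers."""
    server_allowed = set(server_list)
    for alg in client_list:
        if alg in server_allowed:
            return alg
    raise NegotiationFailure(
        f"no common algorithm: client {list(client_list)} vs server {list(server_list)}")


def negotiate_transport(client: Dict[str, List[str]], server: Dict[str, List[str]],
                        defaults: Dict[str, List[str]] = IMPLEMENTATION_DEFAULTS,
                        ) -> Dict[str, str]:
    """Negotiate all four leaf-lists of transport-params-grouping."""
    return {
        leaf: negotiate_one(
            effective_list(client.get(leaf, []), defaults[leaf]),
            effective_list(server.get(leaf, []), defaults[leaf]))
        for leaf in LEAF_LISTS
    }


def negotiation_outcome(client, server) -> Tuple[Optional[Dict[str, str]], Optional[str]]:
    """(chosen algorithms, None) on success; (None, reason) when no match exists."""
    try:
        return negotiate_transport(client, server), None
    except NegotiationFailure as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(negotiate_transport(CLIENT_PARAMS, SERVER_PARAMS))
    print(negotiation_outcome(CLIENT_PARAMS, SERVER_SHA1_MAC_ONLY))
```

   Against the constructed server policy the client's CBC entries are
   never selected even though the client lists them, which is the
   "compliant with security policies" effect the section describes:
   restricting one side's list is enough to keep an algorithm off the
   wire, and removing every shared entry makes the transport layer fail
   rather than fall back.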
   <CODE BEGINS> file "ietf-ssh-common@2021-06-18.yang"
   module ietf-ssh-common {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
     prefix sshcmn;

     import iana-ssh-encryption-algs {
       prefix sshea;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import iana-ssh-key-exchange-algs {
       prefix sshkea;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import iana-ssh-mac-algs {
       prefix sshma;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import iana-ssh-public-key-algs {
       prefix sshpka;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu";

     description
       "This module defines common features and groupings for
        Secure Shell (SSH).

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2021-06-18 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Features

     feature ssh-x509-certs {
       description
         "X.509v3 certificates are supported for SSH.";
       reference
         "RFC 6187: X.509v3 Certificates for Secure Shell
                    Authentication";
     }

     feature transport-params {
       description
         "SSH transport layer parameters are configurable.";
     }

     // Groupings

     grouping transport-params-grouping {
       description
         "A reusable grouping for SSH transport parameters.";
       reference
         "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
       container host-key {
         description
           "Parameters regarding host key.";
         leaf-list host-key-alg {
           type identityref {
             base sshpka:public-key-alg-base;
           }
           ordered-by user;
           description
             "Acceptable host key algorithms in order of descending
              preference.  The configured host key algorithms should
              be compatible with the algorithm used by the configured
              private key.  Please see Section 5 of RFC EEEE for
              valid combinations.

              If this leaf-list is not configured (has zero elements)
              the acceptable host key algorithms are implementation-
              defined.";
           reference
             "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
         }
       }
       container key-exchange {
         description
           "Parameters regarding key exchange.";
         leaf-list key-exchange-alg {
           type identityref {
             base sshkea:key-exchange-alg-base;
           }
           ordered-by user;
           description
             "Acceptable key exchange algorithms in order of descending
              preference.

              If this leaf-list is not configured (has zero elements)
              the acceptable key exchange algorithms are implementation
              defined.";
         }
       }
       container encryption {
         description
           "Parameters regarding encryption.";
         leaf-list encryption-alg {
           type identityref {
             base sshea:encryption-alg-base;
           }
           ordered-by user;
           description
             "Acceptable encryption algorithms in order of descending
              preference.

              If this leaf-list is not configured (has zero elements)
              the acceptable encryption algorithms are implementation
              defined.";
         }
       }
       container mac {
         description
           "Parameters regarding message authentication code (MAC).";
         leaf-list mac-alg {
           type identityref {
             base sshma:mac-alg-base;
           }
           ordered-by user;
           description
             "Acceptable MAC algorithms in order of descending
              preference.

              If this leaf-list is not configured (has zero elements)
              the acceptable MAC algorithms are implementation-
              defined.";
         }
       }
     }

   }
   <CODE ENDS>

3.  The "ietf-ssh-client" Module

   This section defines a YANG 1.1 [RFC7950] module called "ietf-ssh-
   client".  A high-level overview of the module is provided in
   Section 3.1.  Examples illustrating the module's use are provided in
   Section 3.2.  The YANG module itself is defined in Section 3.3.

3.1.  Data Model Overview

   This section provides an overview of the "ietf-ssh-client" module in
   terms of its features and groupings.

3.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-ssh-client" module:

   Features:
     +-- ssh-client-keepalives
     +-- client-ident-password
     +-- client-ident-publickey
     +-- client-ident-hostbased
     +-- client-ident-none

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

3.1.2.  Groupings

   The "ietf-ssh-client" module defines the following "grouping"
   statement:

   *  ssh-client-grouping

   This grouping is presented in the following subsection.

3.1.2.1.  The "ssh-client-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "ssh-client-
   grouping" grouping:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   grouping ssh-client-grouping
     +-- client-identity
     |  +-- username?        string
     |  +-- public-key! {client-ident-publickey}?
     |  |  +---u ks:local-or-keystore-asymmetric-key-grouping
     |  +-- password! {client-ident-password}?
     |  |  +---u ct:password-grouping
     |  +-- hostbased! {client-ident-hostbased}?
     |  |  +---u ks:local-or-keystore-asymmetric-key-grouping
     |  +-- none?            empty {client-ident-none}?
     |  +-- certificate! {sshcmn:ssh-x509-certs}?
     |     +---u ks:local-or-keystore-end-entity-cert-with-key-groupi\
   ng
     +-- server-authentication
     |  +-- ssh-host-keys!
     |  |  +---u ts:local-or-truststore-public-keys-grouping
     |  +-- ca-certs! {sshcmn:ssh-x509-certs}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- ee-certs! {sshcmn:ssh-x509-certs}?
     |     +---u ts:local-or-truststore-certs-grouping
     +-- transport-params {sshcmn:transport-params}?
     |  +---u sshcmn:transport-params-grouping
     +-- keepalives! {ssh-client-keepalives}?
        +-- max-wait?       uint16
        +-- max-attempts?   uint8

   Comments:

   *  The "client-identity" node configures a "username" and
      authentication methods, each enabled by a "feature" statement
      defined in Section 3.1.1.

   *  The "server-authentication" node configures trust anchors for
      authenticating the SSH server, with each option enabled by a
      "feature" statement.

   *  The "transport-params" node, which must be enabled by a feature,
      configures parameters for the SSH sessions established by this
      configuration.

   *  The "keepalives" node, which must be enabled by a feature,
      configures a "presence" container for testing the aliveness of the
      SSH server.  The aliveness-test occurs at the SSH protocol layer.

   *  For the referenced grouping statement(s):

      -  The "local-or-keystore-asymmetric-key-grouping" grouping is
         discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore].

      -  The "local-or-keystore-end-entity-cert-with-key-grouping"
         grouping is discussed in Section 2.1.3.6 of
         [I-D.ietf-netconf-keystore].

      -  The "local-or-truststore-public-keys-grouping" grouping is
         discussed in Section 2.1.3.2 of
         [I-D.ietf-netconf-trust-anchors].

      -  The "local-or-truststore-certs-grouping" grouping is discussed
         in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors].

      -  The "transport-params-grouping" grouping is discussed in
         Section 2.1.2.1 in this document.

3.1.3.  Protocol-accessible Nodes

   The "ietf-ssh-client" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

3.2.  Example Usage

   This section presents two examples showing the "ssh-client-grouping"
   grouping populated with some data.  These examples are effectively
   the same except that the first configures the client identity using a
   local key while the second uses a key configured in a keystore.  Both
   examples are consistent with the examples presented in Section 2 of
   [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].  Both are shown as trees of nodes with
   their values; "base64encodedvalue==" stands in for real key and
   certificate data.

   The following configuration example uses local-definitions for the
   client identity and server authentication:

   ssh-client
     client-identity
       username: foobar
       public-key
         local-definition
           public-key-format: ct:ssh-public-key-format
           public-key: base64encodedvalue==
           private-key-format: ct:rsa-private-key-format
           private-key: base64encodedvalue==
     server-authentication
       ssh-host-keys
         local-definition
           public-key
             name: corp-fw1
             public-key-format: ct:ssh-public-key-format
             public-key: base64encodedvalue==
           public-key
             name: corp-fw2
             public-key-format: ct:ssh-public-key-format
             public-key: base64encodedvalue==
       ca-certs
         local-definition
           certificate
             name: Server Cert Issuer #1
             cert-data: base64encodedvalue==
           certificate
             name: Server Cert Issuer #2
             cert-data: base64encodedvalue==
       ee-certs
         local-definition
           certificate
             name: My Application #1
             cert-data: base64encodedvalue==
           certificate
             name: My Application #2
             cert-data: base64encodedvalue==
     keepalives
       max-wait: 30
       max-attempts: 3

   The following configuration example uses keystore-references for the
   client identity and truststore-references for server authentication:

   ssh-client
     client-identity
       username: foobar
       certificate
         keystore-reference
           asymmetric-key: ssh-rsa-key-with-cert
           certificate: ex-rsa-cert2
     server-authentication
       ssh-host-keys
         truststore-reference: trusted-ssh-public-keys
       ca-certs
         truststore-reference: trusted-server-ca-certs
       ee-certs
         truststore-reference: trusted-server-ee-certs
     keepalives
       max-wait: 30
       max-attempts: 3

3.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
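   The two Section 3.2 examples, checked in code against the constraints
   this section states: each authentication method and trust-anchor
   option is gated by a "feature", a locally defined public key "must"
   use "ct:ssh-public-key-format" (and a keystore reference must resolve
   to a key in that format, which is what the "deref(.)/../
   ks:public-key-format" refine in Section 3.3 expresses), and the
   keepalives leaves are uint16 and uint8.  This is an added example,
   not code from the draft.  The Python dicts mirror the examples above;
   the keystore contents, the "spki-only-key" entry, the
   "public_key_ref_config" and "local_key_config" variants, and the
   error strings are constructed for the example.

```python
"""Added example: checking an ssh-client-grouping instance against Section 3."""
from typing import Any, Dict, List, Set

SSH_PK_FORMAT = "ct:ssh-public-key-format"   # identity named in the "must" statements

# Constructed stand-in for the keystore that deref() would reach.
KEYSTORE: Dict[str, Dict[str, Any]] = {
    "ssh-rsa-key-with-cert": {"public-key-format": SSH_PK_FORMAT,
                              "certificates": {"ex-rsa-cert2"}},
    "spki-only-key": {"public-key-format": "ct:subject-public-key-info-format",
                      "certificates": set()},                  # constructed
}
ALL_FEATURES: Set[str] = {
    "client-ident-publickey", "client-ident-password", "client-ident-hostbased",
    "client-ident-none", "ssh-client-keepalives",
    "sshcmn:ssh-x509-certs", "sshcmn:transport-params",
}
# (container, child or None) -> feature that must be enabled for that node.
FEATURE_GATES = {
    ("client-identity", "public-key"): "client-ident-publickey",
    ("client-identity", "password"): "client-ident-password",
    ("client-identity", "hostbased"): "client-ident-hostbased",
    ("client-identity", "none"): "client-ident-none",
    ("client-identity", "certificate"): "sshcmn:ssh-x509-certs",
    ("server-authentication", "ca-certs"): "sshcmn:ssh-x509-certs",
    ("server-authentication", "ee-certs"): "sshcmn:ssh-x509-certs",
    ("transport-params", None): "sshcmn:transport-params",
    ("keepalives", None): "ssh-client-keepalives",
}
B64 = "base64encodedvalue=="
LOCAL_KEY = {"public-key-format": SSH_PK_FORMAT, "public-key": B64,
             "private-key-format": "ct:rsa-private-key-format", "private-key": B64}
EXAMPLE_LOCAL = {   # first Section 3.2 example (local definitions)
    "client-identity": {"username": "foobar",
                        "public-key": {"local-definition": LOCAL_KEY}},
    "server-authentication": {
        "ssh-host-keys": {"local-definition": [
            {"name": "corp-fw1", "public-key-format": SSH_PK_FORMAT, "public-key": B64},
            {"name": "corp-fw2", "public-key-format": SSH_PK_FORMAT, "public-key": B64}]},
        "ca-certs": {"local-definition": [
            {"name": "Server Cert Issuer #1", "cert-data": B64},
            {"name": "Server Cert Issuer #2", "cert-data": B64}]},
        "ee-certs": {"local-definition": [
            {"name": "My Application #1", "cert-data": B64},
            {"name": "My Application #2", "cert-data": B64}]}},
    "keepalives": {"max-wait": 30, "max-attempts": 3},
}
EXAMPLE_KEYSTORE = {   # second Section 3.2 example (keystore/truststore references)
    "client-identity": {"username": "foobar", "certificate": {"keystore-reference": {
        "asymmetric-key": "ssh-rsa-key-with-cert", "certificate": "ex-rsa-cert2"}}},
    "server-authentication": {
        "ssh-host-keys": {"truststore-reference": "trusted-ssh-public-keys"},
        "ca-certs": {"truststore-reference": "trusted-server-ca-certs"},
        "ee-certs": {"truststore-reference": "trusted-server-ee-certs"}},
    "keepalives": {"max-wait": 30, "max-attempts": 3},
}


def public_key_ref_config(key_name: str, max_attempts: int = 3) -> Dict[str, Any]:
    """Constructed variant: public-key identity via a keystore reference."""
    return {"client-identity": {"username": "foobar",
                                "public-key": {"keystore-reference": key_name}},
            "keepalives": {"max-wait": 30, "max-attempts": max_attempts}}


def local_key_config(public_key_format: str) -> Dict[str, Any]:
    """Constructed variant of the local example with a chosen public-key-format."""
    key = dict(LOCAL_KEY, **{"public-key-format": public_key_format})
    return {"client-identity": {"username": "foobar",
                                "public-key": {"local-definition": key}}}


def validate_ssh_client(config: Dict[str, Any], features: Set[str] = ALL_FEATURES,
                        keystore: Dict[str, Dict[str, Any]] = KEYSTORE) -> List[str]:
    """Return a list of constraint violations (empty when the instance is valid)."""
    errors: List[str] = []
    # 1. Feature gating: a node whose feature is not enabled cannot be present.
    for (container, child), feature in FEATURE_GATES.items():
        node = config.get(container, {})
        if container in config and (child is None or child in node) and feature not in features:
            errors.append(f"{container}{'/' + child if child else ''}: requires feature {feature}")
    # 2. The "must" refines on client-identity/public-key (Section 3.3).
    pk = config.get("client-identity", {}).get("public-key") or {}
    local = pk.get("local-definition")
    if local is not None and local.get("public-key-format") != SSH_PK_FORMAT:
        errors.append(f'client-identity/public-key/local-definition: public-key-format must be "{SSH_PK_FORMAT}"')
    ref = pk.get("keystore-reference")
    if ref is not None:
        target = keystore.get(ref)
        if target is None:
            errors.append(f"client-identity/public-key/keystore-reference: {ref!r} does not resolve")
        elif target["public-key-format"] != SSH_PK_FORMAT:
            errors.append(f'client-identity/public-key/keystore-reference: deref(.)/../public-key-format must be "{SSH_PK_FORMAT}"')
    # 3. A certificate keystore-reference must name a key holding that certificate.
    cert = (config.get("client-identity", {}).get("certificate") or {}).get("keystore-reference")
    if cert is not None:
        key = keystore.get(cert.get("asymmetric-key"))
        if key is None or cert.get("certificate") not in key["certificates"]:
            errors.append("client-identity/certificate/keystore-reference: does not resolve")
    # 4. Keepalives leaf types: max-wait is uint16, max-attempts is uint8.
    for leaf, upper in (("max-wait", 65535), ("max-attempts", 255)):
        value = config.get("keepalives", {}).get(leaf)
        if value is not None and not (isinstance(value, int) and 0 <= value <= upper):
            errors.append(f"keepalives/{leaf}: {value!r} is not in 0..{upper}")
    return errors


if __name__ == "__main__":
    for name, cfg in (("local", EXAMPLE_LOCAL), ("keystore", EXAMPLE_KEYSTORE)):
        print(name, validate_ssh_client(cfg) or "ok")
    print(validate_ssh_client(public_key_ref_config("spki-only-key")))
```

   The keystore-reference check is the part worth noting for operators:
   a reference is not just a name lookup, the referenced key's
   "public-key-format" sibling is evaluated too, so a key that is valid
   for TLS can still be rejected as an SSH client identity.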
820 file "ietf-ssh-client@2021-06-18.yang" 822 module ietf-ssh-client { 823 yang-version 1.1; 824 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client"; 825 prefix sshc; 827 import ietf-netconf-acm { 828 prefix nacm; 829 reference 830 "RFC 8341: Network Configuration Access Control Model"; 831 } 833 import ietf-crypto-types { 834 prefix ct; 835 reference 836 "RFC AAAA: YANG Data Types and Groupings for Cryptography"; 837 } 839 import ietf-truststore { 840 prefix ts; 841 reference 842 "RFC BBBB: A YANG Data Model for a Truststore"; 843 } 845 import ietf-keystore { 846 prefix ks; 847 reference 848 "RFC CCCC: A YANG Data Model for a Keystore"; 849 } 851 import ietf-ssh-common { 852 prefix sshcmn; 853 revision-date 2021-06-18; // stable grouping definitions 854 reference 855 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; 856 } 858 organization 859 "IETF NETCONF (Network Configuration) Working Group"; 861 contact 862 "WG Web: 863 WG List: 864 Author: Kent Watsen 865 Author: Gary Wu "; 867 description 868 "This module defines reusable groupings for SSH clients that 869 can be used as a basis for specific SSH client instances. 871 Copyright (c) 2021 IETF Trust and the persons identified 872 as authors of the code. All rights reserved. 874 Redistribution and use in source and binary forms, with 875 or without modification, is permitted pursuant to, and 876 subject to the license terms contained in, the Simplified 877 BSD License set forth in Section 4.c of the IETF Trust's 878 Legal Provisions Relating to IETF Documents 879 (https://trustee.ietf.org/license-info). 881 This version of this YANG module is part of RFC EEEE 882 (https://www.rfc-editor.org/info/rfcEEEE); see the RFC 883 itself for full legal notices. 
885 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 886 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 887 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 888 are to be interpreted as described in BCP 14 (RFC 2119) 889 (RFC 8174) when, and only when, they appear in all 890 capitals, as shown here."; 892 revision 2021-06-18 { 893 description 894 "Initial version"; 895 reference 896 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; 897 } 899 // Features 901 feature ssh-client-keepalives { 902 description 903 "Per socket SSH keepalive parameters are configurable for 904 SSH clients on the server implementing this feature."; 905 } 907 feature client-ident-publickey { 908 description 909 "Indicates that the 'publickey' authentication type, per 910 RFC 4252, is supported for client identification. 912 The 'publickey' authentication type is required by 913 RFC 4252, but common implementations enable it to 914 be disabled."; 915 reference 916 "RFC 4252: 917 The Secure Shell (SSH) Authentication Protocol"; 918 } 920 feature client-ident-password { 921 description 922 "Indicates that the 'password' authentication type, per 923 RFC 4252, is supported for client identification."; 924 reference 925 "RFC 4252: 926 The Secure Shell (SSH) Authentication Protocol"; 927 } 929 feature client-ident-hostbased { 930 description 931 "Indicates that the 'hostbased' authentication type, per 932 RFC 4252, is supported for client identification."; 933 reference 934 "RFC 4252: 935 The Secure Shell (SSH) Authentication Protocol"; 936 } 938 feature client-ident-none { 939 description 940 "Indicates that the 'none' authentication type, per 941 RFC 4252, is supported for client identification."; 942 reference 943 "RFC 4252: 944 The Secure Shell (SSH) Authentication Protocol"; 945 } 947 // Groupings 949 grouping ssh-client-grouping { 950 description 951 "A reusable grouping for configuring a SSH client without 952 any consideration for how an underlying TCP session 
          is established.

          Note that this grouping uses fairly typical descendant
          node names such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue (e.g., by wrapping
          the 'uses' statement in a container called
          'ssh-client-parameters').  This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

       container client-identity {
         nacm:default-deny-write;
         description
           "The username and authentication methods for the client.
            The authentication methods are unordered.  Clients may
            initially send any configured method or, per RFC 4252,
            Section 5.2, send the 'none' method to prompt the server
            to provide a list of productive methods.  Whenever a
            choice amongst methods arises, implementations SHOULD
            use a default ordering that prioritizes automation
            over human-interaction.";
         leaf username {
           type string;
           description
             "The username of this user.  This will be the username
              used, for instance, to log into an SSH server.";
         }
         container public-key {
           if-feature "client-ident-publickey";
           presence
             "Indicates that publickey-based authentication has been
              configured.
              This statement is present so the mandatory
              descendant nodes do not imply that this node must be
              configured.";
           description
             "A locally-defined or referenced asymmetric key
              pair to be used for client identification.";
           reference
             "RFC CCCC: A YANG Data Model for a Keystore";
           uses ks:local-or-keystore-asymmetric-key-grouping {
             refine "local-or-keystore/local/local-definition" {
               must 'public-key-format = "ct:ssh-public-key-format"';
             }
             refine "local-or-keystore/keystore/keystore-reference" {
               must 'deref(.)/../ks:public-key-format'
                  + ' = "ct:ssh-public-key-format"';
             }
           }
         }
         container password {
           if-feature "client-ident-password";
           presence
             "Indicates that password-based authentication has been
              configured.  This statement is present so the mandatory
              descendant nodes do not imply that this node must be
              configured.";
           description
             "A password to be used to authenticate the client's
              identity.";
           uses ct:password-grouping;
         }
         container hostbased {
           if-feature "client-ident-hostbased";
           presence
             "Indicates that hostbased authentication is configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A locally-defined or referenced asymmetric key
              pair to be used for host identification.";
           reference
             "RFC CCCC: A YANG Data Model for a Keystore";
           uses ks:local-or-keystore-asymmetric-key-grouping {
             refine "local-or-keystore/local/local-definition" {
               must 'public-key-format = "ct:ssh-public-key-format"';
             }
             refine "local-or-keystore/keystore/keystore-reference" {
               must 'deref(.)/../ks:public-key-format'
                  + ' = "ct:ssh-public-key-format"';
             }
           }
         }
         leaf none {
           if-feature "client-ident-none";
           type empty;
           description
             "Indicates that the 'none' method is used for client
              identification.";
         }
         container certificate {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that certificate-based authentication has been
              configured.  This statement is present so the mandatory
              descendant nodes do not imply that this node must be
              configured.";
           description
             "A locally-defined or referenced certificate
              to be used for client identification.";
           reference
             "RFC CCCC: A YANG Data Model for a Keystore";
           uses ks:local-or-keystore-end-entity-cert-with-key-grouping {
             refine "local-or-keystore/local/local-definition" {
               must 'public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
             refine "local-or-keystore/keystore/keystore-reference"
                  + "/asymmetric-key" {
               must 'deref(.)/../ks:public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
           }
         }
       } // container client-identity

       container server-authentication {
         nacm:default-deny-write;
         must 'ssh-host-keys or ca-certs or ee-certs';
         description
           "Specifies how the SSH client can authenticate SSH servers.
            Any combination of authentication methods is additive and
            unordered.";
         container ssh-host-keys {
           presence
             "Indicates that SSH host keys have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A bag of SSH host keys used by the SSH client to
              authenticate SSH server host keys.  A server host key
              is authenticated if it is an exact match to a
              configured SSH host key.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-public-keys-grouping {
             refine
               "local-or-truststore/local/local-definition/public-key" {
               must 'public-key-format = "ct:ssh-public-key-format"';
             }
             refine
               "local-or-truststore/truststore/truststore-reference" {
               must 'deref(.)/../*/ts:public-key-format'
                  + ' = "ct:ssh-public-key-format"';
             }
           }
         }
         container ca-certs {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that the CA certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of certificate authority (CA) certificates used by
              the SSH client to authenticate SSH servers.  A server
              is authenticated if its certificate has a valid chain
              of trust to a configured CA certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container ee-certs {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that the EE certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of end-entity certificates used by the SSH client
              to authenticate SSH servers.
              A server is authenticated
              if its certificate is an exact match to a configured
              end-entity certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
       } // container server-authentication

       container transport-params {
         nacm:default-deny-write;
         if-feature "sshcmn:transport-params";
         description
           "Configurable parameters of the SSH transport layer.";
         uses sshcmn:transport-params-grouping;
       } // container transport-params

       container keepalives {
         nacm:default-deny-write;
         if-feature "ssh-client-keepalives";
         presence
           "Indicates that the SSH client proactively tests the
            aliveness of the remote SSH server.";
         description
           "Configures the keep-alive policy, to proactively test
            the aliveness of the SSH server.  An unresponsive SSH
            server is dropped after approximately max-wait *
            max-attempts seconds.  Per Section 4 of RFC 4254,
            the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST
            message with a purposely nonexistent 'request name'
            value (e.g., keepalive@ietf.org) and the 'want reply'
            value set to '1'.";
         reference
           "RFC 4254: The Secure Shell (SSH) Connection Protocol";
         leaf max-wait {
           type uint16 {
             range "1..max";
           }
           units "seconds";
           default "30";
           description
             "Sets the amount of time in seconds after which if
              no data has been received from the SSH server, an
              SSH-level message will be sent to test the
              aliveness of the SSH server.";
         }
         leaf max-attempts {
           type uint8;
           default "3";
           description
             "Sets the maximum number of sequential keep-alive
              messages that can fail to obtain a response from
              the SSH server before assuming the SSH server is
              no longer alive.";
         }
       } // container keepalives
     } // grouping ssh-client-grouping

   }

4.  The "ietf-ssh-server" Module

   This section defines a YANG 1.1 module called "ietf-ssh-server".  A
   high-level overview of the module is provided in Section 4.1.
   Examples illustrating the module's use are provided in Section 4.2.
   The YANG module itself is defined in Section 4.3.

4.1.  Data Model Overview

   This section provides an overview of the "ietf-ssh-server" module in
   terms of its features and groupings.

4.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-ssh-server" module:

   Features:
     +-- ssh-server-keepalives
     +-- local-users-supported
     +-- local-user-auth-publickey {local-users-supported}?
     +-- local-user-auth-password {local-users-supported}?
     +-- local-user-auth-hostbased {local-users-supported}?
     +-- local-user-auth-none {local-users-supported}?

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

4.1.2.  Groupings

   The "ietf-ssh-server" module defines the following "grouping"
   statement:

   *  ssh-server-grouping

   This grouping is presented in the following subsection.

4.1.2.1.  The "ssh-server-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "ssh-server-
   grouping" grouping:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   grouping ssh-server-grouping
     +-- server-identity
     |  +-- host-key* [name]
     |     +-- name?  string
     |     +-- (host-key-type)
     |        +--:(public-key)
     |        |  +-- public-key
     |        |     +---u ks:local-or-keystore-asymmetric-key-grouping
     |        +--:(certificate)
     |           +-- certificate {sshcmn:ssh-x509-certs}?
     |              +---u ks:local-or-keystore-end-entity-cert-with-k\
   ey-grouping
     +-- client-authentication
     |  +-- users {local-users-supported}?
     |  |  +-- user* [name]
     |  |     +-- name?  string
     |  |     +-- public-keys! {local-user-auth-publickey}?
     |  |     |  +---u ts:local-or-truststore-public-keys-grouping
     |  |     +-- password?  ianach:crypt-hash
     |  |     |       {local-user-auth-password}?
     |  |     +-- hostbased! {local-user-auth-hostbased}?
     |  |     |  +---u ts:local-or-truststore-public-keys-grouping
     |  |     +-- none?  empty {local-user-auth-none}?
     |  +-- ca-certs! {sshcmn:ssh-x509-certs}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- ee-certs! {sshcmn:ssh-x509-certs}?
     |     +---u ts:local-or-truststore-certs-grouping
     +-- transport-params {sshcmn:transport-params}?
     |  +---u sshcmn:transport-params-grouping
     +-- keepalives! {ssh-server-keepalives}?
        +-- max-wait?  uint16
        +-- max-attempts?  uint8

   Comments:

   *  The "server-identity" node configures the authentication methods
      the server can use to identify itself to clients.  The ability to
      use a certificate is enabled by a "feature".

   *  The "client-authentication" node configures trust anchors for
      authenticating the SSH client, with each option enabled by a
      "feature" statement.

   *  The "transport-params" node, which must be enabled by a feature,
      configures parameters for the SSH sessions established by this
      configuration.

   *  The "keepalives" node, which must be enabled by a feature,
      configures a "presence" container for testing the aliveness of the
      SSH client.  The aliveness-test occurs at the SSH protocol layer.

   *  For the referenced grouping statement(s):

      -  The "local-or-keystore-asymmetric-key-grouping" grouping is
         discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore].

      -  The "local-or-keystore-end-entity-cert-with-key-grouping"
         grouping is discussed in Section 2.1.3.6 of
         [I-D.ietf-netconf-keystore].

      -  The "local-or-truststore-public-keys-grouping" grouping is
         discussed in Section 2.1.3.2 of
         [I-D.ietf-netconf-trust-anchors].
      -  The "local-or-truststore-certs-grouping" grouping is discussed
         in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors].

      -  The "transport-params-grouping" grouping is discussed in
         Section 2.1.2.1 in this document.

4.1.3.  Protocol-accessible Nodes

   The "ietf-ssh-server" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

4.2.  Example Usage

   This section presents two examples showing the "ssh-server-grouping"
   grouping populated with some data.  These examples are effectively
   the same except the first configures the server identity using a
   local key while the second uses a key configured in a keystore.  Both
   examples are consistent with the examples presented in Section 2 of
   [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   The following configuration example uses local-definitions for the
   server identity and client authentication:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   [XML instance example; only the element values are preserved here,
   in document order:
      server-identity/host-key: my-pubkey-based-host-key,
        ct:ssh-public-key-format, base64encodedvalue==,
        ct:rsa-private-key-format, base64encodedvalue==
      server-identity/host-key: my-cert-based-host-key,
        ct:subject-public-key-info-format, base64encodedvalue==,
        ct:rsa-private-key-format, base64encodedvalue==,
        base64encodedvalue==
      client-authentication/users/user: mary, $0$secret,
        public keys "User A" (ct:ssh-public-key-format,
        base64encodedvalue==) and "User B" (ct:ssh-public-key-format,
        base64encodedvalue==)
      client-authentication/ca-certs: "Identity Cert Issuer #1"
        (base64encodedvalue==), "Identity Cert Issuer #2"
        (base64encodedvalue==)
      client-authentication/ee-certs: "Application #1"
        (base64encodedvalue==), "Application #2"
        (base64encodedvalue==)]
   [XML instance example, continued: keepalives max-wait 30,
   max-attempts 3]

   The following configuration example uses keystore-references for the
   server identity and truststore-references for client authentication:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   [XML instance example; only the element values are preserved here,
   in document order:
      server-identity/host-key: my-pubkey-based-host-key, keystore
        reference ssh-rsa-key
      server-identity/host-key: my-cert-based-host-key, keystore
        reference ssh-rsa-key-with-cert / ex-rsa-cert2
      client-authentication/users/user: mary, $0$secret, truststore
        reference "SSH Public Keys for Application A"
      client-authentication/ca-certs: truststore reference
        trusted-client-ca-certs
      client-authentication/ee-certs: truststore reference
        trusted-client-ee-certs
      keepalives: max-wait 30, max-attempts 3]

4.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore] and
   informative references to [RFC4253] and [RFC7317].

   file "ietf-ssh-server@2021-06-18.yang"

   module ietf-ssh-server {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
     prefix sshs;

     import iana-crypt-hash {
       prefix ianach;
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }

     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     import ietf-crypto-types {
       prefix ct;
       reference
         "RFC AAAA: YANG Data Types and Groupings for Cryptography";
     }

     import ietf-truststore {
       prefix ts;
       reference
         "RFC BBBB: A YANG Data Model for a Truststore";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC CCCC: A YANG Data Model for a Keystore";
     }

     import ietf-ssh-common {
       prefix sshcmn;
       revision-date 2021-06-18; // stable grouping definitions
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working
        Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu";

     description
       "This module defines reusable groupings for SSH servers that
        can be used as a basis for specific SSH server instances.

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2021-06-18 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Features

     feature ssh-server-keepalives {
       description
         "Per socket SSH keepalive parameters are configurable for
          SSH servers on the server implementing this feature.";
     }

     feature local-users-supported {
       description
         "Indicates that the configuration for users can be
          configured herein, as opposed to in an application
          specific location.";
     }

     feature local-user-auth-publickey {
       if-feature "local-users-supported";
       description
         "Indicates that the 'publickey' authentication type,
          per RFC 4252, is supported for locally-defined users.
          The 'publickey' authentication type is required by
          RFC 4252, but common implementations enable it to
          be disabled.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     feature local-user-auth-password {
       if-feature "local-users-supported";
       description
         "Indicates that the 'password' authentication type,
          per RFC 4252, is supported for locally-defined users.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     feature local-user-auth-hostbased {
       if-feature "local-users-supported";
       description
         "Indicates that the 'hostbased' authentication type,
          per RFC 4252, is supported for locally-defined users.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     feature local-user-auth-none {
       if-feature "local-users-supported";
       description
         "Indicates that the 'none' authentication type, per
          RFC 4252, is supported.  It is NOT RECOMMENDED to
          enable this feature.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     // Groupings

     grouping ssh-server-grouping {
       description
         "A reusable grouping for configuring a SSH server without
          any consideration for how underlying TCP sessions are
          established.

          Note that this grouping uses fairly typical descendant
          node names such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue (e.g., by wrapping
          the 'uses' statement in a container called
          'ssh-server-parameters').
          This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

       container server-identity {
         nacm:default-deny-write;
         description
           "The list of host keys the SSH server will present when
            establishing a SSH connection.";
         list host-key {
           key "name";
           min-elements 1;
           ordered-by user;
           description
             "An ordered list of host keys the SSH server will use to
              construct its ordered list of algorithms, when sending
              its SSH_MSG_KEXINIT message, as defined in Section 7.1
              of RFC 4253.";
           reference
             "RFC 4253: The Secure Shell (SSH) Transport Layer
                        Protocol";
           leaf name {
             type string;
             description
               "An arbitrary name for this host key";
           }
           choice host-key-type {
             mandatory true;
             description
               "The type of host key being specified";
             container public-key {
               description
                 "A locally-defined or referenced asymmetric key pair
                  to be used for the SSH server's host key.";
               reference
                 "RFC CCCC: A YANG Data Model for a Keystore";
               uses ks:local-or-keystore-asymmetric-key-grouping {
                 refine "local-or-keystore/local/local-definition" {
                   must
                     'public-key-format = "ct:ssh-public-key-format"';
                 }
                 refine "local-or-keystore/keystore/"
                      + "keystore-reference" {
                   must 'deref(.)/../ks:public-key-format'
                      + ' = "ct:ssh-public-key-format"';
                 }
               }
             }
             container certificate {
               if-feature "sshcmn:ssh-x509-certs";
               description
                 "A locally-defined or referenced end-entity
                  certificate to be used for the SSH server's
                  host key.";
               reference
                 "RFC CCCC: A YANG Data Model for a Keystore";
               uses
                 ks:local-or-keystore-end-entity-cert-with-key-grouping {
                 refine "local-or-keystore/local/local-definition" {
                   must 'public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
                 refine
                   "local-or-keystore/keystore/keystore-reference"
                   + "/asymmetric-key" {
                   must 'deref(.)/../ks:public-key-format'
                      + ' = "ct:subject-public-key-info-format"';
                 }
               }
             }
           }
         }
       } // container server-identity

       container client-authentication {
         nacm:default-deny-write;
         description
           "Specifies how the SSH server can authenticate SSH clients.";
         container users {
           if-feature "local-users-supported";
           description
             "A list of locally configured users.";
           list user {
             key "name";
             description
               "A locally configured user.

                The server SHOULD derive the list of authentication
                'method names' returned to the SSH client from the
                descendant nodes configured herein, per Sections
                5.1 and 5.2 in RFC 4252.

                The authentication methods are unordered.  Clients
                must authenticate to all configured methods.
                Whenever a choice amongst methods arises,
                implementations SHOULD use a default ordering
                that prioritizes automation over human-interaction.";
             leaf name {
               type string;
               description
                 "The 'user name' for the SSH client, as defined in
                  the SSH_MSG_USERAUTH_REQUEST message in RFC 4253.";
             }
             container public-keys {
               if-feature "local-user-auth-publickey";
               presence
                 "Indicates that public keys have been configured.
                  This statement is present so the mandatory descendant
                  nodes do not imply that this node must be
                  configured.";
               description
                 "A set of SSH public keys that may be used by the SSH
                  server to authenticate this user.
                  A user is
                  authenticated if its public key is an exact
                  match to a configured public key.";
               reference
                 "RFC BBBB: A YANG Data Model for a Truststore";
               uses ts:local-or-truststore-public-keys-grouping {
                 refine "local-or-truststore/local/local-definition"
                      + "/public-key" {
                   must 'public-key-format'
                      + ' = "ct:ssh-public-key-format"';
                 }
                 refine "local-or-truststore/truststore/"
                      + "truststore-reference" {
                   must 'deref(.)/../*/ts:public-key-format'
                      + ' = "ct:ssh-public-key-format"';
                 }
               }
             }
             leaf password {
               if-feature "local-user-auth-password";
               type ianach:crypt-hash;
               description
                 "The password for this user.";
             }
             container hostbased {
               if-feature "local-user-auth-hostbased";
               presence
                 "Indicates that hostbased keys have been configured.
                  This statement is present so the mandatory descendant
                  nodes do not imply that this node must be
                  configured.";
               description
                 "A set of SSH host keys used by the SSH server to
                  authenticate this user's host.
                  A user's host is
                  authenticated if its host key is an exact match
                  to a configured host key.";
               reference
                 "RFC 4253: The Secure Shell (SSH) Transport Layer
                            Protocol
                  RFC BBBB: A YANG Data Model for a Truststore";
               uses ts:local-or-truststore-public-keys-grouping {
                 refine "local-or-truststore/local/local-definition"
                      + "/public-key" {
                   must 'public-key-format'
                      + ' = "ct:ssh-public-key-format"';
                 }
                 refine "local-or-truststore/truststore"
                      + "/truststore-reference" {
                   must 'deref(.)/../*/ts:public-key-format'
                      + ' = "ct:ssh-public-key-format"';
                 }
               }
             }
             leaf none {
               if-feature "local-user-auth-none";
               type empty;
               description
                 "Indicates that the 'none' method is configured
                  for this user.";
               reference
                 "RFC 4252: The Secure Shell (SSH) Authentication
                            Protocol.";
             }
           }
         }
         container ca-certs {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that CA certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply this node must be configured.";
           description
             "A set of certificate authority (CA) certificates used by
              the SSH server to authenticate SSH client certificates.
              A client certificate is authenticated if it has a valid
              chain of trust to a configured CA certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container ee-certs {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that EE certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply this node must be configured.";
           description
             "A set of client certificates (i.e., end entity
              certificates) used by the SSH server to authenticate
              the certificates presented by SSH clients.
              A client
              certificate is authenticated if it is an exact match
              to a configured end-entity certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
       } // container client-authentication

       container transport-params {
         nacm:default-deny-write;
         if-feature "sshcmn:transport-params";
         description
           "Configurable parameters of the SSH transport layer.";
         uses sshcmn:transport-params-grouping;
       } // container transport-params

       container keepalives {
         nacm:default-deny-write;
         if-feature "ssh-server-keepalives";
         presence
           "Indicates that the SSH server proactively tests the
            aliveness of the remote SSH client.";
         description
           "Configures the keep-alive policy, to proactively test
            the aliveness of the SSH client.  An unresponsive SSH
            client is dropped after approximately max-wait *
            max-attempts seconds.  Per Section 4 of RFC 4254,
            the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST
            message with a purposely nonexistent 'request name'
            value (e.g., keepalive@ietf.org) and the 'want reply'
            value set to '1'.";
         reference
           "RFC 4254: The Secure Shell (SSH) Connection Protocol";
         leaf max-wait {
           type uint16 {
             range "1..max";
           }
           units "seconds";
           default "30";
           description
             "Sets the amount of time in seconds after which
              if no data has been received from the SSH client,
              an SSH-level message will be sent to test the
              aliveness of the SSH client.";
         }
         leaf max-attempts {
           type uint8;
           default "3";
           description
             "Sets the maximum number of sequential keep-alive
              messages that can fail to obtain a response from
              the SSH client before assuming the SSH client is
              no longer alive.";
         }
       } // container keepalives
     } // grouping ssh-server-grouping

   }

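   The constraints spread across the two groupings above (the
   "must 'ssh-host-keys or ca-certs or ee-certs'" on the client's
   server-authentication container, the public-key-format refinements,
   "min-elements 1" and the mandatory choice on the server's host-key
   list, and the uint16/uint8 ranges on the keepalive leaves) can be
   checked before a configuration is committed.  The following is an
   added example, not code from this draft or from any NETCONF
   implementation: a small Python linter over a JSON-style dict whose
   keys are the YANG node names.  The dict layout, the function names
   and the sample configuration (modelled on the first example in
   Section 4.2) are assumptions made for illustration; keystore and
   truststore references are not resolved.  It also derives the
   keepalive drop deadline (max-wait * max-attempts) and, from a
   defender's standpoint, flags two settings the text itself
   discourages: the 'none' method on a local user, and a password
   supplied as a '$0$' cleartext crypt-hash value.

```python
# Added example (not from the draft): lint a JSON-style dict whose keys are
# the YANG node names of ssh-client-grouping / ssh-server-grouping.  The dict
# layout is an assumption for illustration, not a normative encoding.

SSH_PUBKEY_FMT = "ct:ssh-public-key-format"
SPKI_FMT = "ct:subject-public-key-info-format"


def keepalive_drop_after(max_wait=30, max_attempts=3):
    """Seconds of silence after which an unresponsive peer is dropped:
    approximately max-wait * max-attempts, per the keepalives description.
    Enforces 'uint16 { range 1..max }' and 'uint8' from the leaf types."""
    if not 1 <= max_wait <= 65535:
        raise ValueError("max-wait must be in 1..65535")
    if not 0 <= max_attempts <= 255:
        raise ValueError("max-attempts must be in 0..255")
    return max_wait * max_attempts


def _check_local_definition(node, expected, where, findings):
    """Apply the refined 'must public-key-format = ...' to a local-definition.
    A keystore local-definition holds one key; a truststore one holds a
    'public-key' list.  Keystore/truststore references are not resolved."""
    local = node.get("local-definition")
    if local is None:
        return
    keys = local.get("public-key")
    for entry in keys if isinstance(keys, list) else [local]:
        if entry.get("public-key-format") != expected:
            findings.append(f"{where}: public-key-format must be {expected}")


def _check_keepalives(cfg, findings):
    ka = cfg.get("keepalives")          # presence container; absent = off
    if ka is not None:
        try:
            keepalive_drop_after(ka.get("max-wait", 30), ka.get("max-attempts", 3))
        except ValueError as exc:
            findings.append(f"keepalives: {exc}")


def check_ssh_client(cfg):
    """Constraint violations for an ssh-client-grouping instance."""
    findings = []
    sa = cfg.get("server-authentication", {})
    if not any(k in sa for k in ("ssh-host-keys", "ca-certs", "ee-certs")):
        findings.append("server-authentication: no ssh-host-keys, ca-certs or ee-certs")
    if "ssh-host-keys" in sa:
        _check_local_definition(sa["ssh-host-keys"], SSH_PUBKEY_FMT,
                                "server-authentication/ssh-host-keys", findings)
    ci = cfg.get("client-identity", {})
    for node, fmt in (("public-key", SSH_PUBKEY_FMT), ("hostbased", SSH_PUBKEY_FMT),
                      ("certificate", SPKI_FMT)):
        if node in ci:
            _check_local_definition(ci[node], fmt, f"client-identity/{node}", findings)
    _check_keepalives(cfg, findings)
    return findings


def check_ssh_server(cfg):
    """Constraint violations and hardening notes for an ssh-server-grouping."""
    findings = []
    host_keys = cfg.get("server-identity", {}).get("host-key", [])
    if not host_keys:                   # list host-key { min-elements 1; }
        findings.append("server-identity/host-key: min-elements 1 violated")
    for hk in host_keys:
        name = hk.get("name", "?")
        kinds = [k for k in ("public-key", "certificate") if k in hk]
        if len(kinds) != 1:             # choice host-key-type { mandatory true; }
            findings.append(f"host-key {name}: exactly one of public-key/certificate")
            continue
        fmt = SSH_PUBKEY_FMT if kinds[0] == "public-key" else SPKI_FMT
        _check_local_definition(hk[kinds[0]], fmt, f"host-key {name}", findings)
    for user in cfg.get("client-authentication", {}).get("users", {}).get("user", []):
        name = user.get("name", "?")
        if "public-keys" in user:
            _check_local_definition(user["public-keys"], SSH_PUBKEY_FMT,
                                    f"user {name}/public-keys", findings)
        if "none" in user:              # local-user-auth-none is NOT RECOMMENDED
            findings.append(f"user {name}: 'none' method configured")
        pw = user.get("password")
        if isinstance(pw, str) and pw.startswith("$0$"):
            # iana-crypt-hash (RFC 7317): '$0$' marks a cleartext value that
            # the server is expected to store only as a hash
            findings.append(f"user {name}: password given as '$0$' cleartext")
    _check_keepalives(cfg, findings)
    return findings


def example_server_config():
    """Constructed instance modelled on the draft's first example."""
    return {
        "server-identity": {"host-key": [
            {"name": "my-pubkey-based-host-key", "public-key": {"local-definition": {
                "public-key-format": SSH_PUBKEY_FMT, "public-key": "base64encodedvalue=="}}},
            {"name": "my-cert-based-host-key", "certificate": {"local-definition": {
                "public-key-format": SPKI_FMT, "public-key": "base64encodedvalue=="}}}]},
        "client-authentication": {"users": {"user": [
            {"name": "mary", "password": "$0$secret", "public-keys": {"local-definition": {
                "public-key": [{"name": "User A", "public-key-format": SSH_PUBKEY_FMT,
                                "public-key": "base64encodedvalue=="}]}}}]}},
        "keepalives": {"max-wait": 30, "max-attempts": 3},
    }
```

   Calling check_ssh_server(example_server_config()) returns only the
   cleartext-password note, and keepalive_drop_after() with the defaults
   returns 90, the approximate number of seconds after which a silent
   peer is dropped.  A client configuration whose server-authentication
   container is empty fails the "must" expression, which is the check
   that matters most: without at least one trust anchor the client
   cannot authenticate any server host key.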
5.  Security Considerations

5.1.  The "iana-ssh-key-exchange-algs" Module

   The "iana-ssh-key-exchange-algs" YANG module defines a data model
   that is designed to be accessed via YANG based management protocols,
   such as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these
   protocols have mandatory-to-implement secure transport layers (e.g.,
   SSH, TLS) with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.

   This module does not define any writable-nodes, RPCs, actions, or
   notifications, and thus the security consideration for such is not
   provided here.

5.2.  The "iana-ssh-encryption-algs" Module

   The "iana-ssh-encryption-algs" YANG module defines a data model that
   is designed to be accessed via YANG based management protocols, such
   as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.
   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.

   This module does not define any writable-nodes, RPCs, actions, or
   notifications, and thus the security consideration for such is not
   provided here.

5.3.  The "iana-ssh-mac-algs" Module

   The "iana-ssh-mac-algs" YANG module defines a data model that is
   designed to be accessed via YANG based management protocols, such as
   NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.
1985 This module does not define any writable-nodes, RPCs, actions, or 1986 notifications, and thus the security consideration for such is not 1987 provided here. 1989 5.4. The "iana-ssh-public-key-algs" Module 1991 The "iana-ssh-public-key-algs" YANG module defines a data model that 1992 is designed to be accessed via YANG based management protocols, such 1993 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 1994 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 1995 with mutual authentication. 1997 The NETCONF access control model (NACM) [RFC8341] provides the means 1998 to restrict access for particular users to a pre-configured subset of 1999 all available protocol operations and content. 2001 This YANG module defines YANG identities, for a public IANA- 2002 maintained registry, and a single protocol-accessible read-only node 2003 for the subset of those identities supported by a server. 2005 YANG identities are not security-sensitive, as they are statically 2006 defined in the publicly-accessible YANG module. 2008 The protocol-accessible read-only node for the algorithms supported 2009 by a server is mildly sensitive, but not to the extent that special 2010 NACM annotations are needed to prevent read-access to regular 2011 authenticated administrators. 2013 This module does not define any writable-nodes, RPCs, actions, or 2014 notifications, and thus the security consideration for such is not 2015 provided here. 2017 5.5. The "ietf-ssh-common" YANG Module 2019 The "ietf-ssh-common" YANG module defines "grouping" statements that 2020 are designed to be accessed via YANG based management protocols, such 2021 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 2022 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 2023 with mutual authentication. 
2025 The NETCONF access control model (NACM) [RFC8341] provides the means 2026 to restrict access for particular users to a pre-configured subset of 2027 all available protocol operations and content. 2029 Since this module only defines groupings, these 2030 considerations are primarily for the designers of other modules that 2031 use these groupings. 2033 None of the readable data nodes defined in this YANG module are 2034 considered sensitive or vulnerable in network environments. The NACM 2035 "default-deny-all" extension has not been set for any data nodes 2036 defined in this module. 2038 None of the writable data nodes defined in this YANG module are 2039 considered sensitive or vulnerable in network environments. The NACM 2040 "default-deny-write" extension has not been set for any data nodes 2041 defined in this module. 2043 This module does not define any RPCs, actions, or notifications, and 2044 thus the security consideration for such is not provided here. 2046 5.6. The "ietf-ssh-client" YANG Module 2048 The "ietf-ssh-client" YANG module defines "grouping" statements that 2049 are designed to be accessed via YANG based management protocols, such 2050 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 2051 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 2052 with mutual authentication. 2054 The NETCONF access control model (NACM) [RFC8341] provides the means 2055 to restrict access for particular users to a pre-configured subset of 2056 all available protocol operations and content. 2058 Since this module only defines groupings, these 2059 considerations are primarily for the designers of other modules that 2060 use these groupings. 2062 One readable data node defined in this YANG module may be considered 2063 sensitive or vulnerable in some network environments.
This node is 2064 as follows: 2066 * The "client-identity/password" node: 2068 The cleartext "password" node defined in the "ssh-client- 2069 grouping" grouping is additionally sensitive to read operations 2070 such that, in normal use cases, it should never be returned to 2071 a client. For this reason, the NACM extension "default-deny- 2072 all" has been applied to it. 2074 | Please be aware that this module uses the "key" and "private- 2075 | key" nodes from the "ietf-crypto-types" module 2076 | [I-D.ietf-netconf-crypto-types], where said nodes have the NACM 2077 | extension "default-deny-all" set, thus preventing unrestricted 2078 | read-access to the cleartext key values. 2080 All of the writable data nodes defined by this module may be 2081 considered sensitive or vulnerable in some network environments. For 2082 instance, any modification to a key or reference to a key may 2083 dramatically alter the implemented security policy. For this reason, 2084 the NACM extension "default-deny-write" has been set for all data 2085 nodes defined in this module. 2087 This module does not define any RPCs, actions, or notifications, and 2088 thus the security consideration for such is not provided here. 2090 5.7. The "ietf-ssh-server" YANG Module 2092 The "ietf-ssh-server" YANG module defines "grouping" statements that 2093 are designed to be accessed via YANG based management protocols, such 2094 as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols 2095 have mandatory-to-implement secure transport layers (e.g., SSH, TLS) 2096 with mutual authentication. 2098 The NETCONF access control model (NACM) [RFC8341] provides the means 2099 to restrict access for particular users to a pre-configured subset of 2100 all available protocol operations and content. 2102 Since this module only defines groupings, these 2103 considerations are primarily for the designers of other modules that 2104 use these groupings.
2106 None of the readable data nodes defined in this YANG module are 2107 considered sensitive or vulnerable in network environments. The NACM 2108 "default-deny-all" extension has not been set for any data nodes 2109 defined in this module. 2111 | Please be aware that this module uses the "key" and "private- 2112 | key" nodes from the "ietf-crypto-types" module 2113 | [I-D.ietf-netconf-crypto-types], where said nodes have the NACM 2114 | extension "default-deny-all" set, thus preventing unrestricted 2115 | read-access to the cleartext key values. 2117 All of the writable data nodes defined by this module may be 2118 considered sensitive or vulnerable in some network environments. For 2119 instance, the addition or removal of references to keys, 2120 certificates, trusted anchors, etc., or even the modification of 2121 transport or keepalive parameters can dramatically alter the 2122 implemented security policy. For this reason, the NACM extension 2123 "default-deny-write" has been set for all data nodes defined in this 2124 module. 2126 This module does not define any RPCs, actions, or notifications, and 2127 thus the security consideration for such is not provided here. 2129 6. IANA Considerations 2131 6.1. The "IETF XML" Registry 2133 This document registers seven URIs in the "ns" subregistry of the 2134 IETF XML Registry [RFC3688]. Following the format in [RFC3688], the 2135 following registrations are requested: 2137 URI: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs 2138 Registrant Contact: IANA 2139 XML: N/A, the requested URI is an XML namespace. 2141 URI: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs 2142 Registrant Contact: IANA 2143 XML: N/A, the requested URI is an XML namespace. 2145 URI: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs 2146 Registrant Contact: IANA 2147 XML: N/A, the requested URI is an XML namespace. 
2149 URI: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs 2150 Registrant Contact: IANA 2151 XML: N/A, the requested URI is an XML namespace. 2153 URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common 2154 Registrant Contact: The IESG 2155 XML: N/A, the requested URI is an XML namespace. 2157 URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client 2158 Registrant Contact: The IESG 2159 XML: N/A, the requested URI is an XML namespace. 2161 URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server 2162 Registrant Contact: The IESG 2163 XML: N/A, the requested URI is an XML namespace. 2165 6.2. The "YANG Module Names" Registry 2167 This document registers seven YANG modules in the YANG Module Names 2168 registry [RFC6020]. Following the format in [RFC6020], the following 2169 registrations are requested: 2171 name: iana-ssh-key-exchange-algs 2172 namespace: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs 2173 prefix: sshkea 2174 reference: RFC EEEE 2176 name: iana-ssh-encryption-algs 2177 namespace: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs 2178 prefix: sshea 2179 reference: RFC EEEE 2181 name: iana-ssh-mac-algs 2182 namespace: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs 2183 prefix: sshma 2184 reference: RFC EEEE 2186 name: iana-ssh-public-key-algs 2187 namespace: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs 2188 prefix: sshpka 2189 reference: RFC EEEE 2191 name: ietf-ssh-common 2192 namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common 2193 prefix: sshcmn 2194 reference: RFC EEEE 2196 name: ietf-ssh-client 2197 namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client 2198 prefix: sshc 2199 reference: RFC EEEE 2201 name: ietf-ssh-server 2202 namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server 2203 prefix: sshs 2204 reference: RFC EEEE 2206 6.3. 
The "iana-ssh-encryption-algs" Module 2208 IANA is requested to maintain a YANG module called "iana-ssh- 2209 encryption-algs" that shadows the "Encryption Algorithm Names" sub- 2210 registry of the "Secure Shell (SSH) Protocol Parameters" registry 2211 [IANA-ENC-ALGS]. 2213 This module defines a YANG identity for each encryption algorithm, 2214 and a "base" identity from which all of the other identities are 2215 derived. 2217 An initial version of this module can be found in Appendix A.1. 2218 * Please note that this module was created on June 1st, 2021, and 2219 that additional entries may have been added in the interim before 2220 this document's publication. If that is the case, IANA may 2221 either publish just an updated module containing the new entries, 2222 or publish the initial module as is immediately followed by a 2223 "revision" containing the additional algorithm names. 2225 6.4. The "iana-ssh-mac-algs" Module 2227 IANA is requested to maintain a YANG module called "iana-ssh-mac- 2228 algs" that shadows the "MAC Algorithm Names" sub-registry of the 2229 "Secure Shell (SSH) Protocol Parameters" registry [IANA-MAC-ALGS]. 2231 This module defines a YANG identity for each MAC algorithm, and a 2232 "base" identity from which all of the other identities are derived. 2234 An initial version of this module can be found in Appendix A.2. 2236 * Please note that this module was created on June 1st, 2021, and 2237 that additional entries may have been added in the interim before 2238 this document's publication. If that is the case, IANA may 2239 either publish just an updated module containing the new entries, 2240 or publish the initial module as is immediately followed by a 2241 "revision" containing the additional algorithm names. 2243 6.5.
The "iana-ssh-public-key-algs" Module 2245 IANA is requested to maintain a YANG module called "iana-ssh-public- 2246 key-algs" that shadows the "Public Key Algorithm Names" sub-registry 2247 of the "Secure Shell (SSH) Protocol Parameters" registry 2248 [IANA-PUBKEY-ALGS]. 2250 This module defines a YANG identity for each public key algorithm, 2251 and a "base" identity from which all of the other identities are 2252 derived. 2254 Registry entries for which the '*All values beginning with the 2255 specified string and not containing "@".' note applies MUST be 2256 expanded so that there is a distinct YANG identity for each 2257 enumeration. 2259 An initial version of this module can be found in Appendix A.3. 2261 * Please note that this module was created on June 1st, 2021, and 2262 that additional entries may have been added in the interim before 2263 this document's publication. If that is the case, IANA may 2264 either publish just an updated module containing the new entries, 2265 or publish the initial module as is immediately followed by a 2266 "revision" containing the additional algorithm names. 2268 6.6. The "iana-ssh-key-exchange-algs" Module 2270 IANA is requested to maintain a YANG module called "iana-ssh-key- 2271 exchange-algs" that shadows the "Key Exchange Method Names" sub- 2272 registry of the "Secure Shell (SSH) Protocol Parameters" registry 2273 [IANA-KEYEX-ALGS]. 2275 This module defines a YANG identity for each key exchange 2276 algorithm, and a "base" identity from which all of the other 2277 identities are derived. 2279 Registry entries for which the '*All values beginning with the 2280 specified string and not containing "@".' note applies MUST be 2281 expanded so that there is a distinct YANG identity for each 2282 enumeration. 2284 An initial version of this module can be found in Appendix A.4.
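Sections 6.3 to 6.6 ask IANA to derive one YANG identity per registry entry, all based on a single base identity, with wildcard rows expanded into one identity per concrete name. The Python below is an added example of that derivation, not the script used to produce the modules in Appendix A: the registry rows and their status column are constructed (the live registries have no status column, which is why the text above asks IANA to add one), the expansion list for a wildcard row is supplied by the caller, and the only leading-digit spelling it knows is the "3des" to "triple-des" one visible in Appendix A.

```python
"""Derive YANG "identity" statements from rows of an IANA SSH
sub-registry, following the naming rules visible in Appendix A.

This is an added example, not the script used to produce the modules
in this document. The sample rows below are constructed; the live
registries carry no status column (which is why the draft asks IANA to
add one), so the status here is an assumption supplied by the caller.
"""
import re

# YANG identifier syntax (RFC 7950, Section 6.2): letters, digits, '_',
# '-' and '.', and the first character must not be a digit.
_YANG_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# A registry name that starts with a digit cannot be a YANG identifier;
# Appendix A spells "3des-cbc" as "triple-des-cbc". Any other leading
# digit is rejected rather than guessed.
_LEADING_DIGIT_WORDS = {"3": "triple-"}

# Note IANA attaches to wildcard rows; Sections 6.5 and 6.6 require each
# such row to be expanded into one identity per concrete name.
WILDCARD_NOTE = ('*All values beginning with the specified string '
                 'and not containing "@".')


def yang_identifier(registry_name):
    """Map a registry name such as "AEAD_AES_128_GCM" to "aead-aes-128-gcm"."""
    ident = registry_name.lower().replace("_", "-")
    if ident[0].isdigit():
        if ident[0] not in _LEADING_DIGIT_WORDS:
            raise ValueError(f"no YANG spelling for leading digit in {registry_name!r}")
        ident = _LEADING_DIGIT_WORDS[ident[0]] + ident[1:]
    if not _YANG_IDENT.match(ident):
        raise ValueError(f"{registry_name!r} does not map to a YANG identifier")
    return ident


def identity_stanza(registry_name, base, reference, status=None):
    """Render one identity statement in the layout Appendix A uses:
    derived from the module's base identity, description = registry
    name in upper case, optional status, and the reference column."""
    lines = [f"  identity {yang_identifier(registry_name)} {{",
             f"    base {base};"]
    if status:                      # e.g. "obsolete" for the RC4 ciphers
        lines.append(f"    status {status};")
    lines += ["    description",
              f'      "{registry_name.upper()}";',
              "    reference",
              f'      "{reference}";',
              "  }"]
    return "\n".join(lines)


def expand_rows(rows, expansions):
    """Apply the wildcard rule: a row (name, reference, note, status) whose
    note is WILDCARD_NOTE stands for every name in expansions[prefix]."""
    out = []
    for name, reference, note, status in rows:
        if note == WILDCARD_NOTE:
            prefix = name.rstrip("*")
            concrete = expansions.get(prefix)
            if not concrete:
                raise ValueError(f"wildcard row {name!r} needs an expansion list")
            out += [(n, reference, "", status) for n in concrete]
        else:
            out.append((name, reference, note, status))
    return out


def generate_identities(rows, base, expansions=None):
    """Return the identity statements for a whole sub-registry, in order."""
    return [identity_stanza(name, base, reference, status)
            for name, reference, _note, status in expand_rows(rows, expansions or {})]


# Constructed rows in the shape of the "Encryption Algorithm Names"
# sub-registry (name, reference, note, assumed status).
SAMPLE_ENCRYPTION_ROWS = [
    ("3des-cbc", "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol", "", None),
    ("arcfour", "RFC 8758: Deprecating RC4 in Secure Shell (SSH)", "", "obsolete"),
    ("AEAD_AES_128_GCM", "RFC 5647: AES Galois Counter Mode for the "
     "Secure Shell Transport Layer Protocol", "", None),
    ("none", "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol", "", None),
]

if __name__ == "__main__":
    print("\n\n".join(generate_identities(SAMPLE_ENCRYPTION_ROWS,
                                          "encryption-alg-base")))
```

Rejecting unknown leading digits instead of guessing a spelling is deliberate: a silently mangled identifier would be a new, unregistered name, and the point of the IANA-maintained module is that every identity maps back to exactly one registry row.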
2286 * Please note that this module was created on June 1st, 2021, and 2287 that additional entries may have been added in the interim before 2288 this document's publication. If that is the case, IANA may 2289 either publish just an updated module containing the new entries, 2290 or publish the initial module as is immediately followed by a 2291 "revision" containing the additional algorithm names. 2293 * Please also note that the "status" statement has been set to 2294 "deprecated" for the key exchange methods deprecated by Section 6 of RFC 8732 (https://datatracker.ietf.org/doc/html/rfc8732#section-6). 2295 It is recommended that IANA add a column to 2296 the registry to more easily track the deprecation status of 2297 algorithms. 2299 7. References 2301 7.1. Normative References 2303 [I-D.ietf-netconf-crypto-types] 2304 Watsen, K., "YANG Data Types and Groupings for 2305 Cryptography", Work in Progress, Internet-Draft, draft- 2306 ietf-netconf-crypto-types-19, 10 February 2021, 2307 . 2310 [I-D.ietf-netconf-keystore] 2311 Watsen, K., "A YANG Data Model for a Keystore", Work in 2312 Progress, Internet-Draft, draft-ietf-netconf-keystore-21, 2313 10 February 2021, . 2316 [I-D.ietf-netconf-trust-anchors] 2317 Watsen, K., "A YANG Data Model for a Truststore", Work in 2318 Progress, Internet-Draft, draft-ietf-netconf-trust- 2319 anchors-14, 10 February 2021, 2320 . 2323 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2324 Requirement Levels", BCP 14, RFC 2119, 2325 DOI 10.17487/RFC2119, March 1997, 2326 . 2328 [RFC4344] Bellare, M., Kohno, T., and C. Namprempre, "The Secure 2329 Shell (SSH) Transport Layer Encryption Modes", RFC 4344, 2330 DOI 10.17487/RFC4344, January 2006, 2331 . 2333 [RFC4419] Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman 2334 Group Exchange for the Secure Shell (SSH) Transport Layer 2335 Protocol", RFC 4419, DOI 10.17487/RFC4419, March 2006, 2336 . 2338 [RFC5656] Stebila, D. and J.
Green, "Elliptic Curve Algorithm 2339 Integration in the Secure Shell Transport Layer", 2340 RFC 5656, DOI 10.17487/RFC5656, December 2009, 2341 . 2343 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 2344 the Network Configuration Protocol (NETCONF)", RFC 6020, 2345 DOI 10.17487/RFC6020, October 2010, 2346 . 2348 [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure 2349 Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, 2350 March 2011, . 2352 [RFC6668] Bider, D. and M. Baushke, "SHA-2 Data Integrity 2353 Verification for the Secure Shell (SSH) Transport Layer 2354 Protocol", RFC 6668, DOI 10.17487/RFC6668, July 2012, 2355 . 2357 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2358 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2359 . 2361 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2362 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2363 May 2017, . 2365 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 2366 Access Control Model", STD 91, RFC 8341, 2367 DOI 10.17487/RFC8341, March 2018, 2368 . 2370 7.2. Informative References 2372 [I-D.ietf-netconf-http-client-server] 2373 Watsen, K., "YANG Groupings for HTTP Clients and HTTP 2374 Servers", Work in Progress, Internet-Draft, draft-ietf- 2375 netconf-http-client-server-07, 18 May 2021, 2376 . 2379 [I-D.ietf-netconf-netconf-client-server] 2380 Watsen, K., "NETCONF Client and Server Models", Work in 2381 Progress, Internet-Draft, draft-ietf-netconf-netconf- 2382 client-server-23, 18 May 2021, 2383 . 2386 [I-D.ietf-netconf-restconf-client-server] 2387 Watsen, K., "RESTCONF Client and Server Models", Work in 2388 Progress, Internet-Draft, draft-ietf-netconf-restconf- 2389 client-server-23, 18 May 2021, 2390 . 2393 [I-D.ietf-netconf-ssh-client-server] 2394 Watsen, K., "YANG Groupings for SSH Clients and SSH 2395 Servers", Work in Progress, Internet-Draft, draft-ietf- 2396 netconf-ssh-client-server-24, 18 May 2021, 2397 . 
2400 [I-D.ietf-netconf-tcp-client-server] 2401 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients 2402 and TCP Servers", Work in Progress, Internet-Draft, draft- 2403 ietf-netconf-tcp-client-server-10, 18 May 2021, 2404 . 2407 [I-D.ietf-netconf-tls-client-server] 2408 Watsen, K., "YANG Groupings for TLS Clients and TLS 2409 Servers", Work in Progress, Internet-Draft, draft-ietf- 2410 netconf-tls-client-server-24, 18 May 2021, 2411 . 2414 [IANA-ENC-ALGS] 2415 (IANA), I. A. N. A., "IANA "Encryption Algorithm Names" 2416 Sub-registry of the "Secure Shell (SSH) Protocol 2417 Parameters" Registry", . 2420 [IANA-KEYEX-ALGS] 2421 (IANA), I. A. N. A., "IANA "Key Exchange Method Names" 2422 Sub-registry of the "Secure Shell (SSH) Protocol 2423 Parameters" Registry", . 2426 [IANA-MAC-ALGS] 2427 (IANA), I. A. N. A., "IANA "MAC Algorithm Names" Sub- 2428 registry of the "Secure Shell (SSH) Protocol Parameters" 2429 Registry", . 2432 [IANA-PUBKEY-ALGS] 2433 (IANA), I. A. N. A., "IANA "Public Key Algorithm Names" 2434 Sub-registry of the "Secure Shell (SSH) Protocol 2435 Parameters" Registry", . 2438 [OPENSSH] Project, T. O., "OpenSSH", . 2440 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2441 DOI 10.17487/RFC3688, January 2004, 2442 . 2444 [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) 2445 Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, 2446 January 2006, . 2448 [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) 2449 Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, 2450 January 2006, . 2452 [RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) 2453 Connection Protocol", RFC 4254, DOI 10.17487/RFC4254, 2454 January 2006, . 2456 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2457 and A. Bierman, Ed., "Network Configuration Protocol 2458 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2459 . 
2461 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2462 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2463 . 2465 [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for 2466 System Management", RFC 7317, DOI 10.17487/RFC7317, August 2467 2014, . 2469 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 2470 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 2471 . 2473 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 2474 RFC 8071, DOI 10.17487/RFC8071, February 2017, 2475 . 2477 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 2478 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 2479 . 2481 [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., 2482 and R. Wilton, "Network Management Datastore Architecture 2483 (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, 2484 . 2486 Appendix A. YANG Modules for IANA 2488 The modules contained in this section were generated by scripts using 2489 the contents of the associated sub-registry as they existed on June 2490 1st, 2021. 2492 A.1. Initial Module for the "Encryption Algorithm Names" Registry 2493 A.1.1. Data Model Overview 2495 This section provides an overview of the "iana-ssh-encryption-algs" 2496 module in terms of its identities and protocol-accessible nodes. 2498 A.1.1.1. Identities 2500 The following diagram lists the base "identity" statements defined in 2501 the module, of which there is just one, and illustrates that all the 2502 derived identity statements are generated from the associated IANA- 2503 maintained registry [IANA-ENC-ALGS]. 2505 Identities: 2506 +-- encryption-alg-base 2507 +-- 2509 | The diagram above uses syntax that is similar to but not 2510 | defined in [RFC8340]. 2512 A.1.1.2. 
Protocol-accessible Nodes 2514 The following tree diagram [RFC8340] lists all the protocol- 2515 accessible nodes defined in the "iana-ssh-encryption-algs" module: 2517 module: iana-ssh-encryption-algs 2518 +--ro supported-algorithms 2519 +--ro supported-algorithm* identityref 2521 Comments: 2523 * Protocol-accessible nodes are those nodes that are accessible when 2524 the module is "implemented", as described in Section 5.6.5 of 2525 [RFC7950]. 2527 A.1.2. Example Usage 2529 The following example illustrates operational state data indicating 2530 the SSH encryption algorithms supported by the server: 2532 <supported-algorithms 2533 xmlns="urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs" 2534 xmlns:sshea="urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"> 2535 <supported-algorithm>sshea:aes256-ctr</supported-algorithm> 2536 <supported-algorithm>sshea:aes256-cbc</supported-algorithm> 2537 <supported-algorithm>sshea:twofish256-cbc</supported-algorithm> 2538 <supported-algorithm>sshea:serpent256-cbc</supported-algorithm> 2539 <supported-algorithm>sshea:arcfour256</supported-algorithm> 2540 <supported-algorithm>sshea:serpent256-ctr</supported-algorithm> 2541 <supported-algorithm>sshea:aead-aes-256-gcm</supported-algorithm> 2542 </supported-algorithms> 2544 A.1.3. YANG Module 2546 Following are the complete contents of the initial IANA-maintained 2547 YANG module. Please note that the date "2021-06-01" reflects the day 2548 on which the extraction occurred. 2550 <CODE BEGINS> file "iana-ssh-encryption-algs@2021-06-01.yang" 2552 module iana-ssh-encryption-algs { 2553 yang-version 1.1; 2554 namespace "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"; 2555 prefix sshea; 2557 organization 2558 "Internet Assigned Numbers Authority (IANA)"; 2560 contact 2561 "Postal: ICANN 2562 12025 Waterfront Drive, Suite 300 2563 Los Angeles, CA 90094-2536 2564 United States of America 2565 Tel: +1 310 301 5800 2566 Email: iana@iana.org"; 2568 description 2569 "This module defines identities for the encryption algorithms 2570 defined in the 'Encryption Algorithm Names' sub-registry of the 2571 'Secure Shell (SSH) Protocol Parameters' registry maintained 2572 by IANA. 2574 Copyright (c) 2021 IETF Trust and the persons identified as 2575 authors of the code. All rights reserved.
2577 Redistribution and use in source and binary forms, with 2578 or without modification, is permitted pursuant to, and 2579 subject to the license terms contained in, the Simplified 2580 BSD License set forth in Section 4.c of the IETF Trust's 2581 Legal Provisions Relating to IETF Documents 2582 (https://trustee.ietf.org/license-info). 2584 The initial version of this YANG module is part of RFC EEEE 2585 (https://www.rfc-editor.org/info/rfcEEEE); see the RFC 2586 itself for full legal notices."; 2588 revision 2021-06-01 { 2589 description 2590 "Initial version"; 2591 reference 2592 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; 2593 } 2595 identity encryption-alg-base { 2596 description 2597 "Base identity used to identify encryption algorithms."; 2598 } 2600 identity triple-des-cbc { // YANG IDs cannot begin with a number 2601 base encryption-alg-base; 2602 description 2603 "3DES-CBC"; 2604 reference 2605 "RFC 4253: 2606 The Secure Shell (SSH) Transport Layer Protocol"; 2607 } 2609 identity blowfish-cbc { 2610 base encryption-alg-base; 2611 description 2612 "BLOWFISH-CBC"; 2613 reference 2614 "RFC 4253: 2615 The Secure Shell (SSH) Transport Layer Protocol"; 2616 } 2618 identity twofish256-cbc { 2619 base encryption-alg-base; 2620 description 2621 "TWOFISH256-CBC"; 2622 reference 2623 "RFC 4253: 2624 The Secure Shell (SSH) Transport Layer Protocol"; 2625 } 2627 identity twofish-cbc { 2628 base encryption-alg-base; 2629 description 2630 "TWOFISH-CBC"; 2631 reference 2632 "RFC 4253: 2633 The Secure Shell (SSH) Transport Layer Protocol"; 2634 } 2636 identity twofish192-cbc { 2637 base encryption-alg-base; 2638 description 2639 "TWOFISH192-CBC"; 2640 reference 2641 "RFC 4253: 2642 The Secure Shell (SSH) Transport Layer Protocol"; 2643 } 2645 identity twofish128-cbc { 2646 base encryption-alg-base; 2647 description 2648 "TWOFISH128-CBC"; 2649 reference 2650 "RFC 4253: 2651 The Secure Shell (SSH) Transport Layer Protocol"; 2652 } 2654 identity aes256-cbc 
{ 2655 base encryption-alg-base; 2656 description 2657 "AES256-CBC"; 2658 reference 2659 "RFC 4253: 2660 The Secure Shell (SSH) Transport Layer Protocol"; 2661 } 2663 identity aes192-cbc { 2664 base encryption-alg-base; 2665 description 2666 "AES192-CBC"; 2667 reference 2668 "RFC 4253: 2669 The Secure Shell (SSH) Transport Layer Protocol"; 2670 } 2672 identity aes128-cbc { 2673 base encryption-alg-base; 2674 description 2675 "AES128-CBC"; 2677 reference 2678 "RFC 4253: 2679 The Secure Shell (SSH) Transport Layer Protocol"; 2680 } 2682 identity serpent256-cbc { 2683 base encryption-alg-base; 2684 description 2685 "SERPENT256-CBC"; 2686 reference 2687 "RFC 4253: 2688 The Secure Shell (SSH) Transport Layer Protocol"; 2689 } 2691 identity serpent192-cbc { 2692 base encryption-alg-base; 2693 description 2694 "SERPENT192-CBC"; 2695 reference 2696 "RFC 4253: 2697 The Secure Shell (SSH) Transport Layer Protocol"; 2698 } 2700 identity serpent128-cbc { 2701 base encryption-alg-base; 2702 description 2703 "SERPENT128-CBC"; 2704 reference 2705 "RFC 4253: 2706 The Secure Shell (SSH) Transport Layer Protocol"; 2707 } 2709 identity arcfour { 2710 base encryption-alg-base; 2711 status obsolete; 2712 description 2713 "ARCFOUR"; 2714 reference 2715 "RFC 8758: 2716 Deprecating RC4 in Secure Shell (SSH)"; 2717 } 2719 identity idea-cbc { 2720 base encryption-alg-base; 2721 description 2722 "IDEA-CBC"; 2723 reference 2724 "RFC 4253: 2726 The Secure Shell (SSH) Transport Layer Protocol"; 2727 } 2729 identity cast128-cbc { 2730 base encryption-alg-base; 2731 description 2732 "CAST128-CBC"; 2733 reference 2734 "RFC 4253: 2735 The Secure Shell (SSH) Transport Layer Protocol"; 2736 } 2738 identity none { 2739 base encryption-alg-base; 2740 description 2741 "NONE"; 2742 reference 2743 "RFC 4253: 2744 The Secure Shell (SSH) Transport Layer Protocol"; 2745 } 2747 identity des-cbc { 2748 base encryption-alg-base; 2749 status obsolete; 2750 description 2751 "DES-CBC"; 2752 reference 2753 "FIPS 
46-3: 2754 Data Encryption Standard (DES)"; 2755 } 2757 identity arcfour128 { 2758 base encryption-alg-base; 2759 status obsolete; 2760 description 2761 "ARCFOUR128"; 2762 reference 2763 "RFC 8758: 2764 Deprecating RC4 in Secure Shell (SSH)"; 2765 } 2767 identity arcfour256 { 2768 base encryption-alg-base; 2769 status obsolete; 2770 description 2771 "ARCFOUR256"; 2772 reference 2773 "RFC 8758: 2775 Deprecating RC4 in Secure Shell (SSH)"; 2776 } 2778 identity aes128-ctr { 2779 base encryption-alg-base; 2780 description 2781 "AES128-CTR"; 2782 reference 2783 "RFC 4344: 2784 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2785 } 2787 identity aes192-ctr { 2788 base encryption-alg-base; 2789 description 2790 "AES192-CTR"; 2791 reference 2792 "RFC 4344: 2793 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2794 } 2796 identity aes256-ctr { 2797 base encryption-alg-base; 2798 description 2799 "AES256-CTR"; 2800 reference 2801 "RFC 4344: 2802 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2803 } 2805 identity triple-des-ctr { // YANG IDs cannot begin with a number 2806 base encryption-alg-base; 2807 description 2808 "3DES-CTR"; 2809 reference 2810 "RFC 4344: 2811 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2812 } 2814 identity blowfish-ctr { 2815 base encryption-alg-base; 2816 description 2817 "BLOWFISH-CTR"; 2818 reference 2819 "RFC 4344: 2820 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2821 } 2822 identity twofish128-ctr { 2823 base encryption-alg-base; 2824 description 2825 "TWOFISH128-CTR"; 2826 reference 2827 "RFC 4344: 2828 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2829 } 2831 identity twofish192-ctr { 2832 base encryption-alg-base; 2833 description 2834 "TWOFISH192-CTR"; 2835 reference 2836 "RFC 4344: 2837 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2838 } 2840 identity twofish256-ctr { 2841 base encryption-alg-base; 2842 description 2843 "TWOFISH256-CTR"; 2844 reference 2845 
"RFC 4344: 2846 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2847 } 2849 identity serpent128-ctr { 2850 base encryption-alg-base; 2851 description 2852 "SERPENT128-CTR"; 2853 reference 2854 "RFC 4344: 2855 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2856 } 2858 identity serpent192-ctr { 2859 base encryption-alg-base; 2860 description 2861 "SERPENT192-CTR"; 2862 reference 2863 "RFC 4344: 2864 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2865 } 2867 identity serpent256-ctr { 2868 base encryption-alg-base; 2869 description 2870 "SERPENT256-CTR"; 2871 reference 2872 "RFC 4344: 2873 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2874 } 2876 identity idea-ctr { 2877 base encryption-alg-base; 2878 description 2879 "IDEA-CTR"; 2880 reference 2881 "RFC 4344: 2882 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2883 } 2885 identity cast128-ctr { 2886 base encryption-alg-base; 2887 description 2888 "CAST128-CTR"; 2889 reference 2890 "RFC 4344: 2891 The Secure Shell (SSH) Transport Layer Encryption Modes"; 2892 } 2894 identity aead-aes-128-gcm { 2895 base encryption-alg-base; 2896 description 2897 "AEAD_AES_128_GCM"; 2898 reference 2899 "RFC 5647: 2900 AES Galois Counter Mode for the 2901 Secure Shell Transport Layer Protocol"; 2902 } 2904 identity aead-aes-256-gcm { 2905 base encryption-alg-base; 2906 description 2907 "AEAD_AES_256_GCM"; 2908 reference 2909 "RFC 5647: 2910 AES Galois Counter Mode for the 2911 Secure Shell Transport Layer Protocol"; 2912 } 2914 // Protocol-accessible Nodes 2916 container supported-algorithms { 2917 config false; 2918 description 2919 "A container for a list of encryption algorithms 2920 supported by the server."; 2921 leaf-list supported-algorithm { 2922 type identityref { 2923 base "sshea:encryption-alg-base"; 2924 } 2925 description 2926 "An encryption algorithm supported by the server."; 2927 } 2928 } 2930 } 2932 <CODE ENDS> 2934 A.2.
Initial Module for the "MAC Algorithm Names" Registry 2936 A.2.1. Data Model Overview 2938 This section provides an overview of the "iana-ssh-mac-algs" module 2939 in terms of its identities and protocol-accessible nodes. 2941 A.2.1.1. Identities 2943 The following diagram lists the base "identity" statements defined in 2944 the module, of which there is just one, and illustrates that all the 2945 derived identity statements are generated from the associated IANA- 2946 maintained registry [IANA-MAC-ALGS]. 2948 Identities: 2949 +-- mac-alg-base 2950 +-- 2952 | The diagram above uses syntax that is similar to but not 2953 | defined in [RFC8340]. 2955 A.2.1.2. Protocol-accessible Nodes 2957 The following tree diagram [RFC8340] lists all the protocol- 2958 accessible nodes defined in the "iana-ssh-mac-algs" module: 2960 module: iana-ssh-mac-algs 2961 +--ro supported-algorithms 2962 +--ro supported-algorithm* identityref 2964 Comments: 2966 * Protocol-accessible nodes are those nodes that are accessible when 2967 the module is "implemented", as described in Section 5.6.5 of 2968 [RFC7950]. 2970 A.2.2. Example Usage 2972 The following example illustrates operational state data indicating 2973 the SSH MAC algorithms supported by the server: 2975 <supported-algorithms 2976 xmlns="urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs" 2977 xmlns:sshma="urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs"> 2978 <supported-algorithm>sshma:hmac-sha2-256</supported-algorithm> 2979 <supported-algorithm>sshma:hmac-sha2-512</supported-algorithm> 2980 <supported-algorithm>sshma:aead-aes-256-gcm</supported-algorithm> 2981 </supported-algorithms> 2983 A.2.3. YANG Module 2985 Following are the complete contents of the initial IANA-maintained 2986 YANG module. Please note that the date "2021-06-01" reflects the day 2987 on which the extraction occurred.
2989 <CODE BEGINS> file "iana-ssh-mac-algs@2021-06-01.yang" 2991 module iana-ssh-mac-algs { 2992 yang-version 1.1; 2993 namespace "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs"; 2994 prefix sshma; 2996 organization 2997 "Internet Assigned Numbers Authority (IANA)"; 2999 contact 3000 "Postal: ICANN 3001 12025 Waterfront Drive, Suite 300 3002 Los Angeles, CA 90094-2536 3003 United States of America 3004 Tel: +1 310 301 5800 3005 Email: iana@iana.org"; 3007 description 3008 "This module defines identities for the MAC algorithms 3009 defined in the 'MAC Algorithm Names' sub-registry of the 3010 'Secure Shell (SSH) Protocol Parameters' registry maintained 3011 by IANA. 3013 Copyright (c) 2021 IETF Trust and the persons identified as 3014 authors of the code. All rights reserved. 3016 Redistribution and use in source and binary forms, with 3017 or without modification, is permitted pursuant to, and 3018 subject to the license terms contained in, the Simplified 3019 BSD License set forth in Section 4.c of the IETF Trust's 3020 Legal Provisions Relating to IETF Documents 3021 (https://trustee.ietf.org/license-info).
        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     identity mac-alg-base {
       description
         "Base identity used to identify message authentication
          code (MAC) algorithms.";
     }

     identity hmac-sha1 {
       base mac-alg-base;
       description
         "HMAC-SHA1";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-sha1-96 {
       base mac-alg-base;
       description
         "HMAC-SHA1-96";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-md5 {
       base mac-alg-base;
       description
         "HMAC-MD5";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-md5-96 {
       base mac-alg-base;
       description
         "HMAC-MD5-96";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity none {
       base mac-alg-base;
       description
         "NONE";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity aead-aes-128-gcm {
       base mac-alg-base;
       description
         "AEAD_AES_128_GCM";
       reference
         "RFC 5647:
            AES Galois Counter Mode for the
            Secure Shell Transport Layer Protocol";
     }

     identity aead-aes-256-gcm {
       base mac-alg-base;
       description
         "AEAD_AES_256_GCM";
       reference
         "RFC 5647:
            AES Galois Counter Mode for the
            Secure Shell Transport Layer Protocol";
     }

     identity hmac-sha2-256 {
       base mac-alg-base;
       description
         "HMAC-SHA2-256";
       reference
         "RFC 6668:
            SHA-2 Data Integrity Verification for the
            Secure Shell (SSH) Transport Layer
Protocol"; 3114 } 3116 identity hmac-sha2-512 { 3117 base mac-alg-base; 3118 description 3119 "HMAC-SHA2-512"; 3120 reference 3121 "RFC 6668: 3122 SHA-2 Data Integrity Verification for the 3123 Secure Shell (SSH) Transport Layer Protocol"; 3124 } 3126 // Protocol-accessible Nodes 3128 container supported-algorithms { 3129 config false; 3130 description 3131 "A container for a list of MAC algorithms 3132 supported by the server."; 3133 leaf-list supported-algorithm { 3134 type identityref { 3135 base "sshma:mac-alg-base"; 3136 } 3137 description 3138 "A MAC algorithm supported by the server."; 3139 } 3140 } 3142 } 3144 3146 A.3. Initial Module for the "Public Key Algorithm Names" Registry 3148 A.3.1. Data Model Overview 3150 This section provides an overview of the "iana-ssh-public-key-algs" 3151 module in terms of its identities and protocol-accessible nodes. 3153 A.3.1.1. Identities 3155 The following diagram lists the base "identity" statements defined in 3156 the module, of which there is just one, and illustrates that all the 3157 derived identity statements are generated from the associated IANA- 3158 maintained registry [IANA-PUBKEY-ALGS]. 3160 Identities: 3161 +-- public-key-alg-base 3162 +-- 3164 | The diagram above uses syntax that is similar to but not 3165 | defined in [RFC8340]. 3167 A.3.1.2. Protocol-accessible Nodes 3169 The following tree diagram [RFC8340] lists all the protocol- 3170 accessible nodes defined in the "iana-ssh-public-key-alg" module: 3172 module: iana-ssh-public-key-algs 3173 +--ro supported-algorithms 3174 +--ro supported-algorithm* identityref 3176 Comments: 3178 * Protocol-accessible nodes are those nodes that are accessible when 3179 the module is "implemented", as described in Section 5.6.5 of 3180 [RFC7950]. 3182 A.3.2. 
Example Usage 3184 The following example illustrates operational state data indicating 3185 the SSH public key algorithms supported by the server: 3187 =============== NOTE: '\' line wrapping per RFC 8792 ================ 3189 3193 sshpka:rsa-sha2-256 3194 sshpka:rsa-sha2-512 3195 sshpka:spki-sign-rsa 3196 sshpka:pgp-sign-dss 3197 sshpka:x509v3-rsa2048-sha256 3199 sshpka:ecdsa-sha2-nistp256 3201 sshpka:ecdsa-sha2-1.3.132.0.37 3203 sshpka:ssh-ed25519 3204 3206 A.3.3. YANG Module 3208 Following are the complete contents to the initial IANA-maintained 3209 YANG module. Please note that the date "2021-06-01" reflects the day 3210 on which the extraction occurred. 3212 file "iana-ssh-public-key-algs@2021-06-01.yang" 3214 module iana-ssh-public-key-algs { 3215 yang-version 1.1; 3216 namespace "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs"; 3217 prefix sshpka; 3219 organization 3220 "Internet Assigned Numbers Authority (IANA)"; 3222 contact 3223 "Postal: ICANN 3224 12025 Waterfront Drive, Suite 300 3225 Los Angeles, CA 90094-2536 3226 United States of America 3227 Tel: +1 310 301 5800 3228 Email: iana@iana.org"; 3230 description 3231 "This module defines identities for the public key algorithms 3232 defined in the 'Public Key Algorithm Names' sub-registry of the 3233 'Secure Shell (SSH) Protocol Parameters' registry maintained 3234 by IANA. 3236 Copyright (c) 2021 IETF Trust and the persons identified as 3237 authors of the code. All rights reserved. 3239 Redistribution and use in source and binary forms, with 3240 or without modification, is permitted pursuant to, and 3241 subject to the license terms contained in, the Simplified 3242 BSD License set forth in Section 4.c of the IETF Trust's 3243 Legal Provisions Relating to IETF Documents 3244 (https://trustee.ietf.org/license-info). 
        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     identity public-key-alg-base {
       description
         "Base identity used to identify public key algorithms.";
     }

     identity ssh-dss {
       base public-key-alg-base;
       description
         "SSH-DSS";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity ssh-rsa {
       base public-key-alg-base;
       description
         "SSH-RSA";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity rsa-sha2-256 {
       base public-key-alg-base;
       description
         "RSA-SHA2-256";
       reference
         "RFC 8332:
            Use of RSA Keys with SHA-256 and SHA-512
            in the Secure Shell (SSH) Protocol";
     }

     identity rsa-sha2-512 {
       base public-key-alg-base;
       description
         "RSA-SHA2-512";
       reference
         "RFC 8332:
            Use of RSA Keys with SHA-256 and SHA-512
            in the Secure Shell (SSH) Protocol";
     }

     identity spki-sign-rsa {
       base public-key-alg-base;
       description
         "SPKI-SIGN-RSA";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity spki-sign-dss {
       base public-key-alg-base;
       description
         "SPKI-SIGN-DSS";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity pgp-sign-rsa {
       base public-key-alg-base;
       description
         "PGP-SIGN-RSA";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity pgp-sign-dss {
       base public-key-alg-base;
       description
         "PGP-SIGN-DSS";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer
Protocol"; 3334 } 3336 identity null { 3337 base public-key-alg-base; 3338 description 3339 "NULL"; 3340 reference 3341 "RFC 4462: 3342 Generic Security Service Application Program Interface 3343 (GSS-API) Authentication and Key Exchange for the 3344 Secure Shell (SSH) Protocol"; 3345 } 3347 identity ecdsa-sha2-nistp256 { 3348 base public-key-alg-base; 3349 description 3350 "ECDSA-SHA2-NISTP256 (secp256r1)"; 3351 reference 3352 "RFC 5656: 3353 Elliptic Curve Algorithm Integration in the 3354 Secure Shell Transport Layer"; 3355 } 3357 identity ecdsa-sha2-nistp384 { 3358 base public-key-alg-base; 3359 description 3360 "ECDSA-SHA2-NISTP384 (secp384r1)"; 3361 reference 3362 "RFC 5656: 3363 Elliptic Curve Algorithm Integration in the 3364 Secure Shell Transport Layer"; 3365 } 3367 identity ecdsa-sha2-nistp521 { 3368 base public-key-alg-base; 3369 description 3370 "ECDSA-SHA2-NISTP521 (secp521r1)"; 3371 reference 3372 "RFC 5656: 3373 Elliptic Curve Algorithm Integration in the 3374 Secure Shell Transport Layer"; 3375 } 3377 identity ecdsa-sha2-1.3.132.0.1 { 3378 base public-key-alg-base; 3379 description 3380 "ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)"; 3381 reference 3382 "RFC 5656: 3383 Elliptic Curve Algorithm Integration in the 3384 Secure Shell Transport Layer"; 3385 } 3387 identity ecdsa-sha2-1.2.840.10045.3.1.1 { 3388 base public-key-alg-base; 3389 description 3390 "ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 3391 reference 3392 "RFC 5656: 3393 Elliptic Curve Algorithm Integration in the 3394 Secure Shell Transport Layer"; 3395 } 3397 identity ecdsa-sha2-1.3.132.0.33 { 3398 base public-key-alg-base; 3399 description 3400 "ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)"; 3401 reference 3402 "RFC 5656: 3403 Elliptic Curve Algorithm Integration in the 3404 Secure Shell Transport Layer"; 3405 } 3407 identity ecdsa-sha2-1.3.132.0.26 { 3408 base public-key-alg-base; 3409 description 3410 "ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)"; 3411 reference 3412 
"RFC 5656: 3413 Elliptic Curve Algorithm Integration in the 3414 Secure Shell Transport Layer"; 3415 } 3417 identity ecdsa-sha2-1.3.132.0.27 { 3418 base public-key-alg-base; 3419 description 3420 "ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)"; 3421 reference 3422 "RFC 5656: 3423 Elliptic Curve Algorithm Integration in the 3424 Secure Shell Transport Layer"; 3425 } 3427 identity ecdsa-sha2-1.3.132.0.16 { 3428 base public-key-alg-base; 3429 description 3430 "ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)"; 3431 reference 3432 "RFC 5656: 3433 Elliptic Curve Algorithm Integration in the 3434 Secure Shell Transport Layer"; 3435 } 3437 identity ecdsa-sha2-1.3.132.0.36 { 3438 base public-key-alg-base; 3439 description 3440 "ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)"; 3441 reference 3442 "RFC 5656: 3443 Elliptic Curve Algorithm Integration in the 3444 Secure Shell Transport Layer"; 3445 } 3446 identity ecdsa-sha2-1.3.132.0.37 { 3447 base public-key-alg-base; 3448 description 3449 "ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)"; 3450 reference 3451 "RFC 5656: 3452 Elliptic Curve Algorithm Integration in the 3453 Secure Shell Transport Layer"; 3454 } 3456 identity ecdsa-sha2-1.3.132.0.38 { 3457 base public-key-alg-base; 3458 description 3459 "ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)"; 3460 reference 3461 "RFC 5656: 3462 Elliptic Curve Algorithm Integration in the 3463 Secure Shell Transport Layer"; 3464 } 3466 identity x509v3-ssh-dss { 3467 base public-key-alg-base; 3468 description 3469 "X509V3-SSH-DSS"; 3470 reference 3471 "RFC 6187: 3472 X.509v3 Certificates for Secure Shell Authentication"; 3473 } 3475 identity x509v3-ssh-rsa { 3476 base public-key-alg-base; 3477 description 3478 "X509V3-SSH-RSA"; 3479 reference 3480 "RFC 6187: 3481 X.509v3 Certificates for Secure Shell Authentication"; 3482 } 3484 identity x509v3-rsa2048-sha256 { 3485 base public-key-alg-base; 3486 description 3487 "X509V3-RSA2048-SHA256"; 3488 reference 3489 "RFC 6187: 3490 X.509v3 
            Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-nistp256 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-NISTP256 (secp256r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-nistp384 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-NISTP384 (secp384r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-nistp521 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-NISTP521 (secp521r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.1 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.2.840.10045.3.1.1 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.33 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.26 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.27 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
       reference
         "RFC 6187:
            X.509v3
            Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.16 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.36 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.37 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.38 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity ssh-ed25519 {
       base public-key-alg-base;
       description
         "SSH-ED25519";
       reference
         "RFC 8709:
            Ed25519 and Ed448 Public Key Algorithms for the
            Secure Shell (SSH) Protocol";
     }

     identity ssh-ed448 {
       base public-key-alg-base;
       description
         "SSH-ED448";
       reference
         "RFC 8709:
            Ed25519 and Ed448 Public Key Algorithms for the
            Secure Shell (SSH) Protocol";
     }

     // Protocol-accessible Nodes

     container supported-algorithms {
       config false;
       description
         "A container for a list of public key algorithms
          supported by the server.";
       leaf-list supported-algorithm {
         type identityref {
           base "sshpka:public-key-alg-base";
         }
         description
           "A public key algorithm supported by the server.";
       }
     }

   }

   <CODE ENDS>

A.4.  Initial Module for the "Key Exchange Method Names" Registry

A.4.1.  Data Model Overview

   This section provides an overview of the "iana-ssh-key-exchange-algs"
   module in terms of its identities and protocol-accessible nodes.

A.4.1.1.  Identities

   The following diagram lists the base "identity" statements defined in
   the module, of which there is just one, and illustrates that all the
   derived identity statements are generated from the associated
   IANA-maintained registry [IANA-KEYEX-ALGS].

   Identities:
     +-- key-exchange-alg-base
         +-- <derived identities generated from the IANA registry>

   | The diagram above uses syntax that is similar to but not
   | defined in [RFC8340].

A.4.1.2.  Protocol-accessible Nodes

   The following tree diagram [RFC8340] lists all the
   protocol-accessible nodes defined in the
   "iana-ssh-key-exchange-algs" module:

   module: iana-ssh-key-exchange-algs
     +--ro supported-algorithms
        +--ro supported-algorithm*   identityref

   Comments:

   *  Protocol-accessible nodes are those nodes that are accessible when
      the module is "implemented", as described in Section 5.6.5 of
      [RFC7950].

A.4.2.  Example Usage

   The following example illustrates operational state data indicating
   the SSH key exchange algorithms supported by the server:

   <supported-algorithms
     xmlns="urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs"
     xmlns:sshkea="urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs">
     <supported-algorithm>sshkea:diffie-hellman-group-exchange-sha256</supported-algorithm>
     <supported-algorithm>sshkea:ecdh-sha2-nistp256</supported-algorithm>
     <supported-algorithm>sshkea:rsa2048-sha256</supported-algorithm>
     <supported-algorithm>sshkea:gss-group1-sha1-curve25519-sha256</supported-algorithm>
     <supported-algorithm>sshkea:gss-group14-sha1-nistp256</supported-algorithm>
     <supported-algorithm>sshkea:gss-gex-sha1-nistp256</supported-algorithm>
     <supported-algorithm>sshkea:gss-group14-sha256-1.2.840.10045.3.1.1</supported-algorithm>
     <supported-algorithm>sshkea:curve25519-sha256</supported-algorithm>
   </supported-algorithms>

A.4.3.  YANG Module

   Following are the complete contents of the initial IANA-maintained
   YANG module.  Please note that the date "2021-06-01" reflects the day
   on which the extraction occurred.
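   Before the module text, a note for operators: the three modules in
   this appendix mirror the full IANA registries, so they deliberately
   carry identities for legacy algorithms ("hmac-md5", "none",
   "ssh-dss", "diffie-hellman-group1-sha1", the RFC 8732-deprecated
   "gss-*-sha1-*" methods) alongside current ones.  A server that
   reports such an identity in its "supported-algorithms" state is
   advertising that it will negotiate it.  The following added example,
   written for this page and not part of the draft or any IANA module,
   consumes the operational state shown in the A.2.2, A.3.2 and A.4.2
   examples and flags entries that fall outside an assumed hardening
   baseline.  The baseline (the WEAK table), the plain <data> wrapper
   element, the sample XML and the "kex" prefix are all constructed for
   the example.  The one point worth seeing in code is identityref
   resolution: per RFC 7950, Section 9.10.3, the value is
   "prefix:name" where the prefix is whatever xmlns declaration is in
   scope on the element, not necessarily the module's own prefix, and an
   unprefixed value uses the default namespace.

```python
import io
import xml.etree.ElementTree as ET

# Namespaces of the three IANA-maintained modules defined in this appendix.
NS_MAC = "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs"
NS_PK = "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs"
NS_KEX = "urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs"
MODULE = {NS_MAC: "iana-ssh-mac-algs", NS_PK: "iana-ssh-public-key-algs",
          NS_KEX: "iana-ssh-key-exchange-algs"}

# Assumed hardening baseline (constructed for this example, not from the
# draft): identities the audit rejects, keyed by module namespace.
WEAK = {
    NS_MAC: {"none": "no integrity protection",
             "hmac-md5": "MD5-based MAC", "hmac-md5-96": "truncated MD5-based MAC",
             "hmac-sha1": "SHA-1-based MAC (legacy)",
             "hmac-sha1-96": "truncated SHA-1-based MAC (legacy)"},
    NS_PK: {"ssh-dss": "DSA with SHA-1 signatures",
            "ssh-rsa": "RSA with SHA-1 signatures (RFC 8332 defines rsa-sha2-256/512)"},
    NS_KEX: {"diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
             "diffie-hellman-group14-sha1": "SHA-1 KEX (RFC 8268 defines group14-sha256)",
             "diffie-hellman-group-exchange-sha1": "SHA-1 group exchange"},
}


def parse_supported(xml_text):
    """Return [(module_namespace, identity_name), ...] for every
    <supported-algorithm> leaf of the three modules found in xml_text.
    The identityref prefix is resolved against the xmlns declarations in
    scope on the element (RFC 7950, Section 9.10.3); an unprefixed value
    resolves to the default namespace."""
    results = []
    scopes = [{}]   # one prefix -> namespace map per open element
    pending = {}    # xmlns declarations reported before the next 'start'
    events = ET.iterparse(io.StringIO(xml_text), events=("start-ns", "start", "end"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            pending[prefix] = uri          # prefix is "" for a default xmlns
        elif event == "start":
            scope = dict(scopes[-1])
            scope.update(pending)
            pending = {}
            scopes.append(scope)
        else:                              # "end": element text is complete
            scope = scopes.pop()
            if not payload.tag.startswith("{"):
                continue
            uri, local = payload.tag[1:].split("}", 1)
            if local != "supported-algorithm" or uri not in MODULE:
                continue
            value = (payload.text or "").strip()
            prefix, _, name = value.rpartition(":")
            if prefix not in scope:
                raise ValueError(f"undeclared prefix in identityref {value!r}")
            results.append((scope[prefix], name))
    return results


def classify(uri, name):
    """Reason the identity fails the baseline, or None if it passes."""
    if uri not in MODULE:
        return f"identity from a non-IANA module ({uri})"
    if name in WEAK[uri]:
        return WEAK[uri][name]
    # Every gss-*-sha1-* method carries 'status deprecated' in the module.
    if uri == NS_KEX and name.startswith("gss-") and "-sha1-" in name:
        return "SHA-1 GSS-API key exchange, deprecated by RFC 8732"
    return None


def audit(entries):
    """Return [(module_name, identity, reason), ...] for failing entries."""
    findings = []
    for uri, name in entries:
        reason = classify(uri, name)
        if reason:
            findings.append((MODULE.get(uri, uri), name, reason))
    return findings


# Constructed sample modelled on the A.2.2, A.3.2 and A.4.2 examples, with
# legacy entries, one unprefixed value and a non-module prefix ("kex") added.
SAMPLE = f"""<data>
  <supported-algorithms xmlns="{NS_MAC}" xmlns:sshma="{NS_MAC}">
    <supported-algorithm>sshma:hmac-sha2-256</supported-algorithm>
    <supported-algorithm>sshma:aead-aes-256-gcm</supported-algorithm>
    <supported-algorithm>sshma:hmac-md5-96</supported-algorithm>
    <supported-algorithm>hmac-sha1</supported-algorithm>
  </supported-algorithms>
  <supported-algorithms xmlns="{NS_PK}" xmlns:sshpka="{NS_PK}">
    <supported-algorithm>sshpka:rsa-sha2-512</supported-algorithm>
    <supported-algorithm>sshpka:ssh-ed25519</supported-algorithm>
    <supported-algorithm>sshpka:ssh-dss</supported-algorithm>
  </supported-algorithms>
  <supported-algorithms xmlns="{NS_KEX}" xmlns:kex="{NS_KEX}">
    <supported-algorithm>kex:curve25519-sha256</supported-algorithm>
    <supported-algorithm>kex:gss-group14-sha1-nistp256</supported-algorithm>
    <supported-algorithm>kex:diffie-hellman-group1-sha1</supported-algorithm>
  </supported-algorithms>
</data>"""

if __name__ == "__main__":
    for module, name, reason in audit(parse_supported(SAMPLE)):
        print(f"{module}: {name}: {reason}")
```

   Run against a real device, the input would be the reply to a NETCONF
   <get> (or RESTCONF GET on the operational datastore) for the three
   "supported-algorithms" containers; the parser does not depend on the
   reply's outer wrapper.  A prefix that is not declared in scope is
   rejected rather than guessed, because silently mapping it to the
   module's default prefix would let a malformed reply hide a weak
   algorithm from the audit.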
   <CODE BEGINS> file "iana-ssh-key-exchange-algs@2021-06-01.yang"

   module iana-ssh-key-exchange-algs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs";
     prefix sshkea;

     organization
       "Internet Assigned Numbers Authority (IANA)";

     contact
       "Postal: ICANN
                12025 Waterfront Drive, Suite 300
                Los Angeles, CA  90094-2536
                United States of America
        Tel:    +1 310 301 5800
        Email:  iana@iana.org";

     description
       "This module defines identities for the key exchange algorithms
        defined in the 'Key Exchange Method Names' sub-registry of the
        'Secure Shell (SSH) Protocol Parameters' registry maintained
        by IANA.

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).
        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     identity key-exchange-alg-base {
       description
         "Base identity used to identify key exchange algorithms.";
     }

     identity diffie-hellman-group-exchange-sha1 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1";
       reference
         "RFC 4419:
            Diffie-Hellman Group Exchange for the
            Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group-exchange-sha256 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256";
       reference
         "RFC 4419:
            Diffie-Hellman Group Exchange for the
            Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group1-sha1 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP1-SHA1";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group14-sha1 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP14-SHA1";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group14-sha256 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP14-SHA256";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure Shell (SSH)";
     }

     identity diffie-hellman-group15-sha512 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP15-SHA512";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure
Shell (SSH)"; 3818 } 3820 identity diffie-hellman-group16-sha512 { 3821 base key-exchange-alg-base; 3822 description 3823 "DIFFIE-HELLMAN-GROUP16-SHA512"; 3824 reference 3825 "RFC 8268: 3826 More Modular Exponentiation (MODP) Diffie-Hellman (DH) 3827 Key Exchange (KEX) Groups for Secure Shell (SSH)"; 3829 } 3831 identity diffie-hellman-group17-sha512 { 3832 base key-exchange-alg-base; 3833 description 3834 "DIFFIE-HELLMAN-GROUP17-SHA512"; 3835 reference 3836 "RFC 8268: 3837 More Modular Exponentiation (MODP) Diffie-Hellman (DH) 3838 Key Exchange (KEX) Groups for Secure Shell (SSH)"; 3839 } 3841 identity diffie-hellman-group18-sha512 { 3842 base key-exchange-alg-base; 3843 description 3844 "DIFFIE-HELLMAN-GROUP18-SHA512"; 3845 reference 3846 "RFC 8268: 3847 More Modular Exponentiation (MODP) Diffie-Hellman (DH) 3848 Key Exchange (KEX) Groups for Secure Shell (SSH)"; 3849 } 3851 identity ecdh-sha2-nistp256 { 3852 base key-exchange-alg-base; 3853 description 3854 "ECDH-SHA2-NISTP256 (secp256r1)"; 3855 reference 3856 "RFC 5656: 3857 Elliptic Curve Algorithm Integration in the 3858 Secure Shell Transport Layer"; 3859 } 3861 identity ecdh-sha2-nistp384 { 3862 base key-exchange-alg-base; 3863 description 3864 "ECDH-SHA2-NISTP384 (secp384r1)"; 3865 reference 3866 "RFC 5656: 3867 Elliptic Curve Algorithm Integration in the 3868 Secure Shell Transport Layer"; 3869 } 3871 identity ecdh-sha2-nistp521 { 3872 base key-exchange-alg-base; 3873 description 3874 "ECDH-SHA2-NISTP521 (secp521r1)"; 3875 reference 3876 "RFC 5656: 3878 Elliptic Curve Algorithm Integration in the 3879 Secure Shell Transport Layer"; 3880 } 3882 identity ecdh-sha2-1.3.132.0.1 { 3883 base key-exchange-alg-base; 3884 description 3885 "ECDH-SHA2-1.3.132.0.1 (nistk163, sect163k1)"; 3886 reference 3887 "RFC 5656: 3888 Elliptic Curve Algorithm Integration in the 3889 Secure Shell Transport Layer"; 3890 } 3892 identity ecdh-sha2-1.2.840.10045.3.1.1 { 3893 base key-exchange-alg-base; 3894 description 3895 
"ECDH-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 3896 reference 3897 "RFC 5656: 3898 Elliptic Curve Algorithm Integration in the 3899 Secure Shell Transport Layer"; 3900 } 3902 identity ecdh-sha2-1.3.132.0.33 { 3903 base key-exchange-alg-base; 3904 description 3905 "ECDH-SHA2-1.3.132.0.33 (nistp224, secp224r1)"; 3906 reference 3907 "RFC 5656: 3908 Elliptic Curve Algorithm Integration in the 3909 Secure Shell Transport Layer"; 3910 } 3912 identity ecdh-sha2-1.3.132.0.26 { 3913 base key-exchange-alg-base; 3914 description 3915 "ECDH-SHA2-1.3.132.0.26 (nistk233, sect233k1)"; 3916 reference 3917 "RFC 5656: 3918 Elliptic Curve Algorithm Integration in the 3919 Secure Shell Transport Layer"; 3920 } 3922 identity ecdh-sha2-1.3.132.0.27 { 3923 base key-exchange-alg-base; 3924 description 3925 "ECDH-SHA2-1.3.132.0.27 (nistb233, sect233r1)"; 3927 reference 3928 "RFC 5656: 3929 Elliptic Curve Algorithm Integration in the 3930 Secure Shell Transport Layer"; 3931 } 3933 identity ecdh-sha2-1.3.132.0.16 { 3934 base key-exchange-alg-base; 3935 description 3936 "ECDH-SHA2-1.3.132.0.16 (nistk283, sect283k1)"; 3937 reference 3938 "RFC 5656: 3939 Elliptic Curve Algorithm Integration in the 3940 Secure Shell Transport Layer"; 3941 } 3943 identity ecdh-sha2-1.3.132.0.36 { 3944 base key-exchange-alg-base; 3945 description 3946 "ECDH-SHA2-1.3.132.0.36 (nistk409, sect409k1)"; 3947 reference 3948 "RFC 5656: 3949 Elliptic Curve Algorithm Integration in the 3950 Secure Shell Transport Layer"; 3951 } 3953 identity ecdh-sha2-1.3.132.0.37 { 3954 base key-exchange-alg-base; 3955 description 3956 "ECDH-SHA2-1.3.132.0.37 (nistb409, sect409r1)"; 3957 reference 3958 "RFC 5656: 3959 Elliptic Curve Algorithm Integration in the 3960 Secure Shell Transport Layer"; 3961 } 3963 identity ecdh-sha2-1.3.132.0.38 { 3964 base key-exchange-alg-base; 3965 description 3966 "ECDH-SHA2-1.3.132.0.38 (nistt571, sect571k1)"; 3967 reference 3968 "RFC 5656: 3969 Elliptic Curve Algorithm Integration in the 3970 
Secure Shell Transport Layer"; 3971 } 3973 identity ecmqv-sha2 { 3974 base key-exchange-alg-base; 3975 description 3976 "ECMQV-SHA2"; 3977 reference 3978 "RFC 5656: 3979 Elliptic Curve Algorithm Integration in the 3980 Secure Shell Transport Layer"; 3981 } 3983 identity gss-group1-sha1-nistp256 { 3984 base key-exchange-alg-base; 3985 status deprecated; 3986 description 3987 "GSS-GROUP1-SHA1-NISTP256 (secp256r1)"; 3988 reference 3989 "RFC 8732: 3990 Generic Security Service Application Program Interface 3991 (GSS-API) Key Exchange with SHA-2"; 3992 } 3994 identity gss-group1-sha1-nistp384 { 3995 base key-exchange-alg-base; 3996 status deprecated; 3997 description 3998 "GSS-GROUP1-SHA1-NISTP384 (secp384r1)"; 3999 reference 4000 "RFC 8732: 4001 Generic Security Service Application Program Interface 4002 (GSS-API) Key Exchange with SHA-2"; 4003 } 4005 identity gss-group1-sha1-nistp521 { 4006 base key-exchange-alg-base; 4007 status deprecated; 4008 description 4009 "GSS-GROUP1-SHA1-NISTP521 (secp521r1)"; 4010 reference 4011 "RFC 8732: 4012 Generic Security Service Application Program Interface 4013 (GSS-API) Key Exchange with SHA-2"; 4014 } 4016 identity gss-group1-sha1-1.3.132.0.1 { 4017 base key-exchange-alg-base; 4018 status deprecated; 4019 description 4020 "GSS-GROUP1-SHA1-1.3.132.0.1 (nistk163, sect163k1)"; 4021 reference 4022 "RFC 8732: 4024 Generic Security Service Application Program Interface 4025 (GSS-API) Key Exchange with SHA-2"; 4026 } 4028 identity gss-group1-sha1-1.2.840.10045.3.1.1 { 4029 base key-exchange-alg-base; 4030 status deprecated; 4031 description 4032 "GSS-GROUP1-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 4033 reference 4034 "RFC 8732: 4035 Generic Security Service Application Program Interface 4036 (GSS-API) Key Exchange with SHA-2"; 4037 } 4039 identity gss-group1-sha1-1.3.132.0.33 { 4040 base key-exchange-alg-base; 4041 status deprecated; 4042 description 4043 "GSS-GROUP1-SHA1-1.3.132.0.33 (nistp224, secp224r1)"; 4044 reference 4045 
"RFC 8732: 4046 Generic Security Service Application Program Interface 4047 (GSS-API) Key Exchange with SHA-2"; 4048 } 4050 identity gss-group1-sha1-1.3.132.0.26 { 4051 base key-exchange-alg-base; 4052 status deprecated; 4053 description 4054 "GSS-GROUP1-SHA1-1.3.132.0.26 (nistk233, sect233k1)"; 4055 reference 4056 "RFC 8732: 4057 Generic Security Service Application Program Interface 4058 (GSS-API) Key Exchange with SHA-2"; 4059 } 4061 identity gss-group1-sha1-1.3.132.0.27 { 4062 base key-exchange-alg-base; 4063 status deprecated; 4064 description 4065 "GSS-GROUP1-SHA1-1.3.132.0.27 (nistb233, sect233r1)"; 4066 reference 4067 "RFC 8732: 4068 Generic Security Service Application Program Interface 4069 (GSS-API) Key Exchange with SHA-2"; 4070 } 4071 identity gss-group1-sha1-1.3.132.0.16 { 4072 base key-exchange-alg-base; 4073 status deprecated; 4074 description 4075 "GSS-GROUP1-SHA1-1.3.132.0.16 (nistk283, sect283k1)"; 4076 reference 4077 "RFC 8732: 4078 Generic Security Service Application Program Interface 4079 (GSS-API) Key Exchange with SHA-2"; 4080 } 4082 identity gss-group1-sha1-1.3.132.0.36 { 4083 base key-exchange-alg-base; 4084 status deprecated; 4085 description 4086 "GSS-GROUP1-SHA1-1.3.132.0.36 (nistk409, sect409k1)"; 4087 reference 4088 "RFC 8732: 4089 Generic Security Service Application Program Interface 4090 (GSS-API) Key Exchange with SHA-2"; 4091 } 4093 identity gss-group1-sha1-1.3.132.0.37 { 4094 base key-exchange-alg-base; 4095 status deprecated; 4096 description 4097 "GSS-GROUP1-SHA1-1.3.132.0.37 (nistb409, sect409r1)"; 4098 reference 4099 "RFC 8732: 4100 Generic Security Service Application Program Interface 4101 (GSS-API) Key Exchange with SHA-2"; 4102 } 4104 identity gss-group1-sha1-1.3.132.0.38 { 4105 base key-exchange-alg-base; 4106 status deprecated; 4107 description 4108 "GSS-GROUP1-SHA1-1.3.132.0.38 (nistt571, sect571k1)"; 4109 reference 4110 "RFC 8732: 4111 Generic Security Service Application Program Interface 4112 (GSS-API) Key 
         Exchange with SHA-2";
  }

  identity gss-group1-sha1-curve25519-sha256 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP1-SHA1-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group1-sha1-curve448-sha512 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP1-SHA1-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-nistp256 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-nistp384 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-nistp521 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.1 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.33 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.26 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.27 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.16 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.36 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.37 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-1.3.132.0.38 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-curve25519-sha256 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha1-curve448-sha512 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GROUP14-SHA1-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-nistp256 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-nistp384 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-nistp521 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.1 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.33 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.26 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.27 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.16 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.36 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.37 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-1.3.132.0.38 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-curve25519-sha256 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-gex-sha1-curve448-sha512 {
    base key-exchange-alg-base;
    status deprecated;
    description
      "GSS-GEX-SHA1-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity rsa1024-sha1 {
    base key-exchange-alg-base;
    description
      "RSA1024-SHA1";
    reference
      "RFC 4432:
         RSA Key Exchange for the Secure Shell (SSH)
         Transport Layer Protocol";
  }

  identity rsa2048-sha256 {
    base key-exchange-alg-base;
    description
      "RSA2048-SHA256";
    reference
      "RFC 4432:
         RSA Key Exchange for the Secure Shell (SSH)
         Transport Layer Protocol";
  }

  identity ext-info-s {
    base key-exchange-alg-base;
    description
      "EXT-INFO-S";
    reference
      "RFC 8308:
         Extension Negotiation in the Secure Shell (SSH) Protocol";
  }

  identity ext-info-c {
    base key-exchange-alg-base;
    description
      "EXT-INFO-C";
    reference
      "RFC 8308:
         Extension Negotiation in the Secure Shell (SSH) Protocol";
  }

  identity gss-group14-sha256-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group14-sha256-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP14-SHA256-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group15-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP15-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group16-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP16-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group17-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP17-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
reference 5567 "RFC 8732: 5569 Generic Security Service Application Program Interface 5570 (GSS-API) Key Exchange with SHA-2"; 5571 } 5573 identity gss-nistp521-sha512-1.3.132.0.37 { 5574 base key-exchange-alg-base; 5575 description 5576 "GSS-NISTP521-SHA512-1.3.132.0.37 (nistb409, sect409r1)"; 5577 reference 5578 "RFC 8732: 5579 Generic Security Service Application Program Interface 5580 (GSS-API) Key Exchange with SHA-2"; 5581 } 5583 identity gss-nistp521-sha512-1.3.132.0.38 { 5584 base key-exchange-alg-base; 5585 description 5586 "GSS-NISTP521-SHA512-1.3.132.0.38 (nistt571, sect571k1)"; 5587 reference 5588 "RFC 8732: 5589 Generic Security Service Application Program Interface 5590 (GSS-API) Key Exchange with SHA-2"; 5591 } 5593 identity gss-nistp521-sha512-curve25519-sha256 { 5594 base key-exchange-alg-base; 5595 description 5596 "GSS-NISTP521-SHA512-CURVE25519-SHA256"; 5597 reference 5598 "RFC 8732: 5599 Generic Security Service Application Program Interface 5600 (GSS-API) Key Exchange with SHA-2"; 5601 } 5603 identity gss-nistp521-sha512-curve448-sha512 { 5604 base key-exchange-alg-base; 5605 description 5606 "GSS-NISTP521-SHA512-CURVE448-SHA512"; 5607 reference 5608 "RFC 8732: 5609 Generic Security Service Application Program Interface 5610 (GSS-API) Key Exchange with SHA-2"; 5611 } 5613 identity gss-curve25519-sha256-nistp256 { 5614 base key-exchange-alg-base; 5615 description 5616 "GSS-CURVE25519-SHA256-NISTP256 (secp256r1)"; 5618 reference 5619 "RFC 8732: 5620 Generic Security Service Application Program Interface 5621 (GSS-API) Key Exchange with SHA-2"; 5622 } 5624 identity gss-curve25519-sha256-nistp384 { 5625 base key-exchange-alg-base; 5626 description 5627 "GSS-CURVE25519-SHA256-NISTP384 (secp384r1)"; 5628 reference 5629 "RFC 8732: 5630 Generic Security Service Application Program Interface 5631 (GSS-API) Key Exchange with SHA-2"; 5632 } 5634 identity gss-curve25519-sha256-nistp521 { 5635 base key-exchange-alg-base; 5636 description 5637 
"GSS-CURVE25519-SHA256-NISTP521 (secp521r1)"; 5638 reference 5639 "RFC 8732: 5640 Generic Security Service Application Program Interface 5641 (GSS-API) Key Exchange with SHA-2"; 5642 } 5644 identity gss-curve25519-sha256-1.3.132.0.1 { 5645 base key-exchange-alg-base; 5646 description 5647 "GSS-CURVE25519-SHA256-1.3.132.0.1 (nistk163, sect163k1)"; 5648 reference 5649 "RFC 8732: 5650 Generic Security Service Application Program Interface 5651 (GSS-API) Key Exchange with SHA-2"; 5652 } 5654 identity gss-curve25519-sha256-1.2.840.10045.3.1.1 { 5655 base key-exchange-alg-base; 5656 description 5657 "GSS-CURVE25519-SHA256-1.2.840.10045.3.1.1 (nistp192, 5658 secp192r1)"; 5659 reference 5660 "RFC 8732: 5661 Generic Security Service Application Program Interface 5662 (GSS-API) Key Exchange with SHA-2"; 5663 } 5665 identity gss-curve25519-sha256-1.3.132.0.33 { 5666 base key-exchange-alg-base; 5667 description 5668 "GSS-CURVE25519-SHA256-1.3.132.0.33 (nistp224, secp224r1)"; 5669 reference 5670 "RFC 8732: 5671 Generic Security Service Application Program Interface 5672 (GSS-API) Key Exchange with SHA-2"; 5673 } 5675 identity gss-curve25519-sha256-1.3.132.0.26 { 5676 base key-exchange-alg-base; 5677 description 5678 "GSS-CURVE25519-SHA256-1.3.132.0.26 (nistk233, sect233k1)"; 5679 reference 5680 "RFC 8732: 5681 Generic Security Service Application Program Interface 5682 (GSS-API) Key Exchange with SHA-2"; 5683 } 5685 identity gss-curve25519-sha256-1.3.132.0.27 { 5686 base key-exchange-alg-base; 5687 description 5688 "GSS-CURVE25519-SHA256-1.3.132.0.27 (nistb233, sect233r1)"; 5689 reference 5690 "RFC 8732: 5691 Generic Security Service Application Program Interface 5692 (GSS-API) Key Exchange with SHA-2"; 5693 } 5695 identity gss-curve25519-sha256-1.3.132.0.16 { 5696 base key-exchange-alg-base; 5697 description 5698 "GSS-CURVE25519-SHA256-1.3.132.0.16 (nistk283, sect283k1)"; 5699 reference 5700 "RFC 8732: 5701 Generic Security Service Application Program Interface 5702 (GSS-API) 
Key Exchange with SHA-2"; 5703 } 5705 identity gss-curve25519-sha256-1.3.132.0.36 { 5706 base key-exchange-alg-base; 5707 description 5708 "GSS-CURVE25519-SHA256-1.3.132.0.36 (nistk409, sect409k1)"; 5709 reference 5710 "RFC 8732: 5711 Generic Security Service Application Program Interface 5712 (GSS-API) Key Exchange with SHA-2"; 5713 } 5714 identity gss-curve25519-sha256-1.3.132.0.37 { 5715 base key-exchange-alg-base; 5716 description 5717 "GSS-CURVE25519-SHA256-1.3.132.0.37 (nistb409, sect409r1)"; 5718 reference 5719 "RFC 8732: 5720 Generic Security Service Application Program Interface 5721 (GSS-API) Key Exchange with SHA-2"; 5722 } 5724 identity gss-curve25519-sha256-1.3.132.0.38 { 5725 base key-exchange-alg-base; 5726 description 5727 "GSS-CURVE25519-SHA256-1.3.132.0.38 (nistt571, sect571k1)"; 5728 reference 5729 "RFC 8732: 5730 Generic Security Service Application Program Interface 5731 (GSS-API) Key Exchange with SHA-2"; 5732 } 5734 identity gss-curve25519-sha256-curve25519-sha256 { 5735 base key-exchange-alg-base; 5736 description 5737 "GSS-CURVE25519-SHA256-CURVE25519-SHA256"; 5738 reference 5739 "RFC 8732: 5740 Generic Security Service Application Program Interface 5741 (GSS-API) Key Exchange with SHA-2"; 5742 } 5744 identity gss-curve25519-sha256-curve448-sha512 { 5745 base key-exchange-alg-base; 5746 description 5747 "GSS-CURVE25519-SHA256-CURVE448-SHA512"; 5748 reference 5749 "RFC 8732: 5750 Generic Security Service Application Program Interface 5751 (GSS-API) Key Exchange with SHA-2"; 5752 } 5754 identity gss-curve448-sha512-nistp256 { 5755 base key-exchange-alg-base; 5756 description 5757 "GSS-CURVE448-SHA512-NISTP256 (secp256r1)"; 5758 reference 5759 "RFC 8732: 5760 Generic Security Service Application Program Interface 5761 (GSS-API) Key Exchange with SHA-2"; 5763 } 5765 identity gss-curve448-sha512-nistp384 { 5766 base key-exchange-alg-base; 5767 description 5768 "GSS-CURVE448-SHA512-NISTP384 (secp384r1)"; 5769 reference 5770 "RFC 8732: 5771 
Generic Security Service Application Program Interface 5772 (GSS-API) Key Exchange with SHA-2"; 5773 } 5775 identity gss-curve448-sha512-nistp521 { 5776 base key-exchange-alg-base; 5777 description 5778 "GSS-CURVE448-SHA512-NISTP521 (secp521r1)"; 5779 reference 5780 "RFC 8732: 5781 Generic Security Service Application Program Interface 5782 (GSS-API) Key Exchange with SHA-2"; 5783 } 5785 identity gss-curve448-sha512-1.3.132.0.1 { 5786 base key-exchange-alg-base; 5787 description 5788 "GSS-CURVE448-SHA512-1.3.132.0.1 (nistk163, sect163k1)"; 5789 reference 5790 "RFC 8732: 5791 Generic Security Service Application Program Interface 5792 (GSS-API) Key Exchange with SHA-2"; 5793 } 5795 identity gss-curve448-sha512-1.2.840.10045.3.1.1 { 5796 base key-exchange-alg-base; 5797 description 5798 "GSS-CURVE448-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 5799 reference 5800 "RFC 8732: 5801 Generic Security Service Application Program Interface 5802 (GSS-API) Key Exchange with SHA-2"; 5803 } 5805 identity gss-curve448-sha512-1.3.132.0.33 { 5806 base key-exchange-alg-base; 5807 description 5808 "GSS-CURVE448-SHA512-1.3.132.0.33 (nistp224, secp224r1)"; 5809 reference 5810 "RFC 8732: 5812 Generic Security Service Application Program Interface 5813 (GSS-API) Key Exchange with SHA-2"; 5814 } 5816 identity gss-curve448-sha512-1.3.132.0.26 { 5817 base key-exchange-alg-base; 5818 description 5819 "GSS-CURVE448-SHA512-1.3.132.0.26 (nistk233, sect233k1)"; 5820 reference 5821 "RFC 8732: 5822 Generic Security Service Application Program Interface 5823 (GSS-API) Key Exchange with SHA-2"; 5824 } 5826 identity gss-curve448-sha512-1.3.132.0.27 { 5827 base key-exchange-alg-base; 5828 description 5829 "GSS-CURVE448-SHA512-1.3.132.0.27 (nistb233, sect233r1)"; 5830 reference 5831 "RFC 8732: 5832 Generic Security Service Application Program Interface 5833 (GSS-API) Key Exchange with SHA-2"; 5834 } 5836 identity gss-curve448-sha512-1.3.132.0.16 { 5837 base key-exchange-alg-base; 5838 
description 5839 "GSS-CURVE448-SHA512-1.3.132.0.16 (nistk283, sect283k1)"; 5840 reference 5841 "RFC 8732: 5842 Generic Security Service Application Program Interface 5843 (GSS-API) Key Exchange with SHA-2"; 5844 } 5846 identity gss-curve448-sha512-1.3.132.0.36 { 5847 base key-exchange-alg-base; 5848 description 5849 "GSS-CURVE448-SHA512-1.3.132.0.36 (nistk409, sect409k1)"; 5850 reference 5851 "RFC 8732: 5852 Generic Security Service Application Program Interface 5853 (GSS-API) Key Exchange with SHA-2"; 5854 } 5856 identity gss-curve448-sha512-1.3.132.0.37 { 5857 base key-exchange-alg-base; 5858 description 5859 "GSS-CURVE448-SHA512-1.3.132.0.37 (nistb409, sect409r1)"; 5861 reference 5862 "RFC 8732: 5863 Generic Security Service Application Program Interface 5864 (GSS-API) Key Exchange with SHA-2"; 5865 } 5867 identity gss-curve448-sha512-1.3.132.0.38 { 5868 base key-exchange-alg-base; 5869 description 5870 "GSS-CURVE448-SHA512-1.3.132.0.38 (nistt571, sect571k1)"; 5871 reference 5872 "RFC 8732: 5873 Generic Security Service Application Program Interface 5874 (GSS-API) Key Exchange with SHA-2"; 5875 } 5877 identity gss-curve448-sha512-curve25519-sha256 { 5878 base key-exchange-alg-base; 5879 description 5880 "GSS-CURVE448-SHA512-CURVE25519-SHA256"; 5881 reference 5882 "RFC 8732: 5883 Generic Security Service Application Program Interface 5884 (GSS-API) Key Exchange with SHA-2"; 5885 } 5887 identity gss-curve448-sha512-curve448-sha512 { 5888 base key-exchange-alg-base; 5889 description 5890 "GSS-CURVE448-SHA512-CURVE448-SHA512"; 5891 reference 5892 "RFC 8732: 5893 Generic Security Service Application Program Interface 5894 (GSS-API) Key Exchange with SHA-2"; 5895 } 5897 identity curve25519-sha256 { 5898 base key-exchange-alg-base; 5899 description 5900 "CURVE25519-SHA256"; 5901 reference 5902 "RFC 8731: 5903 Secure Shell (SSH) Key Exchange Method 5904 Using Curve25519 and Curve448"; 5905 } 5907 identity curve448-sha512 { 5908 base key-exchange-alg-base; 5909 
description 5910 "CURVE448-SHA512"; 5911 reference 5912 "RFC 8731: 5913 Secure Shell (SSH) Key Exchange Method 5914 Using Curve25519 and Curve448"; 5915 } 5917 // Protocol-accessible Nodes 5919 container supported-algorithms { 5920 config false; 5921 description 5922 "A container for a list of key exchange algorithms 5923 supported by the server."; 5924 leaf-list supported-algorithm { 5925 type identityref { 5926 base "sshkea:key-exchange-alg-base"; 5927 } 5928 description 5929 "A key exchange algorithm supported by the server."; 5930 } 5931 } 5933 } 5935 5937 Appendix B. Change Log 5939 This section is to be removed before publishing as an RFC. 5941 B.1. 00 to 01 5943 * Noted that '0.0.0.0' and '::' might have special meanings. 5945 * Renamed "keychain" to "keystore". 5947 B.2. 01 to 02 5949 * Removed the groupings 'listening-ssh-client-grouping' and 5950 'listening-ssh-server-grouping'. Now modules only contain the 5951 transport-independent groupings. 5953 * Simplified the "client-auth" part in the ietf-ssh-client module. 5954 It now inlines what it used to point to keystore for. 5956 * Added cipher suites for various algorithms into new 'ietf-ssh- 5957 common' module. 5959 B.3. 02 to 03 5961 * Removed 'RESTRICTED' enum from 'password' leaf type. 5963 * Added a 'must' statement to container 'server-auth' asserting that 5964 at least one of the various auth mechanisms must be specified. 5966 * Fixed description statement for leaf 'trusted-ca-certs'. 5968 B.4. 03 to 04 5970 * Change title to "YANG Groupings for SSH Clients and SSH Servers" 5972 * Added reference to RFC 6668 5974 * Added RFC 8174 to Requirements Language Section. 5976 * Enhanced description statement for ietf-ssh-server's "trusted-ca- 5977 certs" leaf. 5979 * Added mandatory true to ietf-ssh-client's "client-auth" 'choice' 5980 statement. 5982 * Changed the YANG prefix for module ietf-ssh-common from 'sshcom' 5983 to 'sshcmn'. 
   *  Removed the compression algorithms as they are not commonly
      configurable in vendors' implementations.

   *  Updated descriptions in transport-params-grouping and the
      server's usage of it.

   *  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   *  Updated YANG to use typedefs around leafrefs to common keystore
      paths.

   *  Now inlines key and certificates (no longer a leafref to keystore).

B.5.  04 to 05

   *  Merged changes from co-author.

B.6.  05 to 06

   *  Updated to use trust anchors from trust-anchors draft (was
      keystore draft).

   *  Now uses new keystore grouping enabling asymmetric key to be
      either locally defined or a reference to the keystore.

B.7.  06 to 07

   *  Factored the ssh-[client|server]-groupings into more reusable
      groupings.

   *  Added if-feature statements for the new "ssh-host-keys" and
      "x509-certificates" features defined in draft-ietf-netconf-trust-
      anchors.

B.8.  07 to 08

   *  Added a number of compatibility matrices to Section 5 (thanks
      Frank!).

   *  Clarified that any configured "host-key-alg" values need to be
      compatible with the configured private key.

B.9.  08 to 09

   *  Updated examples to reflect update to groupings defined in the
      keystore -09 draft.

   *  Added SSH keepalive features and groupings.

   *  Prefixed top-level SSH grouping nodes with 'ssh-' and support
      mashups.

   *  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   *  Reformatted the YANG modules.

B.11.  10 to 11

   *  Reformatted lines causing folding to occur.

B.12.  11 to 12

   *  Collapsed all the inner groupings into the top-level grouping.

   *  Added a top-level "demux container" inside the top-level grouping.

   *  Added NACM statements and updated the Security Considerations
      section.

   *  Added "presence" statements on the "keepalive" containers, as was
      needed to address a validation error that appeared after adding
      the "must" statements into the NETCONF/RESTCONF client/server
      modules.

   *  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

B.13.  12 to 13

   *  Removed the "demux containers", floating the nacm:default-deny-
      write to each descendant node, and adding a note to model
      designers regarding the potential need to add their own demux
      containers.

   *  Fixed a couple of references (section 2 --> section 3).

   *  In the server model, replaced with and introduced 'local-or-
      external' choice.

B.14.  13 to 14

   *  Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
      anchors/truststore/g + s/pinned.//).

B.15.  14 to 15

   *  Updated examples to reflect ietf-crypto-types change (e.g.,
      identities --> enumerations).

   *  Updated "server-authentication" and "client-authentication" nodes
      from being a leaf of type "ts:host-keys-ref" or "ts:certificates-
      ref" to a container that uses "ts:local-or-truststore-host-keys-
      grouping" or "ts:local-or-truststore-certs-grouping".

B.16.  15 to 16

   *  Removed unnecessary if-feature statements in the -client and
      -server modules.

   *  Cleaned up some description statements in the -client and -server
      modules.

   *  Fixed a canonical ordering issue in ietf-ssh-common detected by
      new pyang.

B.17.  16 to 17

   *  Removed choice local-or-external by removing the 'external' case
      and flattening the 'local' case and adding a "local-users-
      supported" feature.

   *  Updated examples to include the "*-key-format" nodes.

   *  Augmented-in "must" expressions ensuring that locally-defined
      public-key-format are "ct:ssh-public-key-format" (must expr for
      ref'ed keys are TBD).

B.18.  17 to 18

   *  Removed leaf-list 'other' from ietf-ssh-server.

   *  Removed unused 'external-client-auth-supported' feature.

   *  Added features client-auth-password, client-auth-hostbased, and
      client-auth-none.

   *  Renamed 'host-key' to 'public-key' for when referring to
      'publickey' based auth.

   *  Added new feature-protected 'hostbased' and 'none' to the 'user'
      node's config.

   *  Added new feature-protected 'hostbased' and 'none' to the 'client-
      identity' node's config.

   *  Updated examples to reflect new "bag" addition to truststore.

   *  Refined truststore/keystore groupings to ensure the key formats
      "must" be particular values.

   *  Switched to using truststore's new "public-key" bag (instead of
      separate "ssh-public-key" and "raw-public-key" bags).

   *  Updated client/server examples to cover ALL cases (local/ref x
      cert/raw-key/psk).

B.19.  18 to 19

   *  Updated the "keepalives" containers to address Michal Vasko's
      request to align with RFC 8071.

   *  Removed algorithm-mapping tables from the "SSH Common Model"
      section.

   *  Removed 'algorithm' node from examples.

   *  Added feature "userauth-publickey".

   *  Removed "choice auth-type", as auth-types are not exclusive.

   *  Renamed both "client-certs" and "server-certs" to "ee-certs".

   *  Switched "must" to assert the public-key-format is "subject-public-
      key-info-format" when certificates are used.

   *  Added a "Note to Reviewers" note to first page.

B.20.  19 to 20

   *  Added a "must 'public-key or password or hostbased or none or
      certificate'" statement to the "user" node in ietf-ssh-client.

   *  Expanded the "Data Model Overview" section(s) [removed the "wall"
      of tree diagrams].

   *  Moved the "ietf-ssh-common" module section to precede the other
      two module sections.

   *  Updated the Security Considerations section.

B.21.  20 to 21

   *  Updated examples to reflect new "cleartext-" prefix in the crypto-
      types draft.

B.22.  21 to 22

   *  Cleaned up the SSH-client examples (i.e., removing FIXMEs).

   *  Fixed issues found by the SecDir review of the "keystore" draft.

   *  Updated the "ietf-ssh-client" module to use the new "password-
      grouping" grouping from the "crypto-types" module.

B.23.  22 to 23

   *  Addressed comments raised by YANG Doctor in the ct/ts/ks drafts.

B.24.  23 to 24

   *  Removed the 'supported-authentication-methods' from {grouping ssh-
      server-grouping}/client-authentication.

   *  Added an XML comment above the examples explaining the reason for
      the unexpected top-most element's presence.

   *  Added RFC references to various 'feature' statements.

   *  Renamed "credentials" to "authentication methods".

   *  Renamed "client-auth-*" to "userauth-*".

   *  Renamed "client-identity-*" to "userauth-*".

   *  Fixed nits found by YANG Doctor reviews.

   *  Aligned modules with `pyang -f` formatting.

   *  Added a 'Contributors' section.

B.25.  24 to 25

   *  Renamed "{ietf-ssh-client}userauth-*" to "client-ident-*".

   *  Renamed "{ietf-ssh-server}userauth-*" to "local-user-auth-*".

   *  Moved algorithms in ietf-ssh-common (plus more) to IANA-maintained
      modules.

   *  Added "config false" lists for algorithms supported by the server.

   *  Fixed issues found during YANG Doctor review.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on the list and in the halls (ordered by first name): Alan Luchuk,
   Andy Bierman, Balazs Kovacs, Benoit Claise, Bert Wijnen, David
   Lamparter, Gary Wu, Juergen Schoenwaelder, Ladislav Lhotka, Liang
   Xia, Martin Bjoerklund, Mehmet Ersue, Michal Vasko, Phil Shafer,
   Radek Krejci, Sean Turner, Tom Petch.

Contributors

   Special acknowledgement goes to Gary Wu for his work on the "ietf-
   ssh-common" module.

Author's Address

   Kent Watsen
   Watsen Networks

   Email: kent+ietf@watsen.net
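   The "supported-algorithms" container at the end of the key exchange
   module above is "config false" operational data whose leaf-list
   values are identityrefs that must be derived from
   "key-exchange-alg-base".  The following Python script is an added
   example, not part of this draft or of its YANG modules: it parses
   identity statements from a constructed excerpt written in the shape
   of the module, validates a JSON instance of the container (RFC 7951
   encoding, where an identityref is "module-name:identity-name"), and
   reports configured key-exchange algorithms that the server does not
   advertise.  The module name "iana-ssh-key-exchange-algs" (only the
   prefix "sshkea" appears in the draft), the stand-in base identity and
   the JSON instances are assumptions constructed for the example.

```python
import json
import re

# Assumption: the module behind the 'sshkea' prefix is named
# 'iana-ssh-key-exchange-algs'; the draft text shows only the prefix.
MODULE_NAME = "iana-ssh-key-exchange-algs"
BASE_IDENTITY = "key-exchange-alg-base"

# Constructed excerpt in the shape of the module's identity statements.
# 'curve25519-sha256' and the gss- identity mirror the draft; the base
# identity is a stand-in for the one the module defines earlier, and
# 'not-a-kex-alg' is an unrelated identity used to exercise the check.
YANG_EXCERPT = """
  identity key-exchange-alg-base {
    description
      "Root identity for key exchange algorithms (constructed stand-in).";
  }

  identity curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "CURVE25519-SHA256";
    reference
      "RFC 8731:
         Secure Shell (SSH) Key Exchange Method
         Using Curve25519 and Curve448";
  }

  identity gss-curve25519-sha256-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-CURVE25519-SHA256";
  }

  identity not-a-kex-alg {
    description
      "Constructed identity that is not a key exchange algorithm.";
  }
"""

# Identity bodies in this module contain no nested braces, so a
# non-greedy "up to the next '}'" match is sufficient.
IDENTITY_RE = re.compile(r"identity\s+([A-Za-z0-9_.\-]+)\s*\{([^}]*)\}")
BASE_RE = re.compile(r'\bbase\s+"?([A-Za-z0-9_.:\-]+)"?\s*;')


def parse_identities(yang_text):
    """Map identity name -> base identity name (None for a root identity)."""
    identities = {}
    for name, body in IDENTITY_RE.findall(yang_text):
        m = BASE_RE.search(body)
        # Strip any prefix ("sshkea:") so names compare within one module.
        identities[name] = m.group(1).split(":")[-1] if m else None
    return identities


def derived_from(identities, name, base):
    """YANG derived-from-or-self: follow the base chain up to 'base'."""
    seen = set()
    while name is not None and name not in seen:
        if name == base:
            return True
        seen.add(name)
        name = identities.get(name)
    return False


def split_identityref(value):
    """Split an RFC 7951 identityref into (module, identity).

    An unqualified value is taken to belong to the leaf's own module
    (assumption used by this example)."""
    module, sep, ident = value.rpartition(":")
    return (module, ident) if sep else (MODULE_NAME, value)


def validate_supported_algorithms(instance, identities):
    """Return a list of problems found in a JSON 'supported-algorithms' instance."""
    top = f"{MODULE_NAME}:supported-algorithms"
    container = instance.get(top)
    if container is None:
        return [f"missing top-level node {top}"]
    problems = []
    for value in container.get("supported-algorithm", []):
        module, ident = split_identityref(value)
        if module != MODULE_NAME:
            problems.append(f"{value}: identity from unknown module {module}")
        elif ident not in identities:
            problems.append(f"{value}: identity not defined in {MODULE_NAME}")
        elif not derived_from(identities, ident, BASE_IDENTITY):
            problems.append(f"{value}: not derived from {BASE_IDENTITY}")
    return problems


def unsupported_configured(configured, instance):
    """Configured key-exchange algorithms the server does not advertise."""
    container = instance.get(f"{MODULE_NAME}:supported-algorithms", {})
    advertised = {split_identityref(v) for v in container.get("supported-algorithm", [])}
    return [alg for alg in configured if split_identityref(alg) not in advertised]


# Constructed JSON instances of the config-false container as a server
# might return them over RESTCONF; one entry is deliberately unqualified.
SAMPLE_INSTANCE = json.loads("""
{
  "iana-ssh-key-exchange-algs:supported-algorithms": {
    "supported-algorithm": [
      "iana-ssh-key-exchange-algs:curve25519-sha256",
      "gss-curve25519-sha256-curve25519-sha256"
    ]
  }
}
""")

BAD_INSTANCE = json.loads("""
{
  "iana-ssh-key-exchange-algs:supported-algorithms": {
    "supported-algorithm": [
      "iana-ssh-key-exchange-algs:not-a-kex-alg",
      "iana-ssh-key-exchange-algs:gss-made-up-alg",
      "other-module:curve25519-sha256"
    ]
  }
}
""")

if __name__ == "__main__":
    ids = parse_identities(YANG_EXCERPT)
    print(validate_supported_algorithms(SAMPLE_INSTANCE, ids))
    print(validate_supported_algorithms(BAD_INSTANCE, ids))
    print(unsupported_configured(
        ["iana-ssh-key-exchange-algs:curve25519-sha256", "curve448-sha512"],
        SAMPLE_INSTANCE))
```

   The derived-from walk is what an identityref validation actually
   requires: an identity that exists in the module but has no base in
   "key-exchange-alg-base" (such as the constructed "not-a-kex-alg") is
   a type error, not merely an unknown name, and a value qualified with
   a different module name cannot be resolved against this module at
   all.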