idnits 2.17.1 draft-ietf-netconf-ssh-client-server-28.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 422 has weird spacing: '...-format ide...'

  == Line 1311 has weird spacing: '...ificate has a...'

  -- The document date (24 May 2022) is 703 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-34) exists of
     draft-ietf-netconf-crypto-types-22

  == Outdated reference: A later version (-35) exists of
     draft-ietf-netconf-keystore-24

  == Outdated reference: A later version (-28) exists of
     draft-ietf-netconf-trust-anchors-17

  == Outdated reference: A later version (-20) exists of
     draft-ietf-netconf-http-client-server-09

  == Outdated reference: A later version (-36) exists of
     draft-ietf-netconf-netconf-client-server-25

  == Outdated reference: A later version (-36) exists of
     draft-ietf-netconf-restconf-client-server-25

  == Outdated reference: A later version (-40) exists of
     draft-ietf-netconf-ssh-client-server-27

  == Outdated reference: A later version (-26) exists of
     draft-ietf-netconf-tcp-client-server-12

  == Outdated reference: A later version (-41) exists of
     draft-ietf-netconf-tls-client-server-27

     Summary: 0 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

NETCONF Working Group                                          K. Watsen
Internet-Draft                                          Watsen Networks
Intended status: Standards Track                            24 May 2022
Expires: 25 November 2022

            YANG Groupings for SSH Clients and SSH Servers
                draft-ietf-netconf-ssh-client-server-28

Abstract

   This document defines three YANG 1.1 modules: the first defines
   features and groupings common to both SSH clients and SSH servers,
   the second defines a grouping for a generic SSH client, and the third
   defines a grouping for a generic SSH server.

Editorial Note (To be removed by RFC Editor)

   This draft contains placeholder values that need to be replaced with
   finalized values at the time of publication.  This note summarizes
   all of the substitutions that are needed.  No other RFC Editor
   instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   *  AAAA --> the assigned RFC value for draft-ietf-netconf-crypto-types

   *  BBBB --> the assigned RFC value for draft-ietf-netconf-trust-anchors

   *  CCCC --> the assigned RFC value for draft-ietf-netconf-keystore

   *  DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client-server

   *  EEEE --> the assigned RFC value for this draft

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   *  2022-05-24 --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   *  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 November 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Relation to other RFCs
     1.2.  Specification Language
     1.3.  Adherence to the NMDA
     1.4.  Conventions
   2.  The "ietf-ssh-common" Module
     2.1.  Data Model Overview
     2.2.  Example Usage
     2.3.  YANG Module
   3.  The "ietf-ssh-client" Module
     3.1.  Data Model Overview
     3.2.  Example Usage
     3.3.  YANG Module
   4.  The "ietf-ssh-server" Module
     4.1.  Data Model Overview
     4.2.  Example Usage
     4.3.  YANG Module
   5.  Security Considerations
     5.1.  The "iana-ssh-key-exchange-algs" Module
     5.2.  The "iana-ssh-encryption-algs" Module
     5.3.  The "iana-ssh-mac-algs" Module
     5.4.  The "iana-ssh-public-key-algs" Module
     5.5.  The "ietf-ssh-common" YANG Module
     5.6.  The "ietf-ssh-client" YANG Module
     5.7.  The "ietf-ssh-server" YANG Module
   6.  IANA Considerations
     6.1.  The "IETF XML" Registry
     6.2.  The "YANG Module Names" Registry
     6.3.  The "iana-ssh-encryption-algs" Module
     6.4.  The "iana-ssh-mac-algs" Module
     6.5.  The "iana-ssh-public-key-algs" Module
     6.6.  The "iana-ssh-key-exchange-algs" Module
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  YANG Modules for IANA
     A.1.  Initial Module for the "Encryption Algorithm Names" Registry
       A.1.1.  Data Model Overview
       A.1.2.  Example Usage
       A.1.3.  YANG Module
     A.2.  Initial Module for the "MAC Algorithm Names" Registry
       A.2.1.  Data Model Overview
       A.2.2.  Example Usage
       A.2.3.  YANG Module
     A.3.  Initial Module for the "Public Key Algorithm Names" Registry
       A.3.1.  Data Model Overview
       A.3.2.  Example Usage
       A.3.3.  YANG Module
     A.4.  Initial Module for the "Key Exchange Method Names" Registry
       A.4.1.  Data Model Overview
       A.4.2.  Example Usage
       A.4.3.  YANG Module
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10. 09 to 10
     B.11. 10 to 11
     B.12. 11 to 12
     B.13. 12 to 13
     B.14. 13 to 14
     B.15. 14 to 15
     B.16. 15 to 16
     B.17. 16 to 17
     B.18. 17 to 18
     B.19. 18 to 19
     B.20. 19 to 20
     B.21. 20 to 21
     B.22. 21 to 22
     B.23. 22 to 23
     B.24. 23 to 24
     B.25. 24 to 25
     B.26. 25 to 26
     B.27. 26 to 27
     B.28. 27 to 28
   Acknowledgements
   Contributors
   Author's Address

1.  Introduction

   This document defines three YANG 1.1 [RFC7950] modules: the first
   defines features and groupings common to both SSH clients and SSH
   servers, the second defines a grouping for a generic SSH client, and
   the third defines a grouping for a generic SSH server.  It is
   intended that these groupings will be used by applications using the
   SSH protocol [RFC4252], [RFC4253], and [RFC4254].
   For instance, these groupings could be used to help define the data
   model for an OpenSSH [OPENSSH] server or a NETCONF over SSH [RFC6242]
   based server.

   The client and server YANG modules in this document each define one
   grouping, which is focused on just SSH-specific configuration, and
   specifically avoids any transport-level configuration, such as what
   ports to listen on or connect to.  This affords applications the
   opportunity to define their own strategy for how the underlying TCP
   connection is established.  For instance, applications supporting
   NETCONF Call Home [RFC8071] could use the "ssh-server-grouping"
   grouping for the SSH parts it provides, while adding data nodes for
   the TCP-level call-home configuration.

   The modules defined in this document use groupings defined in
   [I-D.ietf-netconf-keystore] enabling keys to be either locally
   defined or a reference to globally configured values.

   The modules defined in this document optionally support [RFC6187]
   enabling X.509v3 certificate based host keys and public keys.

1.1.  Relation to other RFCs

   This document presents one or more YANG modules [RFC7950] that are
   part of a collection of RFCs that work together to, ultimately,
   enable the configuration of the clients and servers of both the
   NETCONF [RFC6241] and RESTCONF [RFC8040] protocols.

   The modules have been defined in a modular fashion to enable their
   use by other efforts, some of which are known to be in progress at
   the time of this writing, with many more expected to be defined in
   time.

   The normative dependency relationship between the various RFCs in the
   collection is presented in the below diagram.  The labels in the
   diagram represent the primary purpose provided by each RFC.
   Hyperlinks to each RFC are provided below the diagram.

                               crypto-types
                                ^         ^
                               /           \
                              /             \
                    truststore                keystore
                      ^      ^                  ^   ^
                      |      +---------+        |   |
                      |                |        |   |
                      |            +------------+   |
tcp-client-server     |           /    |            |
    ^       ^   ssh-client-server      |            |
    |       |           ^           tls-client-server
    |       |           |              ^    ^        http-client-server
    |       |           |              |    |              ^
    |       |           |        +-----+    +---------+    |
    |       |           |        |                    |    |
    |       +-----------|--------|--------------+     |    |
    |                   |        |              |     |    |
    +-----------+       |        |              |     |    |
                |       |        |              |     |    |
                |       |        |              |     |    |
             netconf-client-server          restconf-client-server

   +=======================+===========================================+
   |Label in Diagram       | Originating RFC                           |
   +=======================+===========================================+
   |crypto-types           | [I-D.ietf-netconf-crypto-types]           |
   +-----------------------+-------------------------------------------+
   |truststore             | [I-D.ietf-netconf-trust-anchors]          |
   +-----------------------+-------------------------------------------+
   |keystore               | [I-D.ietf-netconf-keystore]               |
   +-----------------------+-------------------------------------------+
   |tcp-client-server      | [I-D.ietf-netconf-tcp-client-server]      |
   +-----------------------+-------------------------------------------+
   |ssh-client-server      | [I-D.ietf-netconf-ssh-client-server]      |
   +-----------------------+-------------------------------------------+
   |tls-client-server      | [I-D.ietf-netconf-tls-client-server]      |
   +-----------------------+-------------------------------------------+
   |http-client-server     | [I-D.ietf-netconf-http-client-server]     |
   +-----------------------+-------------------------------------------+
   |netconf-client-server  | [I-D.ietf-netconf-netconf-client-server]  |
   +-----------------------+-------------------------------------------+
   |restconf-client-server | [I-D.ietf-netconf-restconf-client-server] |
   +-----------------------+-------------------------------------------+

                      Table 1: Label to RFC Mapping

1.2.  Specification Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.3.  Adherence to the NMDA

   This document is compliant with the Network Management Datastore
   Architecture (NMDA) [RFC8342].  For instance, as described in
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore],
   trust anchors and keys installed during manufacturing are expected to
   appear in <operational>.

1.4.  Conventions

   Various examples used in this document use a placeholder value for
   binary data that has been base64 encoded (e.g., "BASE64VALUE=").
   This placeholder value is used as real base64 encoded structures are
   often many lines long and hence distracting to the example being
   presented.

2.  The "ietf-ssh-common" Module

   The SSH common model presented in this section contains features and
   groupings common to both SSH clients and SSH servers.  The
   "transport-params-grouping" grouping can be used to configure the
   list of SSH transport algorithms permitted by the SSH client or SSH
   server.  The lists of permitted algorithms are in decreasing order of
   usage preference.  The algorithm that appears first in the client
   list that also appears in the server list is the one that is used for
   the SSH transport layer connection.  The ability to restrict the
   algorithms allowed is provided in this grouping for SSH clients and
   SSH servers that are capable of doing so and may serve to make SSH
   clients and SSH servers compliant with security policies.

2.1.  Data Model Overview

   This section provides an overview of the "ietf-ssh-common" module in
   terms of its features, identities, and groupings.

2.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-ssh-common" module:

   Features:
     +-- ssh-x509-certs
     +-- transport-params
     +-- public-key-generation

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

2.1.2.  Groupings

   The "ietf-ssh-common" module defines the following "grouping"
   statement:

   *  transport-params-grouping

   This grouping is presented in the following subsection.

2.1.2.1.  The "transport-params-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the "transport-
   params-grouping" grouping:

   grouping transport-params-grouping:
     +-- host-key
     |  +-- host-key-alg*         identityref
     +-- key-exchange
     |  +-- key-exchange-alg*     identityref
     +-- encryption
     |  +-- encryption-alg*       identityref
     +-- mac
        +-- mac-alg*              identityref

   Comments:

   *  This grouping is used by both the "ssh-client-grouping" and the
      "ssh-server-grouping" groupings defined in Section 3.1.2.1 and
      Section 4.1.2.1, respectively.

   *  This grouping enables client and server configurations to specify
      the algorithms that are to be used when establishing SSH sessions.

   *  Each list is "ordered-by user".

2.1.3.  Protocol-accessible Nodes

   The following tree diagram [RFC8340] lists all the protocol-
   accessible nodes defined in the "ietf-ssh-common" module, without
   expanding the "grouping" statements:

   module: ietf-ssh-common

     rpcs:
       +---x generate-public-key {public-key-generation}?
          +---w input
          |  +---w algorithm    sshpka:public-key-algorithm-ref
          |  +---w bits?        uint16
          |  +---w (private-key-encoding)?
          |     +--:(cleartext)
          |     |  +---w cleartext?   empty
          |     +--:(encrypt) {ct:private-key-encryption}?
          |     |  +---w encrypt-with
          |     |     +---w ks:encrypted-by-choice-grouping
          |     +--:(hide) {ct:hidden-keys}?
          |        +---w hide?        empty
          +--ro output
             +---u ct:asymmetric-key-pair-grouping

   The following tree diagram [RFC8340] lists all the protocol-
   accessible nodes defined in the "ietf-ssh-common" module, with all
   "grouping" statements expanded, enabling the module's full structure
   to be seen:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   module: ietf-ssh-common

     rpcs:
       +---x generate-public-key {public-key-generation}?
          +---w input
          |  +---w algorithm    sshpka:public-key-algorithm-ref
          |  +---w bits?        uint16
          |  +---w (private-key-encoding)?
          |     +--:(cleartext)
          |     |  +---w cleartext?   empty
          |     +--:(encrypt) {ct:private-key-encryption}?
          |     |  +---w encrypt-with
          |     |     +---w (encrypted-by-choice)
          |     |        +--:(symmetric-key-ref)
          |     |        |        {central-keystore-supported,symmetric\
   -keys}?
          |     |        |  +---w symmetric-key-ref?
          |     |        |          ks:symmetric-key-ref
          |     |        +--:(asymmetric-key-ref)
          |     |                 {central-keystore-supported,asymmetri\
   c-keys}?
          |     |           +---w asymmetric-key-ref?
          |     |                   ks:asymmetric-key-ref
          |     +--:(hide) {ct:hidden-keys}?
          |        +---w hide?        empty
          +--ro output
             +--ro public-key-format           identityref
             +--ro public-key                  binary
             +--ro private-key-format?         identityref
             +--ro (private-key-type)
                +--:(cleartext-private-key)
                |  +--ro cleartext-private-key?   binary
                +--:(hidden-private-key) {hidden-keys}?
                |  +--ro hidden-private-key?      empty
                +--:(encrypted-private-key) {private-key-encryption}?
                   +--ro encrypted-private-key
                      +--ro encrypted-by
                      +--ro encrypted-value-format   identityref
                      +--ro encrypted-value          binary

   Comments:

   *  Protocol-accessible nodes are those nodes that are accessible when
      the module is "implemented", as described in Section 5.6.5 of
      [RFC7950].

   *  The protocol-accessible nodes for the "ietf-ssh-common" module are
      limited to the RPC "generate-public-key", which is additionally
      constrained by the feature "public-key-generation".

   *  The "encrypted-by-choice-grouping" grouping is discussed in
      Section 2.1.3.1 of [I-D.ietf-netconf-keystore].

   *  The "asymmetric-key-pair-grouping" grouping is discussed in
      Section 2.1.4.5 of [I-D.ietf-netconf-crypto-types].

2.2.  Example Usage

   The following example illustrates the "transport-params-grouping"
   grouping when populated with some data.

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   [The XML element markup of this example did not survive extraction;
   the configured values, in document order, are:]

     host-key-alg:       sshpka:x509v3-rsa2048-sha256
                         sshpka:ssh-rsa
     key-exchange-alg:   sshkea:diffie-hellman-group-exchange-sha256
     encryption-alg:     sshea:aes256-ctr
                         sshea:aes192-ctr
                         sshea:aes128-ctr
                         sshea:aes256-cbc
                         sshea:aes192-cbc
                         sshea:aes128-cbc
     mac-alg:            sshma:hmac-sha2-256
                         sshma:hmac-sha2-512

   The following example illustrates the "generate-public-key" RPC.

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   [The XML element markup of this example did not survive extraction;
   the values, in document order, are:]

     algorithm:          sshpka:ecdsa-sha2-nistp256
     bits:               521
     (element not recovered)  hidden-asymmetric-key

2.3.  YANG Module

   This YANG module has normative references to [RFC4253], [RFC4344],
   [RFC4419], [RFC5656], [RFC6187], and [RFC6668].
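   The selection rule stated in Section 2 (for each category, the first
   algorithm in the client's ordered list that also appears in the
   server's list is the one used), applied to the transport-params
   values of the example above. This is an added example, not code from
   the draft: the client lists are the identities from Section 2.2, the
   server lists and the fallback lists that stand in for the
   "implementation-defined" behaviour of an unconfigured leaf-list are
   constructed here.

```python
"""Added example, not part of the draft: the per-category selection rule
from Section 2 applied to two "transport-params-grouping" instances."""
from __future__ import annotations

from typing import Dict, List, Mapping, Optional, Sequence

# The four leaf-lists of transport-params-grouping, in tree-diagram order.
CATEGORIES = ("host-key-alg", "key-exchange-alg", "encryption-alg", "mac-alg")

# Client side: the identities from the Section 2.2 example, verbatim.
CLIENT_PARAMS: Dict[str, List[str]] = {
    "host-key-alg": ["sshpka:x509v3-rsa2048-sha256", "sshpka:ssh-rsa"],
    "key-exchange-alg": ["sshkea:diffie-hellman-group-exchange-sha256"],
    "encryption-alg": ["sshea:aes256-ctr", "sshea:aes192-ctr", "sshea:aes128-ctr",
                       "sshea:aes256-cbc", "sshea:aes192-cbc", "sshea:aes128-cbc"],
    "mac-alg": ["sshma:hmac-sha2-256", "sshma:hmac-sha2-512"],
}

# Server side: a constructed configuration (assumption, not from the draft).
# Its own preference order deliberately differs from the client's.
SERVER_PARAMS: Dict[str, List[str]] = {
    "host-key-alg": ["sshpka:ssh-ed25519", "sshpka:ssh-rsa"],
    "key-exchange-alg": ["sshkea:curve25519-sha256",
                         "sshkea:diffie-hellman-group-exchange-sha256"],
    "encryption-alg": ["sshea:aes128-ctr", "sshea:aes256-ctr"],
    "mac-alg": ["sshma:hmac-sha2-512", "sshma:hmac-sha2-256"],
}


class NegotiationError(ValueError):
    """No algorithm common to both lists for some category."""


def check_leaf_list(values: Sequence[str], category: str) -> None:
    """A config leaf-list holds unique values; a repeated identity is a
    configuration error rather than a stronger preference."""
    if len(set(values)) != len(values):
        raise ValueError(f"{category}: duplicate identity in leaf-list")


def negotiate(client: Mapping[str, Sequence[str]],
              server: Mapping[str, Sequence[str]],
              implementation_default: Optional[Mapping[str, Sequence[str]]] = None
              ) -> Dict[str, str]:
    """Return the algorithm selected for each category.

    A side whose leaf-list is unconfigured (empty) uses the
    implementation-defined list for that category; the draft leaves that
    list to the implementation, so here it is supplied by the caller."""
    defaults = implementation_default or {}
    chosen: Dict[str, str] = {}
    for cat in CATEGORIES:
        client_list = list(client.get(cat) or defaults.get(cat, []))
        server_list = list(server.get(cat) or defaults.get(cat, []))
        check_leaf_list(client_list, cat)
        check_leaf_list(server_list, cat)
        offered = set(server_list)
        # The client's order decides; the server's own ordering is
        # irrelevant once a candidate is in its list at all.
        match = next((alg for alg in client_list if alg in offered), None)
        if match is None:
            raise NegotiationError(f"{cat}: no algorithm common to client and server")
        chosen[cat] = match
    return chosen


def negotiate_example() -> Dict[str, str]:
    """The Section 2.2 client against the constructed server."""
    return negotiate(CLIENT_PARAMS, SERVER_PARAMS)


def negotiate_with_unconfigured_host_key() -> str:
    """Client leaves host-key-alg unconfigured; the fallback list applies."""
    client = dict(CLIENT_PARAMS, **{"host-key-alg": []})
    fallback = {"host-key-alg": ["sshpka:ssh-ed25519"]}
    return negotiate(client, SERVER_PARAMS, fallback)["host-key-alg"]


if __name__ == "__main__":
    for category, alg in negotiate_example().items():
        print(f"{category:18} -> {alg}")
```

   Note that the server's preference for hmac-sha2-512 does not matter:
   the client lists hmac-sha2-256 first and the server accepts it, so
   that is what the session uses. Restricting a server to a policy
   therefore means removing algorithms from its list, not reordering
   them.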
   <CODE BEGINS> file "ietf-ssh-common@2022-05-24.yang"

   module ietf-ssh-common {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
     prefix sshcmn;

     import iana-ssh-encryption-algs {
       prefix sshea;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import iana-ssh-key-exchange-algs {
       prefix sshkea;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import iana-ssh-mac-algs {
       prefix sshma;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import iana-ssh-public-key-algs {
       prefix sshpka;
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     import ietf-crypto-types {
       prefix ct;
       reference
         "RFC AAAA: YANG Data Types and Groupings for Cryptography";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC CCCC: A YANG Data Model for a Keystore";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   https://datatracker.ietf.org/wg/netconf
        WG List:  NETCONF WG list
        Author:   Kent Watsen
        Author:   Gary Wu";

     description
       "This module defines common features and groupings for
        Secure Shell (SSH).

        Copyright (c) 2022 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Revised
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2022-05-24 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Features

     feature ssh-x509-certs {
       description
         "X.509v3 certificates are supported for SSH.";
       reference
         "RFC 6187: X.509v3 Certificates for Secure Shell
                    Authentication";
     }

     feature transport-params {
       description
         "SSH transport layer parameters are configurable.";
     }

     feature public-key-generation {
       description
         "Indicates that the server implements the
          'generate-public-key' RPC.";
     }

     // Groupings

     grouping transport-params-grouping {
       description
         "A reusable grouping for SSH transport parameters.";
       reference
         "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
       container host-key {
         description
           "Parameters regarding host key.";
         leaf-list host-key-alg {
           type identityref {
             base sshpka:public-key-alg-base;
           }
           ordered-by user;
           description
             "Acceptable host key algorithms in order of descending
              preference.  The configured host key algorithms should
              be compatible with the algorithm used by the configured
              private key.  Please see Section 5 of RFC EEEE for
              valid combinations.

              If this leaf-list is not configured (has zero elements)
              the acceptable host key algorithms are implementation-
              defined.";
           reference
             "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
         }
       }
       container key-exchange {
         description
           "Parameters regarding key exchange.";
         leaf-list key-exchange-alg {
           type identityref {
             base sshkea:key-exchange-alg-base;
           }
           ordered-by user;
           description
             "Acceptable key exchange algorithms in order of descending
              preference.

              If this leaf-list is not configured (has zero elements)
              the acceptable key exchange algorithms are implementation
              defined.";
         }
       }
       container encryption {
         description
           "Parameters regarding encryption.";
         leaf-list encryption-alg {
           type identityref {
             base sshea:encryption-alg-base;
           }
           ordered-by user;
           description
             "Acceptable encryption algorithms in order of descending
              preference.

              If this leaf-list is not configured (has zero elements)
              the acceptable encryption algorithms are implementation
              defined.";
         }
       }
       container mac {
         description
           "Parameters regarding message authentication code (MAC).";

         leaf-list mac-alg {
           type identityref {
             base sshma:mac-alg-base;
           }
           ordered-by user;
           description
             "Acceptable MAC algorithms in order of descending
              preference.

              If this leaf-list is not configured (has zero elements)
              the acceptable MAC algorithms are implementation-
              defined.";
         }
       }
     }

     // Protocol-accessible Nodes

     rpc generate-public-key {
       if-feature "public-key-generation";
       description
         "Requests the device to generate a public key using
          the specified key algorithm.";
       input {
         leaf algorithm {
           type sshpka:public-key-algorithm-ref;
           mandatory true;
           description
             "The algorithm to be used when generating the key.";
         }
         leaf bits {
           type uint16;
           description
             "Specifies the number of bits in the key to create.
              For RSA keys, the minimum size is 1024 bits and
              the default is 3072 bits. Generally, 3072 bits is
              considered sufficient. DSA keys must be exactly 1024
              bits as specified by FIPS 186-2. For ECDSA keys, the
              'bits' value determines the key length by selecting
              from one of three elliptic curve sizes: 256, 384 or
              521 bits. Attempting to use bit lengths other than
              these three values for ECDSA keys will fail. ECDSA-SK,
              Ed25519 and Ed25519-SK keys have a fixed length and
              the 'bits' value, if specified, will be ignored.";
         }
         choice private-key-encoding {
           default cleartext;
           description
             "A choice amongst optional private key handling.";
           case cleartext {
             leaf cleartext {
               type empty;
               description
                 "Indicates that the private key is to be returned
                  as a cleartext value.";
             }
           }
           case encrypt {
             if-feature "ct:private-key-encryption";
             container encrypt-with {
               description
                 "Indicates that the key is to be encrypted using
                  the specified symmetric or asymmetric key.";
               uses ks:encrypted-by-choice-grouping;
             }
           }
           case hide {
             if-feature "ct:hidden-keys";
             leaf hide {
               type empty;
               description
                 "Indicates that the private key is to be hidden.
                    Unlike the 'cleartext' and 'encrypt' options, the
                    key returned is a placeholder for an internally
                    stored key.  See the 'Support for Built-in Keys'
                    section in RFC CCCC for information about hidden
                    keys.";
                }
              }
            }
          }
          output {
            uses ct:asymmetric-key-pair-grouping;
          }
        } // end generate-public-key

   }

3.  The "ietf-ssh-client" Module

   This section defines a YANG 1.1 [RFC7950] module called
   "ietf-ssh-client".  A high-level overview of the module is provided
   in Section 3.1.  Examples illustrating the module's use are provided
   in Section 3.2.  The YANG module itself is defined in Section 3.3.

3.1.  Data Model Overview

   This section provides an overview of the "ietf-ssh-client" module in
   terms of its features and groupings.

3.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-ssh-client" module:

   Features:
     +-- ssh-client-keepalives
     +-- client-ident-password
     +-- client-ident-publickey
     +-- client-ident-hostbased
     +-- client-ident-none

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

3.1.2.  Groupings

   The "ietf-ssh-client" module defines the following "grouping"
   statement:

   *  ssh-client-grouping

   This grouping is presented in the following subsection.

3.1.2.1.  The "ssh-client-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the
   "ssh-client-grouping" grouping:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   grouping ssh-client-grouping:
     +-- client-identity
     |  +-- username?                           string
     |  +-- public-key! {client-ident-publickey}?
     |  |  +---u ks:local-or-keystore-asymmetric-key-grouping
     |  +-- password! {client-ident-password}?
     |  |  +---u ct:password-grouping
     |  +-- hostbased! {client-ident-hostbased}?
     |  |  +---u ks:local-or-keystore-asymmetric-key-grouping
     |  +-- none?                               empty {client-ident-none}?
     |  +-- certificate! {sshcmn:ssh-x509-certs}?
     |     +---u ks:local-or-keystore-end-entity-cert-with-key-groupi\
   ng
     +-- server-authentication
     |  +-- ssh-host-keys!
     |  |  +---u ts:local-or-truststore-public-keys-grouping
     |  +-- ca-certs! {sshcmn:ssh-x509-certs}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- ee-certs! {sshcmn:ssh-x509-certs}?
     |     +---u ts:local-or-truststore-certs-grouping
     +-- transport-params {sshcmn:transport-params}?
     |  +---u sshcmn:transport-params-grouping
     +-- keepalives! {ssh-client-keepalives}?
        +-- max-wait?      uint16
        +-- max-attempts?  uint8

   Comments:

   *  The "client-identity" node configures a "username" and
      authentication methods, each enabled by a "feature" statement
      defined in Section 3.1.1.

   *  The "server-authentication" node configures trust anchors for
      authenticating the SSH server, with each option enabled by a
      "feature" statement.

   *  The "transport-params" node, which must be enabled by a feature,
      configures parameters for the SSH sessions established by this
      configuration.

   *  The "keepalives" node, which must be enabled by a feature,
      configures a "presence" container for testing the aliveness of
      the SSH server.  The aliveness test occurs at the SSH protocol
      layer.

   *  For the referenced grouping statement(s):

      -  The "local-or-keystore-asymmetric-key-grouping" grouping is
         discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore].

      -  The "local-or-keystore-end-entity-cert-with-key-grouping"
         grouping is discussed in Section 2.1.3.6 of
         [I-D.ietf-netconf-keystore].

      -  The "local-or-truststore-public-keys-grouping" grouping is
         discussed in Section 2.1.3.2 of
         [I-D.ietf-netconf-trust-anchors].

      -  The "local-or-truststore-certs-grouping" grouping is discussed
         in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors].

      -  The "transport-params-grouping" grouping is discussed in
         Section 2.1.2.1 of this document.

3.1.3.  Protocol-accessible Nodes

   The "ietf-ssh-client" module defines only "grouping" statements that
   are used by other modules to instantiate protocol-accessible nodes.

3.2.  Example Usage

   This section presents two examples showing the "ssh-client-grouping"
   grouping populated with some data.  These examples are effectively
   the same except that the first configures the client identity using
   a local key while the second uses a key configured in a keystore.
   Both examples are consistent with the examples presented in
   Section 2 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   The following configuration example uses local definitions for the
   client identity and server authentication:

   [The XML markup of this example did not survive extraction; only the
   element values remain.  They configure: username "foobar"; a local
   key pair in "ct:ssh-public-key-format" / "ct:rsa-private-key-format"
   with "BASE64VALUE=" placeholders for the key material; SSH host keys
   "corp-fw1" and "corp-fw2" in "ct:ssh-public-key-format"; CA
   certificates "Server Cert Issuer #1" and "Server Cert Issuer #2";
   end-entity certificates "My Application #1" and "My Application #2";
   and keepalives with max-wait 30 and max-attempts 3.]

   The following configuration example uses keystore references for the
   client identity and truststore references for server authentication:

   [The XML markup of this example did not survive extraction; only the
   element values remain.  They configure: username "foobar"; a
   keystore reference to the asymmetric key "ssh-rsa-key-with-cert" and
   its certificate "ex-rsa-cert2"; truststore references
   "trusted-ssh-public-keys", "trusted-server-ca-certs" and
   "trusted-server-ee-certs"; and keepalives with max-wait 30 and
   max-attempts 3.]
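   As an added example (not part of the draft or its YANG modules), the
   following Python checks an instance of the "ssh-client-grouping" the
   way the module in Section 3.3 constrains it: the "if-feature" gates,
   the "must 'ssh-host-keys or ca-certs or ee-certs'" on
   server-authentication, the "public-key-format" refinements, and the
   keepalive "range".  The dict layout follows the refine paths in the
   module; the list-key and leaf names beyond those, the feature set,
   and the sample values (modelled on the first example above) are
   assumptions constructed for this example.

```python
"""Constraint checks for an 'ssh-client-grouping' instance (added
example, not part of the draft).  The instance is a JSON-style dict
using the node names from the tree diagram in Section 3.1.2.1; the
checks mirror the 'if-feature', 'must' and 'range' statements of the
module in Section 3.3.  Feature set and sample data are constructed."""

SSH_PUBKEY_FMT = "ct:ssh-public-key-format"
SPKI_FMT = "ct:subject-public-key-info-format"

# client-identity method -> feature that must be enabled for it.
METHOD_FEATURE = {
    "public-key": "client-ident-publickey",
    "password": "client-ident-password",
    "hostbased": "client-ident-hostbased",
    "none": "client-ident-none",
    "certificate": "sshcmn:ssh-x509-certs",
}


def _local_formats(node):
    """public-key-format values of a local-definition; [] for a
    keystore/truststore reference, whose deref() 'must' needs the
    referenced datastore and is not evaluated here."""
    local = node.get("local-definition")
    if local is None:
        return []
    entries = local.get("public-key")
    if isinstance(entries, list):            # truststore-style key bag
        return [e.get("public-key-format") for e in entries]
    return [local.get("public-key-format")]  # single asymmetric key pair


def validate_ssh_client(cfg, features):
    """Return the list of violated constraints (empty when valid)."""
    errors = []
    ident = cfg.get("client-identity", {})
    for method, feature in METHOD_FEATURE.items():
        if method in ident and feature not in features:
            errors.append(f"client-identity/{method} requires feature "
                          f"{feature}")
    # publickey/hostbased keys must be SSH public keys; an X.509 client
    # certificate must carry a SubjectPublicKeyInfo (refine/must).
    for method, want in (("public-key", SSH_PUBKEY_FMT),
                         ("hostbased", SSH_PUBKEY_FMT),
                         ("certificate", SPKI_FMT)):
        for fmt in _local_formats(ident.get(method, {})):
            if fmt != want:
                errors.append(f"client-identity/{method}: "
                              f"public-key-format {fmt!r} != {want!r}")
    auth = cfg.get("server-authentication", {})
    # must 'ssh-host-keys or ca-certs or ee-certs'
    if not any(k in auth for k in ("ssh-host-keys", "ca-certs", "ee-certs")):
        errors.append("server-authentication: need ssh-host-keys, "
                      "ca-certs or ee-certs")
    for k in ("ca-certs", "ee-certs"):
        if k in auth and "sshcmn:ssh-x509-certs" not in features:
            errors.append(f"server-authentication/{k} requires feature "
                          "sshcmn:ssh-x509-certs")
    for fmt in _local_formats(auth.get("ssh-host-keys", {})):
        if fmt != SSH_PUBKEY_FMT:
            errors.append("server-authentication/ssh-host-keys: "
                          f"public-key-format {fmt!r} != {SSH_PUBKEY_FMT!r}")
    ka = cfg.get("keepalives")                   # presence container
    if ka is not None:
        if "ssh-client-keepalives" not in features:
            errors.append("keepalives requires feature ssh-client-keepalives")
        max_wait = ka.get("max-wait", 30)        # uint16, range "1..max"
        max_attempts = ka.get("max-attempts", 3)  # uint8
        if not 1 <= max_wait <= 65535:
            errors.append(f"keepalives/max-wait {max_wait} outside 1..65535")
        if not 0 <= max_attempts <= 255:
            errors.append(f"keepalives/max-attempts {max_attempts} not uint8")
    return errors


def keepalive_drop_after(cfg):
    """Seconds after which an unresponsive server is dropped (about
    max-wait * max-attempts); None when keepalives are not configured."""
    ka = cfg.get("keepalives")
    if ka is None:
        return None
    return ka.get("max-wait", 30) * ka.get("max-attempts", 3)


# Constructed sample following the first example in Section 3.2;
# "BASE64VALUE=" stands in for real key material.
SAMPLE_FEATURES = {"client-ident-publickey", "sshcmn:ssh-x509-certs",
                   "ssh-client-keepalives"}
SAMPLE_CONFIG = {
    "client-identity": {
        "username": "foobar",
        "public-key": {"local-definition": {
            "public-key-format": SSH_PUBKEY_FMT}},
    },
    "server-authentication": {
        "ssh-host-keys": {"local-definition": {"public-key": [
            {"name": "corp-fw1", "public-key-format": SSH_PUBKEY_FMT},
            {"name": "corp-fw2", "public-key-format": SSH_PUBKEY_FMT}]}},
    },
    "keepalives": {"max-wait": 30, "max-attempts": 3},
}
```

   The second example in this section (keystore and truststore
   references) passes the same checks with no format findings, since the
   deref()-based "must" expressions can only be evaluated against the
   referenced keystore and truststore.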
3.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].

   file "ietf-ssh-client@2022-05-24.yang"

   module ietf-ssh-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
     prefix sshc;

     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     import ietf-crypto-types {
       prefix ct;
       reference
         "RFC AAAA: YANG Data Types and Groupings for Cryptography";
     }

     import ietf-truststore {
       prefix ts;
       reference
         "RFC BBBB: A YANG Data Model for a Truststore";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC CCCC: A YANG Data Model for a Keystore";
     }

     import ietf-ssh-common {
       prefix sshcmn;
       revision-date 2022-05-24; // stable grouping definitions
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   https://datatracker.ietf.org/wg/netconf
        WG List:  NETCONF WG list
        Author:   Kent Watsen
        Author:   Gary Wu";

     description
       "This module defines reusable groupings for SSH clients that
        can be used as a basis for specific SSH client instances.

        Copyright (c) 2022 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Revised
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2022-05-24 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Features

     feature ssh-client-keepalives {
       description
         "Per socket SSH keepalive parameters are configurable for
          SSH clients on the server implementing this feature.";
     }

     feature client-ident-publickey {
       description
         "Indicates that the 'publickey' authentication type, per
          RFC 4252, is supported for client identification.

          The 'publickey' authentication type is required by
          RFC 4252, but common implementations enable it to
          be disabled.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     feature client-ident-password {
       description
         "Indicates that the 'password' authentication type, per
          RFC 4252, is supported for client identification.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     feature client-ident-hostbased {
       description
         "Indicates that the 'hostbased' authentication type, per
          RFC 4252, is supported for client identification.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     feature client-ident-none {
       description
         "Indicates that the 'none' authentication type, per
          RFC 4252, is supported for client identification.";
       reference
         "RFC 4252:
            The Secure Shell (SSH) Authentication Protocol";
     }

     // Groupings

     grouping ssh-client-grouping {
       description
         "A reusable grouping for configuring an SSH client without
          any consideration for how an underlying TCP session is
          established.

          Note that this grouping uses fairly typical descendant
          node names such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue (e.g., by wrapping
          the 'uses' statement in a container called
          'ssh-client-parameters').  This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

       container client-identity {
         nacm:default-deny-write;
         description
           "The username and authentication methods for the client.
            The authentication methods are unordered.  Clients may
            initially send any configured method or, per RFC 4252,
            Section 5.2, send the 'none' method to prompt the server
            to provide a list of productive methods.  Whenever a
            choice amongst methods arises, implementations SHOULD
            use a default ordering that prioritizes automation
            over human interaction.";
         leaf username {
           type string;
           description
             "The username of this user.  This will be the username
              used, for instance, to log into an SSH server.";
         }
         container public-key {
           if-feature "client-ident-publickey";
           presence
             "Indicates that publickey-based authentication has been
              configured.  This statement is present so the mandatory
              descendant nodes do not imply that this node must be
              configured.";
           description
             "A locally-defined or referenced asymmetric key
              pair to be used for client identification.";
           reference
             "RFC CCCC: A YANG Data Model for a Keystore";
           uses ks:local-or-keystore-asymmetric-key-grouping {
             refine "local-or-keystore/local/local-definition" {
               must 'public-key-format = "ct:ssh-public-key-format"';
             }
             refine "local-or-keystore/keystore/keystore-reference" {
               must 'deref(.)/../ks:public-key-format'
                  + ' = "ct:ssh-public-key-format"';
             }
           }
         }
         container password {
           if-feature "client-ident-password";
           presence
             "Indicates that password-based authentication has been
              configured.  This statement is present so the mandatory
              descendant nodes do not imply that this node must be
              configured.";
           description
             "A password to be used to authenticate the client's
              identity.";
           uses ct:password-grouping;
         }
         container hostbased {
           if-feature "client-ident-hostbased";
           presence
             "Indicates that hostbased authentication is configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A locally-defined or referenced asymmetric key
              pair to be used for host identification.";
           reference
             "RFC CCCC: A YANG Data Model for a Keystore";
           uses ks:local-or-keystore-asymmetric-key-grouping {
             refine "local-or-keystore/local/local-definition" {
               must 'public-key-format = "ct:ssh-public-key-format"';
             }
             refine "local-or-keystore/keystore/keystore-reference" {
               must 'deref(.)/../ks:public-key-format'
                  + ' = "ct:ssh-public-key-format"';
             }
           }
         }
         leaf none {
           if-feature "client-ident-none";
           type empty;
           description
             "Indicates that the 'none' algorithm is used for client
              identification.";
         }
         container certificate {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that certificate-based authentication has been
              configured.  This statement is present so the mandatory
              descendant nodes do not imply that this node must be
              configured.";
           description
             "A locally-defined or referenced certificate
              to be used for client identification.";
           reference
             "RFC CCCC: A YANG Data Model for a Keystore";
           uses ks:local-or-keystore-end-entity-cert-with-key-grouping {
             refine "local-or-keystore/local/local-definition" {
               must 'public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
             refine "local-or-keystore/keystore/keystore-reference"
                  + "/asymmetric-key" {
               must 'deref(.)/../ks:public-key-format'
                  + ' = "ct:subject-public-key-info-format"';
             }
           }
         }
       } // container client-identity

       container server-authentication {
         nacm:default-deny-write;
         must 'ssh-host-keys or ca-certs or ee-certs';
         description
           "Specifies how the SSH client can authenticate SSH servers.
            Any combination of authentication methods is additive and
            unordered.";
         container ssh-host-keys {
           presence
             "Indicates that SSH host keys have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A bag of SSH host keys used by the SSH client to
              authenticate SSH server host keys.  A server host key
              is authenticated if it is an exact match to a
              configured SSH host key.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-public-keys-grouping {
             refine
               "local-or-truststore/local/local-definition/public-key" {
               must 'public-key-format = "ct:ssh-public-key-format"';
             }
             refine
               "local-or-truststore/truststore/truststore-reference" {
               must 'deref(.)/../*/ts:public-key-format'
                  + ' = "ct:ssh-public-key-format"';
             }
           }
         }
         container ca-certs {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that the CA certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of certificate authority (CA) certificates used by
              the SSH client to authenticate SSH servers.  A server
              is authenticated if its certificate has a valid chain
              of trust to a configured CA certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
         container ee-certs {
           if-feature "sshcmn:ssh-x509-certs";
           presence
             "Indicates that the EE certificates have been configured.
              This statement is present so the mandatory descendant
              nodes do not imply that this node must be configured.";
           description
             "A set of end-entity certificates used by the SSH client
              to authenticate SSH servers.  A server is authenticated
              if its certificate is an exact match to a configured
              end-entity certificate.";
           reference
             "RFC BBBB: A YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
       } // container server-authentication

       container transport-params {
         nacm:default-deny-write;
         if-feature "sshcmn:transport-params";
         description
           "Configurable parameters of the SSH transport layer.";
         uses sshcmn:transport-params-grouping;
       } // container transport-params

       container keepalives {
         nacm:default-deny-write;
         if-feature "ssh-client-keepalives";
         presence
           "Indicates that the SSH client proactively tests the
            aliveness of the remote SSH server.";
         description
           "Configures the keep-alive policy, to proactively test
            the aliveness of the SSH server.  An unresponsive SSH
            server is dropped after approximately max-wait *
            max-attempts seconds.  Per Section 4 of RFC 4254,
            the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST
            message with a purposely nonexistent 'request name'
            value (e.g., keepalive@ietf.org) and the 'want reply'
            value set to '1'.";
         reference
           "RFC 4254: The Secure Shell (SSH) Connection Protocol";
         leaf max-wait {
           type uint16 {
             range "1..max";
           }
           units "seconds";
           default "30";
           description
             "Sets the amount of time in seconds after which, if
              no data has been received from the SSH server, an
              SSH-level message will be sent to test the
              aliveness of the SSH server.";
         }
         leaf max-attempts {
           type uint8;
           default "3";
           description
             "Sets the maximum number of sequential keep-alive
              messages that can fail to obtain a response from
              the SSH server before assuming the SSH server is
              no longer alive.";
         }
       } // container keepalives
     } // grouping ssh-client-grouping

   }

4.  The "ietf-ssh-server" Module

   This section defines a YANG 1.1 module called "ietf-ssh-server".  A
   high-level overview of the module is provided in Section 4.1.
   Examples illustrating the module's use are provided in Section 4.2.
   The YANG module itself is defined in Section 4.3.

4.1.  Data Model Overview

   This section provides an overview of the "ietf-ssh-server" module in
   terms of its features and groupings.

4.1.1.  Features

   The following diagram lists all the "feature" statements defined in
   the "ietf-ssh-server" module:

   Features:
     +-- ssh-server-keepalives
     +-- local-users-supported
     +-- local-user-auth-publickey {local-users-supported}?
     +-- local-user-auth-password {local-users-supported}?
     +-- local-user-auth-hostbased {local-users-supported}?
     +-- local-user-auth-none {local-users-supported}?

      |  The diagram above uses syntax that is similar to but not
      |  defined in [RFC8340].

4.1.2.  Groupings

   The "ietf-ssh-server" module defines the following "grouping"
   statement:

   *  ssh-server-grouping

   This grouping is presented in the following subsection.

4.1.2.1.  The "ssh-server-grouping" Grouping

   The following tree diagram [RFC8340] illustrates the
   "ssh-server-grouping" grouping:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   grouping ssh-server-grouping:
     +-- server-identity
     |  +-- host-key* [name]
     |     +-- name?                           string
     |     +-- (host-key-type)
     |        +--:(public-key)
     |        |  +-- public-key
     |        |     +---u ks:local-or-keystore-asymmetric-key-grouping
     |        +--:(certificate)
     |           +-- certificate {sshcmn:ssh-x509-certs}?
     |              +---u ks:local-or-keystore-end-entity-cert-with-k\
   ey-grouping
     +-- client-authentication
     |  +-- users {local-users-supported}?
     |  |  +-- user* [name]
     |  |     +-- name?              string
     |  |     +-- public-keys! {local-user-auth-publickey}?
     |  |     |  +---u ts:local-or-truststore-public-keys-grouping
     |  |     +-- password?          ianach:crypt-hash
     |  |     |          {local-user-auth-password}?
     |  |     +-- hostbased! {local-user-auth-hostbased}?
     |  |     |  +---u ts:local-or-truststore-public-keys-grouping
     |  |     +-- none?              empty {local-user-auth-none}?
     |  +-- ca-certs! {sshcmn:ssh-x509-certs}?
     |  |  +---u ts:local-or-truststore-certs-grouping
     |  +-- ee-certs! {sshcmn:ssh-x509-certs}?
     |     +---u ts:local-or-truststore-certs-grouping
     +-- transport-params {sshcmn:transport-params}?
     |  +---u sshcmn:transport-params-grouping
     +-- keepalives! {ssh-server-keepalives}?
        +-- max-wait?      uint16
        +-- max-attempts?  uint8

   Comments:

   *  The "server-identity" node configures the authentication methods
      the server can use to identify itself to clients.  The ability to
      use a certificate is enabled by a "feature".

   *  The "client-authentication" node configures trust anchors for
      authenticating the SSH client, with each option enabled by a
      "feature" statement.

   *  The "transport-params" node, which must be enabled by a feature,
      configures parameters for the SSH sessions established by this
      configuration.

   *  The "keepalives" node, which must be enabled by a feature,
      configures a "presence" container for testing the aliveness of
      the SSH client.  The aliveness test occurs at the SSH protocol
      layer.

   *  For the referenced grouping statement(s):

      -  The "local-or-keystore-asymmetric-key-grouping" grouping is
         discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore].

      -  The "local-or-keystore-end-entity-cert-with-key-grouping"
         grouping is discussed in Section 2.1.3.6 of
         [I-D.ietf-netconf-keystore].

      -  The "local-or-truststore-public-keys-grouping" grouping is
         discussed in Section 2.1.3.2 of
         [I-D.ietf-netconf-trust-anchors].
1492 - The "local-or-truststore-certs-grouping" grouping is discussed 1493 in Section 2.1.3.1 of [I-D.ietf-netconf-trust-anchors]. 1494 - The "transport-params-grouping" grouping is discussed in 1495 Section 2.1.2.1 in this document. 1497 4.1.3. Protocol-accessible Nodes 1499 The "ietf-ssh-server" module defines only "grouping" statements that 1500 are used by other modules to instantiate protocol-accessible nodes. 1502 4.2. Example Usage 1504 This section presents two examples showing the "ssh-server-grouping" 1505 grouping populated with some data. These examples are effectively 1506 the same except the first configures the server identity using a 1507 local key while the second uses a key configured in a keystore. Both 1508 examples are consistent with the examples presented in Section 2 of 1509 [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 1510 [I-D.ietf-netconf-keystore]. 1512 The following configuration example uses local-definitions for the 1513 server identity and client authentication: 1515 =============== NOTE: '\' line wrapping per RFC 8792 ================ 1517 1518 1520 1524 1525 1526 1527 my-pubkey-based-host-key 1528 1529 1530 ct:ssh-public-key-format 1532 BASE64VALUE= 1533 ct:rsa-private-key-format 1535 BASE64VALUE= 1536 1537 1538 1539 1540 my-cert-based-host-key 1541 1542 1543 ct:subject-public-key-info-format 1545 BASE64VALUE= 1546 ct:rsa-private-key-format 1548 BASE64VALUE= 1549 BASE64VALUE= 1550 1551 1552 1553 1555 1556 1557 1558 1559 mary 1560 $0$secret 1561 1562 1563 1564 User A 1565 ct:ssh-public-key-format 1567 BASE64VALUE= 1568 1569 1570 User B 1571 ct:ssh-public-key-format 1573 BASE64VALUE= 1575 1576 1577 1578 1579 1580 1581 1582 1583 Identity Cert Issuer #1 1584 BASE64VALUE= 1585 1586 1587 Identity Cert Issuer #2 1588 BASE64VALUE= 1589 1590 1591 1592 1593 1594 1595 Application #1 1596 BASE64VALUE= 1597 1598 1599 Application #2 1600 BASE64VALUE= 1601 1602 1603 1604 1606 1607 30 1608 3 1609 1611 1613 The following configuration 
example uses keystore-references for the 1614 server identity and truststore-references for client authentication: 1615 from the keystore: 1617 =============== NOTE: '\' line wrapping per RFC 8792 ================ 1619 1620 1622 1625 1626 1627 1628 my-pubkey-based-host-key 1629 1630 ssh-rsa-key 1631 1632 1633 1634 my-cert-based-host-key 1635 1636 1637 ssh-rsa-key-with-cert 1638 ex-rsa-cert2 1639 1640 1641 1642 1644 1645 1646 1647 1648 mary 1649 $0$secret 1650 1651 SSH Public Keys for Application A 1653 1654 1655 1656 1657 trusted-client-ca-certs 1659 1660 1661 trusted-client-ee-certs 1663 1664 1666 1667 30 1668 3 1669 1671 1673 4.3. YANG Module 1675 This YANG module has normative references to 1676 [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore] and 1677 informative references to [RFC4253] and [RFC7317]. 1679 file "ietf-ssh-server@2022-05-24.yang" 1681 module ietf-ssh-server { 1682 yang-version 1.1; 1683 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; 1684 prefix sshs; 1686 import iana-crypt-hash { 1687 prefix ianach; 1688 reference 1689 "RFC 7317: A YANG Data Model for System Management"; 1690 } 1692 import ietf-netconf-acm { 1693 prefix nacm; 1694 reference 1695 "RFC 8341: Network Configuration Access Control Model"; 1696 } 1698 import ietf-crypto-types { 1699 prefix ct; 1700 reference 1701 "RFC AAAA: YANG Data Types and Groupings for Cryptography"; 1702 } 1704 import ietf-truststore { 1705 prefix ts; 1706 reference 1707 "RFC BBBB: A YANG Data Model for a Truststore"; 1708 } 1710 import ietf-keystore { 1711 prefix ks; 1712 reference 1713 "RFC CCCC: A YANG Data Model for a Keystore"; 1714 } 1716 import ietf-ssh-common { 1717 prefix sshcmn; 1718 revision-date 2022-05-24; // stable grouping definitions 1719 reference 1720 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; 1721 } 1723 organization 1724 "IETF NETCONF (Network Configuration) Working Group"; 1726 contact 1727 "WG Web: https://datatracker.ietf.org/wg/netconf 1728 WG 
List: NETCONF WG list 1729 Author: Kent Watsen 1730 Author: Gary Wu "; 1732 description 1733 "This module defines reusable groupings for SSH servers that 1734 can be used as a basis for specific SSH server instances. 1736 Copyright (c) 2022 IETF Trust and the persons identified 1737 as authors of the code. All rights reserved. 1739 Redistribution and use in source and binary forms, with 1740 or without modification, is permitted pursuant to, and 1741 subject to the license terms contained in, the Revised 1742 BSD License set forth in Section 4.c of the IETF Trust's 1743 Legal Provisions Relating to IETF Documents 1744 (https://trustee.ietf.org/license-info). 1746 This version of this YANG module is part of RFC EEEE 1747 (https://www.rfc-editor.org/info/rfcEEEE); see the RFC 1748 itself for full legal notices. 1750 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1751 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1752 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 1753 are to be interpreted as described in BCP 14 (RFC 2119) 1754 (RFC 8174) when, and only when, they appear in all 1755 capitals, as shown here."; 1757 revision 2022-05-24 { 1758 description 1759 "Initial version"; 1760 reference 1761 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; 1762 } 1764 // Features 1766 feature ssh-server-keepalives { 1767 description 1768 "Per socket SSH keepalive parameters are configurable for 1769 SSH servers on the server implementing this feature."; 1770 } 1772 feature local-users-supported { 1773 description 1774 "Indicates that the configuration for users can be 1775 configured herein, as opposed to in an application 1776 specific location."; 1777 } 1779 feature local-user-auth-publickey { 1780 if-feature "local-users-supported"; 1781 description 1782 "Indicates that the 'publickey' authentication type, 1783 per RFC 4252, is supported for locally-defined users. 
1785 The 'publickey' authentication type is required by 1786 RFC 4252, but common implementations enable it to 1787 be disabled."; 1788 reference 1789 "RFC 4252: 1790 The Secure Shell (SSH) Authentication Protocol"; 1791 } 1793 feature local-user-auth-password { 1794 if-feature "local-users-supported"; 1795 description 1796 "Indicates that the 'password' authentication type, 1797 per RFC 4252, is supported for locally-defined users."; 1798 reference 1799 "RFC 4252: 1800 The Secure Shell (SSH) Authentication Protocol"; 1801 } 1803 feature local-user-auth-hostbased { 1804 if-feature "local-users-supported"; 1805 description 1806 "Indicates that the 'hostbased' authentication type, 1807 per RFC 4252, is supported for locally-defined users."; 1808 reference 1809 "RFC 4252: 1810 The Secure Shell (SSH) Authentication Protocol"; 1811 } 1813 feature local-user-auth-none { 1814 if-feature "local-users-supported"; 1815 description 1816 "Indicates that the 'none' authentication type, per 1817 RFC 4252, is supported. It is NOT RECOMMENDED to 1818 enable this feature."; 1819 reference 1820 "RFC 4252: 1821 The Secure Shell (SSH) Authentication Protocol"; 1822 } 1824 // Groupings 1826 grouping ssh-server-grouping { 1827 description 1828 "A reusable grouping for configuring a SSH server without 1829 any consideration for how underlying TCP sessions are 1830 established. 1832 Note that this grouping uses fairly typical descendant 1833 node names such that a stack of 'uses' statements will 1834 have name conflicts. It is intended that the consuming 1835 data model will resolve the issue (e.g., by wrapping 1836 the 'uses' statement in a container called 1837 'ssh-server-parameters'). 
This model purposely does 1838 not do this itself so as to provide maximum flexibility 1839 to consuming models."; 1841 container server-identity { 1842 nacm:default-deny-write; 1843 description 1844 "The list of host keys the SSH server will present when 1845 establishing a SSH connection."; 1846 list host-key { 1847 key "name"; 1848 min-elements 1; 1849 ordered-by user; 1850 description 1851 "An ordered list of host keys the SSH server will use to 1852 construct its ordered list of algorithms, when sending 1853 its SSH_MSG_KEXINIT message, as defined in Section 7.1 1854 of RFC 4253."; 1855 reference 1856 "RFC 4253: The Secure Shell (SSH) Transport Layer 1857 Protocol"; 1858 leaf name { 1859 type string; 1860 description 1861 "An arbitrary name for this host key"; 1862 } 1863 choice host-key-type { 1864 mandatory true; 1865 description 1866 "The type of host key being specified"; 1867 container public-key { 1868 description 1869 "A locally-defined or referenced asymmetric key pair 1870 to be used for the SSH server's host key."; 1871 reference 1872 "RFC CCCC: A YANG Data Model for a Keystore"; 1873 uses ks:local-or-keystore-asymmetric-key-grouping { 1874 refine "local-or-keystore/local/local-definition" { 1875 must 1876 'public-key-format = "ct:ssh-public-key-format"'; 1877 } 1878 refine "local-or-keystore/keystore/" 1879 + "keystore-reference" { 1880 must 'deref(.)/../ks:public-key-format' 1881 + ' = "ct:ssh-public-key-format"'; 1882 } 1883 } 1884 } 1885 container certificate { 1886 if-feature "sshcmn:ssh-x509-certs"; 1887 description 1888 "A locally-defined or referenced end-entity 1889 certificate to be used for the SSH server's 1890 host key."; 1891 reference 1892 "RFC CCCC: A YANG Data Model for a Keystore"; 1893 uses 1894 ks:local-or-keystore-end-entity-cert-with-key-grouping { 1895 refine "local-or-keystore/local/local-definition" { 1896 must 'public-key-format' 1897 + ' = "ct:subject-public-key-info-format"'; 1898 } 1899 refine 
"local-or-keystore/keystore/keystore-reference" 1900 + "/asymmetric-key" { 1901 must 'deref(.)/../ks:public-key-format' 1902 + ' = "ct:subject-public-key-info-format"'; 1903 } 1904 } 1905 } 1906 } 1907 } 1908 } // container server-identity 1910 container client-authentication { 1911 nacm:default-deny-write; 1912 description 1913 "Specifies how the SSH server can authenticate SSH clients."; 1914 container users { 1915 if-feature "local-users-supported"; 1916 description 1917 "A list of locally configured users."; 1918 list user { 1919 key "name"; 1920 description 1921 "A locally configured user. 1923 The server SHOULD derive the list of authentication 1924 'method names' returned to the SSH client from the 1925 descendant nodes configured herein, per Sections 1926 5.1 and 5.2 in RFC 4252. 1928 The authentication methods are unordered. Clients 1929 must authenticate to all configured methods. 1930 Whenever a choice amongst methods arises, 1931 implementations SHOULD use a default ordering 1932 that prioritizes automation over human-interaction."; 1933 leaf name { 1934 type string; 1935 description 1936 "The 'user name' for the SSH client, as defined in 1937 the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; 1938 } 1939 container public-keys { 1940 if-feature "local-user-auth-publickey"; 1941 presence 1942 "Indicates that public keys have been configured. 1943 This statement is present so the mandatory descendant 1944 nodes do not imply that this node must be 1945 configured."; 1946 description 1947 "A set of SSH public keys may be used by the SSH 1948 server to authenticate this user. 
                   A user is
                   authenticated if its public key is an exact
                   match to a configured public key.";
                reference
                  "RFC BBBB: A YANG Data Model for a Truststore";
                uses ts:local-or-truststore-public-keys-grouping {
                  refine "local-or-truststore/local/local-definition"
                       + "/public-key" {
                    must 'public-key-format'
                       + ' = "ct:ssh-public-key-format"';
                  }
                  refine "local-or-truststore/truststore/"
                       + "truststore-reference" {
                    must 'deref(.)/../*/ts:public-key-format'
                       + ' = "ct:ssh-public-key-format"';
                  }
                }
              }
              leaf password {
                if-feature "local-user-auth-password";
                type ianach:crypt-hash;
                description
                  "The password for this user.";
              }
              container hostbased {
                if-feature "local-user-auth-hostbased";
                presence
                  "Indicates that hostbased keys have been configured.
                   This statement is present so the mandatory descendant
                   nodes do not imply that this node must be
                   configured.";
                description
                  "A set of SSH host keys used by the SSH server to
                   authenticate this user's host.  A user's host is
                   authenticated if its host key is an exact match
                   to a configured host key.";
                reference
                  "RFC 4253: The Secure Shell (SSH) Transport Layer
                   RFC BBBB: A YANG Data Model for a Truststore";
                uses ts:local-or-truststore-public-keys-grouping {
                  refine "local-or-truststore/local/local-definition"
                       + "/public-key" {
                    must 'public-key-format'
                       + ' = "ct:ssh-public-key-format"';
                  }
                  refine "local-or-truststore/truststore"
                       + "/truststore-reference" {
                    must 'deref(.)/../*/ts:public-key-format'
                       + ' = "ct:ssh-public-key-format"';
                  }
                }
              }
              leaf none {
                if-feature "local-user-auth-none";
                type empty;
                description
                  "Indicates that the 'none' method is configured
                   for this user.";
                reference
                  "RFC 4252: The Secure Shell (SSH) Authentication
                             Protocol.";
              }
            }
          }
          container ca-certs {
            if-feature "sshcmn:ssh-x509-certs";
            presence
              "Indicates that CA certificates have been configured.
               This statement is present so the mandatory descendant
               nodes do not imply this node must be configured.";
            description
              "A set of certificate authority (CA) certificates used by
               the SSH server to authenticate SSH client certificates.
               A client certificate is authenticated if it has a valid
               chain of trust to a configured CA certificate.";
            reference
              "RFC BBBB: A YANG Data Model for a Truststore";
            uses ts:local-or-truststore-certs-grouping;
          }
          container ee-certs {
            if-feature "sshcmn:ssh-x509-certs";
            presence
              "Indicates that EE certificates have been configured.
               This statement is present so the mandatory descendant
               nodes do not imply this node must be configured.";
            description
              "A set of client certificates (i.e., end entity
               certificates) used by the SSH server to authenticate
               the certificates presented by SSH clients.  A client
               certificate is authenticated if it is an exact match
               to a configured end-entity certificate.";
            reference
              "RFC BBBB: A YANG Data Model for a Truststore";
            uses ts:local-or-truststore-certs-grouping;
          }
        } // container client-authentication

        container transport-params {
          nacm:default-deny-write;
          if-feature "sshcmn:transport-params";
          description
            "Configurable parameters of the SSH transport layer.";
          uses sshcmn:transport-params-grouping;
        } // container transport-params

        container keepalives {
          nacm:default-deny-write;
          if-feature "ssh-server-keepalives";
          presence
            "Indicates that the SSH server proactively tests the
             aliveness of the remote SSH client.";
          description
            "Configures the keep-alive policy, to proactively test
             the aliveness of the SSH client.  An unresponsive SSH
             client is dropped after approximately max-wait *
             max-attempts seconds.  Per Section 4 of RFC 4254,
             the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST
             message with a purposely nonexistent 'request name'
             value (e.g., keepalive@ietf.org) and the 'want reply'
             value set to '1'.";
          reference
            "RFC 4254: The Secure Shell (SSH) Connection Protocol";
          leaf max-wait {
            type uint16 {
              range "1..max";
            }
            units "seconds";
            default "30";
            description
              "Sets the amount of time in seconds after which,
               if no data has been received from the SSH client,
               an SSH-level message will be sent to test the
               aliveness of the SSH client.";
          }
          leaf max-attempts {
            type uint8;
            default "3";
            description
              "Sets the maximum number of sequential keep-alive
               messages that can fail to obtain a response from
               the SSH client before assuming the SSH client is
               no longer alive.";
          }
        }
      } // grouping ssh-server-grouping

    }

    <CODE ENDS>

5.  Security Considerations

5.1.
The "iana-ssh-key-exchange-algs" Module

   The "iana-ssh-key-exchange-algs" YANG module defines a data model
   that is designed to be accessed via YANG-based management protocols,
   such as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these
   protocols have mandatory-to-implement secure transport layers (e.g.,
   SSH, TLS) with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.

   This module does not define any writable nodes, RPCs, actions, or
   notifications, and thus the security considerations for such are not
   provided here.

5.2.  The "iana-ssh-encryption-algs" Module

   The "iana-ssh-encryption-algs" YANG module defines a data model that
   is designed to be accessed via YANG-based management protocols, such
   as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.

   This module does not define any writable nodes, RPCs, actions, or
   notifications, and thus the security considerations for such are not
   provided here.

5.3.  The "iana-ssh-mac-algs" Module

   The "iana-ssh-mac-algs" YANG module defines a data model that is
   designed to be accessed via YANG-based management protocols, such as
   NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.

   This module does not define any writable nodes, RPCs, actions, or
   notifications, and thus the security considerations for such are not
   provided here.

5.4.  The "iana-ssh-public-key-algs" Module

   The "iana-ssh-public-key-algs" YANG module defines a data model that
   is designed to be accessed via YANG-based management protocols, such
   as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   This YANG module defines YANG identities, for a public IANA-
   maintained registry, and a single protocol-accessible read-only node
   for the subset of those identities supported by a server.

   YANG identities are not security-sensitive, as they are statically
   defined in the publicly-accessible YANG module.

   The protocol-accessible read-only node for the algorithms supported
   by a server is mildly sensitive, but not to the extent that special
   NACM annotations are needed to prevent read-access to regular
   authenticated administrators.

   This module does not define any writable nodes, RPCs, actions, or
   notifications, and thus the security considerations for such are not
   provided here.

5.5.  The "ietf-ssh-common" YANG Module

   The "ietf-ssh-common" YANG module defines "grouping" statements that
   are designed to be accessed via YANG-based management protocols, such
   as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   Since this module only defines groupings, these considerations are
   primarily for the designers of other modules that use these
   groupings.

   None of the readable data nodes defined in this YANG module are
   considered sensitive or vulnerable in network environments.  The NACM
   "default-deny-all" extension has not been set for any data nodes
   defined in this module.

   None of the writable data nodes defined in this YANG module are
   considered sensitive or vulnerable in network environments.  The NACM
   "default-deny-write" extension has not been set for any data nodes
   defined in this module.

   This module does not define any RPCs, actions, or notifications, and
   thus the security considerations for such are not provided here.

5.6.  The "ietf-ssh-client" YANG Module

   The "ietf-ssh-client" YANG module defines "grouping" statements that
   are designed to be accessed via YANG-based management protocols, such
   as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   Since this module only defines groupings, these considerations are
   primarily for the designers of other modules that use these
   groupings.

   One readable data node defined in this YANG module may be considered
   sensitive or vulnerable in some network environments.  This node is
   as follows:

   *  The "client-identity/password" node:

      The cleartext "password" node defined in the "ssh-client-
      grouping" grouping is additionally sensitive to read operations
      such that, in normal use cases, it should never be returned to
      a client.  For this reason, the NACM extension "default-deny-
      all" has been applied to it.

   |  Please be aware that this module uses the "key" and "private-
   |  key" nodes from the "ietf-crypto-types" module
   |  [I-D.ietf-netconf-crypto-types], where said nodes have the NACM
   |  extension "default-deny-all" set, thus preventing unrestricted
   |  read-access to the cleartext key values.

   All the writable data nodes defined by this module may be considered
   sensitive or vulnerable in some network environments.  For instance,
   any modification to a key or reference to a key may dramatically
   alter the implemented security policy.  For this reason, the NACM
   extension "default-deny-write" has been set for all data nodes
   defined in this module.

   This module does not define any RPCs, actions, or notifications, and
   thus the security considerations for such are not provided here.

5.7.  The "ietf-ssh-server" YANG Module

   The "ietf-ssh-server" YANG module defines "grouping" statements that
   are designed to be accessed via YANG-based management protocols, such
   as NETCONF [RFC6241] and RESTCONF [RFC8040].  Both of these protocols
   have mandatory-to-implement secure transport layers (e.g., SSH, TLS)
   with mutual authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   Since this module only defines groupings, these considerations are
   primarily for the designers of other modules that use these
   groupings.

   None of the readable data nodes defined in this YANG module are
   considered sensitive or vulnerable in network environments.  The NACM
   "default-deny-all" extension has not been set for any data nodes
   defined in this module.

   |  Please be aware that this module uses the "key" and "private-
   |  key" nodes from the "ietf-crypto-types" module
   |  [I-D.ietf-netconf-crypto-types], where said nodes have the NACM
   |  extension "default-deny-all" set, thus preventing unrestricted
   |  read-access to the cleartext key values.

   All the writable data nodes defined by this module may be considered
   sensitive or vulnerable in some network environments.  For instance,
   the addition or removal of references to keys, certificates, trust
   anchors, etc., or even the modification of transport or keepalive
   parameters can dramatically alter the implemented security policy.
   For this reason, the NACM extension "default-deny-write" has been set
   for all data nodes defined in this module.

   This module does not define any RPCs, actions, or notifications, and
   thus the security considerations for such are not provided here.

6.  IANA Considerations

6.1.  The "IETF XML" Registry

   This document registers seven URIs in the "ns" subregistry of the
   IETF XML Registry [RFC3688].  Following the format in [RFC3688], the
   following registrations are requested:

      URI: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs
      Registrant Contact: IANA
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs
      Registrant Contact: IANA
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs
      Registrant Contact: IANA
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs
      Registrant Contact: IANA
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common
      Registrant Contact: The IESG
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client
      Registrant Contact: The IESG
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server
      Registrant Contact: The IESG
      XML: N/A, the requested URI is an XML namespace.

6.2.  The "YANG Module Names" Registry

   This document registers seven YANG modules in the YANG Module Names
   registry [RFC6020].  Following the format in [RFC6020], the following
   registrations are requested:

      name:      iana-ssh-key-exchange-algs
      namespace: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs
      prefix:    sshkea
      reference: RFC EEEE

      name:      iana-ssh-encryption-algs
      namespace: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs
      prefix:    sshea
      reference: RFC EEEE

      name:      iana-ssh-mac-algs
      namespace: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs
      prefix:    sshma
      reference: RFC EEEE

      name:      iana-ssh-public-key-algs
      namespace: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs
      prefix:    sshpka
      reference: RFC EEEE

      name:      ietf-ssh-common
      namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common
      prefix:    sshcmn
      reference: RFC EEEE

      name:      ietf-ssh-client
      namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client
      prefix:    sshc
      reference: RFC EEEE

      name:      ietf-ssh-server
      namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server
      prefix:    sshs
      reference: RFC EEEE

6.3.
The "iana-ssh-encryption-algs" Module

   IANA is requested to maintain a YANG module called "iana-ssh-
   encryption-algs" that shadows the "Encryption Algorithm Names" sub-
   registry of the "Secure Shell (SSH) Protocol Parameters" registry
   [IANA-ENC-ALGS].

   This registry defines a YANG identity for each encryption algorithm,
   and a "base" identity from which all of the other identities are
   derived.

   An initial version of this module can be found in Appendix A.1.

   *  Please note that this module was created on June 1st, 2021, and
      that additional entries may have been added in the interim before
      this document's publication.  If this is the case, IANA may
      either publish just an updated module containing the new entries,
      or publish the initial module as is immediately followed by a
      "revision" containing the additional algorithm names.

6.4.  The "iana-ssh-mac-algs" Module

   IANA is requested to maintain a YANG module called "iana-ssh-mac-
   algs" that shadows the "MAC Algorithm Names" sub-registry of the
   "Secure Shell (SSH) Protocol Parameters" registry [IANA-MAC-ALGS].

   This registry defines a YANG identity for each MAC algorithm, and a
   "base" identity from which all of the other identities are derived.

   An initial version of this module can be found in Appendix A.2.

   *  Please note that this module was created on June 1st, 2021, and
      that additional entries may have been added in the interim before
      this document's publication.  If this is the case, IANA may
      either publish just an updated module containing the new entries,
      or publish the initial module as is immediately followed by a
      "revision" containing the additional algorithm names.

6.5.  The "iana-ssh-public-key-algs" Module

   IANA is requested to maintain a YANG module called "iana-ssh-public-
   key-algs" that shadows the "Public Key Algorithm Names" sub-registry
   of the "Secure Shell (SSH) Protocol Parameters" registry
   [IANA-PUBKEY-ALGS].

   This registry defines a YANG identity for each public key algorithm,
   and a "base" identity from which all of the other identities are
   derived.

   Registry entries for which the '*All values beginning with the
   specified string and not containing "@".' note applies MUST be
   expanded so that there is a distinct YANG identity for each
   enumeration.

   An initial version of this module can be found in Appendix A.3.

   *  Please note that this module was created on June 1st, 2021, and
      that additional entries may have been added in the interim before
      this document's publication.  If this is the case, IANA may
      either publish just an updated module containing the new entries,
      or publish the initial module as is immediately followed by a
      "revision" containing the additional algorithm names.

6.6.  The "iana-ssh-key-exchange-algs" Module

   IANA is requested to maintain a YANG module called "iana-ssh-key-
   exchange-algs" that shadows the "Key Exchange Method Names" sub-
   registry of the "Secure Shell (SSH) Protocol Parameters" registry
   [IANA-KEYEX-ALGS].

   This registry defines a YANG identity for each key exchange
   algorithm, and a "base" identity from which all of the other
   identities are derived.

   Registry entries for which the '*All values beginning with the
   specified string and not containing "@".' note applies MUST be
   expanded so that there is a distinct YANG identity for each
   enumeration.

   An initial version of this module can be found in Appendix A.4.

   *  Please note that this module was created on June 1st, 2021, and
      that additional entries may have been added in the interim before
      this document's publication.  If this is the case, IANA may
      either publish just an updated module containing the new entries,
      or publish the initial module as is immediately followed by a
      "revision" containing the additional algorithm names.

   *  Please also note that the "status" statement has been set to
      "deprecated" in accordance with
      https://datatracker.ietf.org/doc/html/rfc8732#section-6.  It is
      recommended that IANA add a column to the registry to more easily
      track the deprecation status of algorithms.

7.  References

7.1.  Normative References

   [I-D.ietf-netconf-crypto-types]
              Watsen, K., "YANG Data Types and Groupings for
              Cryptography", Work in Progress, Internet-Draft,
              draft-ietf-netconf-crypto-types-22, 7 March 2022.

   [I-D.ietf-netconf-keystore]
              Watsen, K., "A YANG Data Model for a Keystore", Work in
              Progress, Internet-Draft, draft-ietf-netconf-keystore-24,
              7 March 2022.

   [I-D.ietf-netconf-trust-anchors]
              Watsen, K., "A YANG Data Model for a Truststore", Work in
              Progress, Internet-Draft,
              draft-ietf-netconf-trust-anchors-17, 7 March 2022.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4344]  Bellare, M., Kohno, T., and C. Namprempre, "The Secure
              Shell (SSH) Transport Layer Encryption Modes", RFC 4344,
              DOI 10.17487/RFC4344, January 2006.

   [RFC4419]  Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman
              Group Exchange for the Secure Shell (SSH) Transport Layer
              Protocol", RFC 4419, DOI 10.17487/RFC4419, March 2006.

   [RFC5656]  Stebila, D. and J. Green, "Elliptic Curve Algorithm
              Integration in the Secure Shell Transport Layer",
              RFC 5656, DOI 10.17487/RFC5656, December 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6187]  Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure
              Shell Authentication", RFC 6187, DOI 10.17487/RFC6187,
              March 2011.

   [RFC6668]  Bider, D. and M. Baushke, "SHA-2 Data Integrity
              Verification for the Secure Shell (SSH) Transport Layer
              Protocol", RFC 6668, DOI 10.17487/RFC6668, July 2012.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

7.2.  Informative References

   [I-D.ietf-netconf-http-client-server]
              Watsen, K., "YANG Groupings for HTTP Clients and HTTP
              Servers", Work in Progress, Internet-Draft,
              draft-ietf-netconf-http-client-server-09, 7 March 2022.

   [I-D.ietf-netconf-netconf-client-server]
              Watsen, K., "NETCONF Client and Server Models", Work in
              Progress, Internet-Draft,
              draft-ietf-netconf-netconf-client-server-25, 7 March 2022.

   [I-D.ietf-netconf-restconf-client-server]
              Watsen, K., "RESTCONF Client and Server Models", Work in
              Progress, Internet-Draft,
              draft-ietf-netconf-restconf-client-server-25,
              7 March 2022.

   [I-D.ietf-netconf-ssh-client-server]
              Watsen, K., "YANG Groupings for SSH Clients and SSH
              Servers", Work in Progress, Internet-Draft,
              draft-ietf-netconf-ssh-client-server-27, 7 March 2022.

   [I-D.ietf-netconf-tcp-client-server]
              Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
              and TCP Servers", Work in Progress, Internet-Draft,
              draft-ietf-netconf-tcp-client-server-12, 7 March 2022.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K., "YANG Groupings for TLS Clients and TLS
              Servers", Work in Progress, Internet-Draft,
              draft-ietf-netconf-tls-client-server-27, 7 March 2022.

   [IANA-ENC-ALGS]
              IANA, "IANA "Encryption Algorithm Names" Sub-registry of
              the "Secure Shell (SSH) Protocol Parameters" Registry".

   [IANA-KEYEX-ALGS]
              IANA, "IANA "Key Exchange Method Names" Sub-registry of
              the "Secure Shell (SSH) Protocol Parameters" Registry".

   [IANA-MAC-ALGS]
              IANA, "IANA "MAC Algorithm Names" Sub-registry of the
              "Secure Shell (SSH) Protocol Parameters" Registry".

   [IANA-PUBKEY-ALGS]
              IANA, "IANA "Public Key Algorithm Names" Sub-registry of
              the "Secure Shell (SSH) Protocol Parameters" Registry".

   [OPENSSH]  The OpenSSH Project, "OpenSSH".

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4252]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
              January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006.

   [RFC4254]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Connection Protocol", RFC 4254, DOI 10.17487/RFC4254,
              January 2006.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8071]  Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
              RFC 8071, DOI 10.17487/RFC8071, February 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

Appendix A.  YANG Modules for IANA

   The modules contained in this section were generated by scripts using
   the contents of the associated sub-registry as they existed on June
   1st, 2021.

A.1.  Initial Module for the "Encryption Algorithm Names" Registry

A.1.1.  Data Model Overview

   This section provides an overview of the "iana-ssh-encryption-algs"
   module in terms of its identities and protocol-accessible nodes.

A.1.1.1.  Identities

   The following diagram lists the base "identity" statements defined in
   the module, of which there is just one, and illustrates that all the
   derived identity statements are generated from the associated IANA-
   maintained registry [IANA-ENC-ALGS].

   Identities:
     +-- encryption-alg-base
        +-- <derived identities, generated from the IANA registry>

   |  The diagram above uses syntax that is similar to but not
   |  defined in [RFC8340].

A.1.1.2.
Typedefs

   The following diagram illustrates the "typedef" statements defined in
   the "iana-ssh-encryption-algs" module:

   Typedefs:
     identityref
       +-- encryption-algorithm-ref

   |  The diagram above uses syntax that is similar to but not
   |  defined in [RFC8340].

   Comments:

   *  The typedef defined in the "iana-ssh-encryption-algs" module
      extends the "identityref" type defined in [RFC7950].

A.1.1.3.  Protocol-accessible Nodes

   The following tree diagram [RFC8340] lists all the protocol-
   accessible nodes defined in the "iana-ssh-encryption-algs" module:

   module: iana-ssh-encryption-algs
     +--ro supported-algorithms
        +--ro supported-algorithm*   encryption-algorithm-ref

   Comments:

   *  Protocol-accessible nodes are those nodes that are accessible when
      the module is "implemented", as described in Section 5.6.5 of
      [RFC7950].

A.1.2.  Example Usage

   The following example illustrates operational state data indicating
   the SSH encryption algorithms supported by the server:

   <supported-algorithms
     xmlns="urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"
     xmlns:sshea="urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs">
     <supported-algorithm>sshea:aes256-ctr</supported-algorithm>
     <supported-algorithm>sshea:aes256-cbc</supported-algorithm>
     <supported-algorithm>sshea:twofish256-cbc</supported-algorithm>
     <supported-algorithm>sshea:serpent256-cbc</supported-algorithm>
     <supported-algorithm>sshea:arcfour256</supported-algorithm>
     <supported-algorithm>sshea:serpent256-ctr</supported-algorithm>
     <supported-algorithm>sshea:aead-aes-256-gcm</supported-algorithm>
   </supported-algorithms>

A.1.3.  YANG Module

   Following are the complete contents of the initial IANA-maintained
   YANG module.  Please note that the date "2021-06-01" reflects the day
   on which the extraction occurred.
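   The example in A.1.2 advertises "sshea:arcfour256", which the module
   below marks "status obsolete".  The following Python program is an
   added example (not part of this draft) of how an operator can audit
   a "supported-algorithms" instance against the module: it extracts
   each identity's name and "status" statement from the module text,
   resolves each identityref value through the document's xmlns
   declarations, and groups the advertised algorithms by status.  The
   module excerpt and state document are constructed inline from the
   page's own contents; the deprecation check also covers the
   "deprecated" status used in Section 6.6 for key exchange methods.

```python
import io
import re
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"

# Constructed excerpt of "iana-ssh-encryption-algs": the base identity
# plus three identities copied from the module.  The real module has
# many more; only the statements this check reads are kept.
MODULE_EXCERPT = """
  identity encryption-alg-base {
    description
      "Base identity used to identify encryption algorithms.";
  }

  identity aes256-ctr {
    base encryption-alg-base;
    description
      "AES256-CTR";
    reference
      "RFC 4344:
         The Secure Shell (SSH) Transport Layer Encryption Modes";
  }

  identity arcfour256 {
    base encryption-alg-base;
    status obsolete;
    description
      "ARCFOUR256";
  }

  identity des-cbc {
    base encryption-alg-base;
    status obsolete;
    description
      "DES-CBC";
  }
"""

# Constructed operational state in the shape of the A.1.2 example.  It
# advertises two algorithms the module marks "status obsolete".
STATE_XML = f"""
<supported-algorithms xmlns="{NS}" xmlns:sshea="{NS}">
  <supported-algorithm>sshea:aes256-ctr</supported-algorithm>
  <supported-algorithm>sshea:arcfour256</supported-algorithm>
  <supported-algorithm>sshea:des-cbc</supported-algorithm>
</supported-algorithms>
"""

# An identity body has no nested braces, so the first line consisting
# of "}" closes it.
IDENTITY_RE = re.compile(r"identity\s+([\w.-]+)\s*\{(.*?)\n\s*\}", re.S)
STATUS_RE = re.compile(r"\bstatus\s+(current|deprecated|obsolete)\s*;")


def parse_identities(module_text):
    """Map each identity name to its YANG status; an identity with no
    "status" statement is "current" (RFC 7950, Section 7.21.2)."""
    identities = {}
    for match in IDENTITY_RE.finditer(module_text):
        name, body = match.group(1), match.group(2)
        status = STATUS_RE.search(body)
        identities[name] = status.group(1) if status else "current"
    return identities


def advertised_algorithms(state_xml):
    """Return [(namespace, name)] for every supported-algorithm entry.
    The prefix of an identityref value is resolved through the xmlns
    declarations in force, not trusted as a literal module prefix."""
    prefixes = {}
    root = None
    source = io.BytesIO(state_xml.encode())
    for event, obj in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[obj[0]] = obj[1]   # obj is (prefix, uri)
        elif root is None:
            root = obj                  # first "start" event is the root
    result = []
    for leaf in root.iter(f"{{{NS}}}supported-algorithm"):
        prefix, _, name = leaf.text.strip().rpartition(":")
        result.append((prefixes.get(prefix), name))
    return result


def audit_supported_algorithms(module_text, state_xml):
    """Group advertised algorithms by the status the module assigns them;
    "unknown" holds names or namespaces the module does not define."""
    identities = parse_identities(module_text)
    findings = {"current": [], "deprecated": [], "obsolete": [], "unknown": []}
    for namespace, name in advertised_algorithms(state_xml):
        if namespace != NS or name not in identities:
            findings["unknown"].append(name)
        else:
            findings[identities[name]].append(name)
    return findings


if __name__ == "__main__":
    report = audit_supported_algorithms(MODULE_EXCERPT, STATE_XML)
    for status, names in report.items():
        if names:
            print(f"{status:>10}: {', '.join(names)}")
```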
   <CODE BEGINS> file "iana-ssh-encryption-algs@2021-06-01.yang"

   module iana-ssh-encryption-algs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs";
     prefix sshea;

     organization
       "Internet Assigned Numbers Authority (IANA)";

     contact
       "Postal: ICANN
                12025 Waterfront Drive, Suite 300
                Los Angeles, CA  90094-2536
                United States of America
        Tel:    +1 310 301 5800
        Email:  iana@iana.org";

     description
       "This module defines identities for the encryption algorithms
        defined in the 'Encryption Algorithm Names' sub-registry of the
        'Secure Shell (SSH) Protocol Parameters' registry maintained
        by IANA.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Revised
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Typedefs

     typedef encryption-algorithm-ref {
       type identityref {
         base "encryption-alg-base";
       }
       description
         "A reference to a SSH encryption algorithm identifier.";
     }

     // Identities

     identity encryption-alg-base {
       description
         "Base identity used to identify encryption algorithms.";
     }

     identity triple-des-cbc { // YANG IDs cannot begin with a number
       base encryption-alg-base;
       description
         "3DES-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity blowfish-cbc {
       base encryption-alg-base;
       description
         "BLOWFISH-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity twofish256-cbc {
       base encryption-alg-base;
       description
         "TWOFISH256-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity twofish-cbc {
       base encryption-alg-base;
       description
         "TWOFISH-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity twofish192-cbc {
       base encryption-alg-base;
       description
         "TWOFISH192-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity twofish128-cbc {
       base encryption-alg-base;
       description
         "TWOFISH128-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity aes256-cbc {
       base encryption-alg-base;
       description
         "AES256-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity aes192-cbc {
       base encryption-alg-base;
       description
         "AES192-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity aes128-cbc {
       base encryption-alg-base;
       description
         "AES128-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity serpent256-cbc {
       base encryption-alg-base;
       description
         "SERPENT256-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity serpent192-cbc {
       base encryption-alg-base;
       description
         "SERPENT192-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity serpent128-cbc {
       base encryption-alg-base;
       description
         "SERPENT128-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity arcfour {
       base encryption-alg-base;
       status obsolete;
       description
         "ARCFOUR";
       reference
         "RFC 8758:
            Deprecating RC4 in Secure Shell (SSH)";
     }

     identity idea-cbc {
       base encryption-alg-base;
       description
         "IDEA-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity cast128-cbc {
       base encryption-alg-base;
       description
         "CAST128-CBC";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity none {
       base encryption-alg-base;
       description
         "NONE";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity des-cbc {
       base encryption-alg-base;
       status obsolete;
       description
         "DES-CBC";
       reference
         "FIPS 46-3:
            Data Encryption Standard (DES)";
     }

     identity arcfour128 {
       base encryption-alg-base;
       status obsolete;
       description
         "ARCFOUR128";
       reference
         "RFC 8758:
            Deprecating RC4 in Secure Shell (SSH)";
     }

     identity arcfour256 {
       base encryption-alg-base;
       status obsolete;
       description
         "ARCFOUR256";
       reference
         "RFC 8758:
            Deprecating RC4 in Secure Shell (SSH)";
     }

     identity aes128-ctr {
       base encryption-alg-base;
       description
         "AES128-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity aes192-ctr {
       base encryption-alg-base;
       description
         "AES192-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity aes256-ctr {
       base encryption-alg-base;
       description
         "AES256-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity triple-des-ctr { // YANG IDs cannot begin with a number
       base encryption-alg-base;
       description
         "3DES-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity blowfish-ctr {
       base encryption-alg-base;
       description
         "BLOWFISH-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity twofish128-ctr {
       base encryption-alg-base;
       description
         "TWOFISH128-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity twofish192-ctr {
       base encryption-alg-base;
       description
         "TWOFISH192-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity twofish256-ctr {
       base encryption-alg-base;
       description
         "TWOFISH256-CTR";
       reference
         "RFC 4344:
            The Secure Shell (SSH) Transport Layer Encryption Modes";
     }

     identity serpent128-ctr {
base encryption-alg-base; 3071 description 3072 "SERPENT128-CTR"; 3073 reference 3074 "RFC 4344: 3075 The Secure Shell (SSH) Transport Layer Encryption Modes"; 3076 } 3078 identity serpent192-ctr { 3079 base encryption-alg-base; 3080 description 3081 "SERPENT192-CTR"; 3082 reference 3083 "RFC 4344: 3084 The Secure Shell (SSH) Transport Layer Encryption Modes"; 3085 } 3087 identity serpent256-ctr { 3088 base encryption-alg-base; 3089 description 3090 "SERPENT256-CTR"; 3091 reference 3092 "RFC 4344: 3093 The Secure Shell (SSH) Transport Layer Encryption Modes"; 3094 } 3096 identity idea-ctr { 3097 base encryption-alg-base; 3098 description 3099 "IDEA-CTR"; 3100 reference 3101 "RFC 4344: 3102 The Secure Shell (SSH) Transport Layer Encryption Modes"; 3103 } 3105 identity cast128-ctr { 3106 base encryption-alg-base; 3107 description 3108 "CAST128-CTR"; 3109 reference 3110 "RFC 4344: 3111 The Secure Shell (SSH) Transport Layer Encryption Modes"; 3112 } 3114 identity aead-aes-128-gcm { 3115 base encryption-alg-base; 3116 description 3117 "AEAD_AES_128_GCM"; 3118 reference 3119 "RFC 5647: 3120 AES Galois Counter Mode for the 3121 Secure Shell Transport Layer Protocol"; 3122 } 3124 identity aead-aes-256-gcm { 3125 base encryption-alg-base; 3126 description 3127 "AEAD_AES_256_GCM"; 3128 reference 3129 "RFC 5647: 3130 AES Galois Counter Mode for the 3131 Secure Shell Transport Layer Protocol"; 3132 } 3134 // Protocol-accessible Nodes 3136 container supported-algorithms { 3137 config false; 3138 description 3139 "A container for a list of encryption algorithms 3140 supported by the server."; 3141 leaf-list supported-algorithm { 3142 type encryption-algorithm-ref; 3143 description 3144 "A encryption algorithm supported by the server."; 3145 } 3146 } 3148 } 3150 3152 A.2. Initial Module for the "MAC Algorithm Names" Registry 3154 A.2.1. 
Data Model Overview 3156 This section provides an overview of the "iana-ssh-mac-algs" module 3157 in terms of its identities and protocol-accessible nodes. 3159 A.2.1.1. Identities 3161 The following diagram lists the base "identity" statements defined in 3162 the module, of which there is just one, and illustrates that all the 3163 derived identity statements are generated from the associated IANA- 3164 maintained registry [IANA-MAC-ALGS]. 3166 Identities: 3167 +-- mac-alg-base 3168 +-- 3170 | The diagram above uses syntax that is similar to but not 3171 | defined in [RFC8340]. 3173 A.2.1.2. Typedefs 3175 The following diagram illustrates the "typedef" statements defined in 3176 the "iana-ssh-mac-algs" module: 3178 Typedefs: 3179 identityref 3180 +-- mac-algorithm-ref 3182 | The diagram above uses syntax that is similar to but not 3183 | defined in [RFC8340]. 3185 Comments: 3187 * The typedef defined in the "iana-ssh-mac-algs" module extends the 3188 "identityref" type defined in [RFC7950]. 3190 A.2.1.3. Protocol-accessible Nodes 3192 The following tree diagram [RFC8340] lists all the protocol- 3193 accessible nodes defined in the "iana-ssh-mac-algs" module: 3195 module: iana-ssh-mac-algs 3196 +--ro supported-algorithms 3197 +--ro supported-algorithm* mac-algorithm-ref 3199 Comments: 3201 * Protocol-accessible nodes are those nodes that are accessible when 3202 the module is "implemented", as described in Section 5.6.5 of 3203 [RFC7950]. 3205 A.2.2. Example Usage 3207 The following example illustrates operational state data indicating 3208 the SSH MAC algorithms supported by the server: 3210 3213 sshma:hmac-sha2-256 3214 sshma:hmac-sha2-512 3215 sshma:aead-aes-256-gcm 3216 3218 A.2.3. YANG Module 3220 Following are the complete contents to the initial IANA-maintained 3221 YANG module. Please note that the date "2021-06-01" reflects the day 3222 on which the extraction occurred. 
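   The operational-state examples in this appendix (the MAC one above,
   and the public-key and key-exchange ones that follow) only list what
   a server advertises.  The question an operator actually needs answered
   is whether that list contains anything the registry module marks
   "status obsolete" or "status deprecated", or the "none" algorithm,
   which the modules carry because RFC 4253 registers it.  The Python
   below is an added example, not code from this document or from IANA:
   it extracts the identity statements (name, base, status, reference)
   from YANG module text with a small regex-based reader that is adequate
   for these flat IANA modules, then audits a supported-algorithms reply
   against them.  The module excerpt is five identities copied from the
   iana-ssh-encryption-algs module above, and the reply is constructed in
   the shape of the examples here; a real check would read the whole
   module file, take the reply from the server, and resolve the
   identityref prefix through the XML namespace declarations instead of
   dropping it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the iana-ssh-encryption-algs module above (five of
# its identity statements, verbatim), so the extractor runs without the file.
YANG_EXCERPT = '''
  identity encryption-alg-base {
    description
      "Base identity used to identify encryption algorithms.";
  }

  identity arcfour {
    base encryption-alg-base;
    status obsolete;
    description
      "ARCFOUR";
    reference
      "RFC 8758:
         Deprecating RC4 in Secure Shell (SSH)";
  }

  identity none {
    base encryption-alg-base;
    description
      "NONE";
    reference
      "RFC 4253:
         The Secure Shell (SSH) Transport Layer Protocol";
  }

  identity aes256-ctr {
    base encryption-alg-base;
    description
      "AES256-CTR";
    reference
      "RFC 4344:
         The Secure Shell (SSH) Transport Layer Encryption Modes";
  }

  identity aead-aes-256-gcm {
    base encryption-alg-base;
    description
      "AEAD_AES_256_GCM";
    reference
      "RFC 5647:
         AES Galois Counter Mode for the
         Secure Shell Transport Layer Protocol";
  }
'''

NS = "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"

# Constructed <supported-algorithms> reply in the shape of the Example Usage
# sections: two current ciphers, RC4, and the "none" cipher.
SERVER_STATE = f'''<supported-algorithms xmlns="{NS}" xmlns:sshea="{NS}">
  <supported-algorithm>sshea:aes256-ctr</supported-algorithm>
  <supported-algorithm>sshea:aead-aes-256-gcm</supported-algorithm>
  <supported-algorithm>sshea:arcfour</supported-algorithm>
  <supported-algorithm>sshea:none</supported-algorithm>
</supported-algorithms>'''

# An identity body never contains a brace, so "[^}]*" captures exactly one
# statement; "identityref {" cannot match because a name must follow the
# keyword.  Enough for the flat IANA modules, not a general YANG parser.
IDENTITY_RE = re.compile(r"\bidentity\s+([\w.\-]+)\s*\{([^}]*)\}")
KEYWORD_RE = re.compile(r"\b(base|status)\s+([\w.\-]+)\s*;")
STRING_RE = re.compile(r'\b(description|reference)\s+"([^"]*)"')


def parse_identities(yang_text):
    """Map identity name -> {base, status, description, reference}.

    YANG's default status is "current", so an identity with no status
    statement is recorded as current.
    """
    identities = {}
    for name, body in IDENTITY_RE.findall(yang_text):
        entry = {"base": None, "status": "current",
                 "description": None, "reference": None}
        for keyword, value in KEYWORD_RE.findall(body):
            entry[keyword] = value
        for keyword, value in STRING_RE.findall(body):
            entry[keyword] = " ".join(value.split())  # unwrap the string
        identities[name] = entry
    return identities


def audit_supported_algorithms(xml_text, identities,
                               base="encryption-alg-base"):
    """Return (name, reason) for each advertised algorithm to object to."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter(f"{{{NS}}}supported-algorithm"):
        # identityref values are "prefix:name"; the prefix is dropped here
        # rather than resolved through the xmlns declarations (simplification).
        name = elem.text.strip().split(":")[-1]
        ident = identities.get(name)
        if ident is None or ident["base"] != base:
            findings.append((name, "not an identity derived from " + base))
        elif ident["status"] in ("obsolete", "deprecated"):
            findings.append(
                (name, f"status {ident['status']} ({ident['reference']})"))
        elif name == "none":
            findings.append(
                (name, "the 'none' algorithm provides no protection"))
    return findings


if __name__ == "__main__":
    registry = parse_identities(YANG_EXCERPT)
    for name, reason in audit_supported_algorithms(SERVER_STATE, registry):
        print(f"{name}: {reason}")
```

   Passing a different base (for instance "mac-alg-base" against the
   MAC module text) reuses the same reader for the other three registry
   modules; anything advertised that is not derived from the expected
   base is reported, which is also what identityref validation would
   reject.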
   <CODE BEGINS> file "iana-ssh-mac-algs@2021-06-01.yang"

   module iana-ssh-mac-algs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs";
     prefix sshma;

     organization
       "Internet Assigned Numbers Authority (IANA)";

     contact
       "Postal: ICANN
               12025 Waterfront Drive, Suite 300
               Los Angeles, CA  90094-2536
               United States of America
        Tel:    +1 310 301 5800
        Email:  iana@iana.org";

     description
       "This module defines identities for the MAC algorithms
        defined in the 'MAC Algorithm Names' sub-registry of the
        'Secure Shell (SSH) Protocol Parameters' registry maintained
        by IANA.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Revised
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Typedefs

     typedef mac-algorithm-ref {
       type identityref {
         base "mac-alg-base";
       }
       description
         "A reference to an SSH MAC algorithm identifier.";
     }

     // Identities

     identity mac-alg-base {
       description
         "Base identity used to identify message authentication
          code (MAC) algorithms.";
     }

     identity hmac-sha1 {
       base mac-alg-base;
       description
         "HMAC-SHA1";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-sha1-96 {
       base mac-alg-base;
       description
         "HMAC-SHA1-96";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-md5 {
       base mac-alg-base;
       description
         "HMAC-MD5";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-md5-96 {
       base mac-alg-base;
       description
         "HMAC-MD5-96";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity none {
       base mac-alg-base;
       description
         "NONE";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity aead-aes-128-gcm {
       base mac-alg-base;
       description
         "AEAD_AES_128_GCM";
       reference
         "RFC 5647:
            AES Galois Counter Mode for the
            Secure Shell Transport Layer Protocol";
     }

     identity aead-aes-256-gcm {
       base mac-alg-base;
       description
         "AEAD_AES_256_GCM";
       reference
         "RFC 5647:
            AES Galois Counter Mode for the
            Secure Shell Transport Layer Protocol";
     }

     identity hmac-sha2-256 {
       base mac-alg-base;
       description
         "HMAC-SHA2-256";
       reference
         "RFC 6668:
            SHA-2 Data Integrity Verification for the
            Secure Shell (SSH) Transport Layer Protocol";
     }

     identity hmac-sha2-512 {
       base mac-alg-base;
       description
         "HMAC-SHA2-512";
       reference
         "RFC 6668:
            SHA-2 Data Integrity Verification for the
            Secure Shell (SSH) Transport Layer Protocol";
     }

     // Protocol-accessible Nodes

     container supported-algorithms {
       config false;
       description
         "A container for a list of MAC algorithms
          supported by the server.";
       leaf-list supported-algorithm {
         type mac-algorithm-ref;
         description
           "A MAC algorithm supported by the server.";
       }
     }

   }

   <CODE ENDS>

A.3.  Initial Module for the "Public Key Algorithm Names" Registry

A.3.1.  Data Model Overview

   This section provides an overview of the "iana-ssh-public-key-algs"
   module in terms of its identities and protocol-accessible nodes.

A.3.1.1.  Identities

   The following diagram lists the base "identity" statements defined in
   the module, of which there is just one, and illustrates that all the
   derived identity statements are generated from the associated IANA-
   maintained registry [IANA-PUBKEY-ALGS].

   Identities:
     +-- public-key-alg-base
         +-- <derived identities generated from the IANA registry>

   |  The diagram above uses syntax that is similar to but not
   |  defined in [RFC8340].

A.3.1.2.  Typedefs

   The following diagram illustrates the "typedef" statements defined in
   the "iana-ssh-public-key-algs" module:

   Typedefs:
     identityref
       +-- public-key-algorithm-ref

   |  The diagram above uses syntax that is similar to but not
   |  defined in [RFC8340].

   Comments:

   *  The typedef defined in the "iana-ssh-public-key-algs" module
      extends the "identityref" type defined in [RFC7950].

A.3.1.3.  Protocol-accessible Nodes

   The following tree diagram [RFC8340] lists all the protocol-
   accessible nodes defined in the "iana-ssh-public-key-algs" module:

   module: iana-ssh-public-key-algs
     +--ro supported-algorithms
        +--ro supported-algorithm*   public-key-algorithm-ref

   Comments:

   *  Protocol-accessible nodes are those nodes that are accessible when
      the module is "implemented", as described in Section 5.6.5 of
      [RFC7950].

A.3.2.  Example Usage

   The following example illustrates operational state data indicating
   the SSH public key algorithms supported by the server:

   <supported-algorithms
     xmlns="urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs"
     xmlns:sshpka="urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs">
     <supported-algorithm>sshpka:rsa-sha2-256</supported-algorithm>
     <supported-algorithm>sshpka:rsa-sha2-512</supported-algorithm>
     <supported-algorithm>sshpka:spki-sign-rsa</supported-algorithm>
     <supported-algorithm>sshpka:pgp-sign-dss</supported-algorithm>
     <supported-algorithm>sshpka:x509v3-rsa2048-sha256</supported-algorithm>
     <supported-algorithm>sshpka:ecdsa-sha2-nistp256</supported-algorithm>
     <supported-algorithm>sshpka:ecdsa-sha2-1.3.132.0.37</supported-algorithm>
     <supported-algorithm>sshpka:ssh-ed25519</supported-algorithm>
   </supported-algorithms>

A.3.3.  YANG Module

   Following are the complete contents of the initial IANA-maintained
   YANG module.  Please note that the date "2021-06-01" reflects the day
   on which the extraction occurred.

   <CODE BEGINS> file "iana-ssh-public-key-algs@2021-06-01.yang"

   module iana-ssh-public-key-algs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs";
     prefix sshpka;

     organization
       "Internet Assigned Numbers Authority (IANA)";

     contact
       "Postal: ICANN
               12025 Waterfront Drive, Suite 300
               Los Angeles, CA  90094-2536
               United States of America
        Tel:    +1 310 301 5800
        Email:  iana@iana.org";

     description
       "This module defines identities for the public key algorithms
        defined in the 'Public Key Algorithm Names' sub-registry of the
        'Secure Shell (SSH) Protocol Parameters' registry maintained
        by IANA.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Revised
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Typedefs

     typedef public-key-algorithm-ref {
       type identityref {
         base "public-key-alg-base";
       }
       description
         "A reference to an SSH public key algorithm identifier.";
     }

     // Identities

     identity public-key-alg-base {
       description
         "Base identity used to identify public key algorithms.";
     }

     identity ssh-dss {
       base public-key-alg-base;
       description
         "SSH-DSS";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity ssh-rsa {
       base public-key-alg-base;
       description
         "SSH-RSA";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity rsa-sha2-256 {
       base public-key-alg-base;
       description
         "RSA-SHA2-256";
       reference
         "RFC 8332:
            Use of RSA Keys with SHA-256 and SHA-512
            in the Secure Shell (SSH) Protocol";
     }

     identity rsa-sha2-512 {
       base public-key-alg-base;
       description
         "RSA-SHA2-512";
       reference
         "RFC 8332:
            Use of RSA Keys with SHA-256 and SHA-512
            in the Secure Shell (SSH) Protocol";
     }

     identity spki-sign-rsa {
       base public-key-alg-base;
       description
         "SPKI-SIGN-RSA";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity spki-sign-dss {
       base public-key-alg-base;
       description
         "SPKI-SIGN-DSS";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity pgp-sign-rsa {
       base public-key-alg-base;
       description
         "PGP-SIGN-RSA";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity pgp-sign-dss {
       base public-key-alg-base;
       description
         "PGP-SIGN-DSS";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity null {
       base public-key-alg-base;
       description
         "NULL";
       reference
         "RFC 4462:
            Generic Security Service Application Program Interface
            (GSS-API) Authentication and Key Exchange for the
            Secure Shell (SSH) Protocol";
     }

     identity ecdsa-sha2-nistp256 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-NISTP256 (secp256r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-nistp384 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-NISTP384 (secp384r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-nistp521 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-NISTP521 (secp521r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.1 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.2.840.10045.3.1.1 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.33 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.26 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.27 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.16 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.36 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.37 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdsa-sha2-1.3.132.0.38 {
       base public-key-alg-base;
       description
         "ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }
     identity x509v3-ssh-dss {
       base public-key-alg-base;
       description
         "X509V3-SSH-DSS";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ssh-rsa {
       base public-key-alg-base;
       description
         "X509V3-SSH-RSA";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-rsa2048-sha256 {
       base public-key-alg-base;
       description
         "X509V3-RSA2048-SHA256";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-nistp256 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-NISTP256 (secp256r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-nistp384 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-NISTP384 (secp384r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-nistp521 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-NISTP521 (secp521r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.1 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.2.840.10045.3.1.1 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.33 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.26 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.27 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.16 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.36 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.37 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity x509v3-ecdsa-sha2-1.3.132.0.38 {
       base public-key-alg-base;
       description
         "X509V3-ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
       reference
         "RFC 6187:
            X.509v3 Certificates for Secure Shell Authentication";
     }

     identity ssh-ed25519 {
       base public-key-alg-base;
       description
         "SSH-ED25519";
       reference
         "RFC 8709:
            Ed25519 and Ed448 Public Key Algorithms for the
            Secure Shell (SSH) Protocol";
     }

     identity ssh-ed448 {
       base public-key-alg-base;
       description
         "SSH-ED448";
       reference
         "RFC 8709:
            Ed25519 and Ed448 Public Key Algorithms for the
            Secure Shell (SSH) Protocol";
     }

     // Protocol-accessible Nodes

     container supported-algorithms {
       config false;
       description
         "A container for a list of public key algorithms
          supported by the server.";
       leaf-list supported-algorithm {
         type public-key-algorithm-ref;
         description
           "A public key algorithm supported by the server.";
       }
     }

   }

   <CODE ENDS>

A.4.  Initial Module for the "Key Exchange Method Names" Registry

A.4.1.  Data Model Overview

   This section provides an overview of the "iana-ssh-key-exchange-algs"
   module in terms of its identities and protocol-accessible nodes.

A.4.1.1.  Identities

   The following diagram lists the base "identity" statements defined in
   the module, of which there is just one, and illustrates that all the
   derived identity statements are generated from the associated IANA-
   maintained registry [IANA-KEYEX-ALGS].

   Identities:
     +-- key-exchange-alg-base
         +-- <derived identities generated from the IANA registry>

   |  The diagram above uses syntax that is similar to but not
   |  defined in [RFC8340].

A.4.1.2.  Typedefs

   The following diagram illustrates the "typedef" statements defined in
   the "iana-ssh-key-exchange-algs" module:

   Typedefs:
     identityref
       +-- key-exchange-algorithm-ref

   |  The diagram above uses syntax that is similar to but not
   |  defined in [RFC8340].

   Comments:

   *  The typedef defined in the "iana-ssh-key-exchange-algs" module
      extends the "identityref" type defined in [RFC7950].

A.4.1.3.  Protocol-accessible Nodes

   The following tree diagram [RFC8340] lists all the protocol-
   accessible nodes defined in the "iana-ssh-key-exchange-algs" module:

   module: iana-ssh-key-exchange-algs
     +--ro supported-algorithms
        +--ro supported-algorithm*   key-exchange-algorithm-ref

   Comments:

   *  Protocol-accessible nodes are those nodes that are accessible when
      the module is "implemented", as described in Section 5.6.5 of
      [RFC7950].

A.4.2.  Example Usage

   The following example illustrates operational state data indicating
   the SSH key exchange algorithms supported by the server:

   <supported-algorithms
     xmlns="urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs"
     xmlns:sshkea="urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs">
     <supported-algorithm>sshkea:diffie-hellman-group-exchange-sha256</supported-algorithm>
     <supported-algorithm>sshkea:ecdh-sha2-nistp256</supported-algorithm>
     <supported-algorithm>sshkea:rsa2048-sha256</supported-algorithm>
     <supported-algorithm>sshkea:gss-group1-sha1-curve25519-sha256</supported-algorithm>
     <supported-algorithm>sshkea:gss-group14-sha1-nistp256</supported-algorithm>
     <supported-algorithm>sshkea:gss-gex-sha1-nistp256</supported-algorithm>
     <supported-algorithm>sshkea:gss-group14-sha256-1.2.840.10045.3.1.1</supported-algorithm>
     <supported-algorithm>sshkea:curve25519-sha256</supported-algorithm>
   </supported-algorithms>

A.4.3.  YANG Module

   Following are the complete contents of the initial IANA-maintained
   YANG module.  Please note that the date "2021-06-01" reflects the day
   on which the extraction occurred.

   <CODE BEGINS> file "iana-ssh-key-exchange-algs@2021-06-01.yang"

   module iana-ssh-key-exchange-algs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs";
     prefix sshkea;

     organization
       "Internet Assigned Numbers Authority (IANA)";

     contact
       "Postal: ICANN
               12025 Waterfront Drive, Suite 300
               Los Angeles, CA  90094-2536
               United States of America
        Tel:    +1 310 301 5800
        Email:  iana@iana.org";

     description
       "This module defines identities for the key exchange algorithms
        defined in the 'Key Exchange Method Names' sub-registry of the
        'Secure Shell (SSH) Protocol Parameters' registry maintained
        by IANA.

        Copyright (c) 2021 IETF Trust and the persons identified
        as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Revised
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        The initial version of this YANG module is part of RFC EEEE
        (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
        itself for full legal notices.";

     revision 2021-06-01 {
       description
         "Initial version";
       reference
         "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
     }

     // Typedefs

     typedef key-exchange-algorithm-ref {
       type identityref {
         base "key-exchange-alg-base";
       }
       description
         "A reference to an SSH key exchange algorithm identifier.";
     }

     // Identities

     identity key-exchange-alg-base {
       description
         "Base identity used to identify key exchange algorithms.";
     }

     identity diffie-hellman-group-exchange-sha1 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1";
       reference
         "RFC 4419:
            Diffie-Hellman Group Exchange for the
            Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group-exchange-sha256 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256";
       reference
         "RFC 4419:
            Diffie-Hellman Group Exchange for the
            Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group1-sha1 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP1-SHA1";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group14-sha1 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP14-SHA1";
       reference
         "RFC 4253:
            The Secure Shell (SSH) Transport Layer Protocol";
     }

     identity diffie-hellman-group14-sha256 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP14-SHA256";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure Shell (SSH)";
     }

     identity diffie-hellman-group15-sha512 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP15-SHA512";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure Shell (SSH)";
     }

     identity diffie-hellman-group16-sha512 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP16-SHA512";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure Shell (SSH)";
     }

     identity diffie-hellman-group17-sha512 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP17-SHA512";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure Shell (SSH)";
     }

     identity diffie-hellman-group18-sha512 {
       base key-exchange-alg-base;
       description
         "DIFFIE-HELLMAN-GROUP18-SHA512";
       reference
         "RFC 8268:
            More Modular Exponentiation (MODP) Diffie-Hellman (DH)
            Key Exchange (KEX) Groups for Secure Shell (SSH)";
     }

     identity ecdh-sha2-nistp256 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-NISTP256 (secp256r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-nistp384 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-NISTP384 (secp384r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-nistp521 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-NISTP521 (secp521r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.3.132.0.1 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.2.840.10045.3.1.1 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.3.132.0.33 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.3.132.0.26 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.3.132.0.27 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.3.132.0.16 {
       base key-exchange-alg-base;
       description
         "ECDH-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
       reference
         "RFC 5656:
            Elliptic Curve Algorithm Integration in the
            Secure Shell Transport Layer";
     }

     identity ecdh-sha2-1.3.132.0.36 {
       base key-exchange-alg-base;
description 4242 "ECDH-SHA2-1.3.132.0.36 (nistk409, sect409k1)"; 4243 reference 4244 "RFC 5656: 4245 Elliptic Curve Algorithm Integration in the 4246 Secure Shell Transport Layer"; 4247 } 4249 identity ecdh-sha2-1.3.132.0.37 { 4250 base key-exchange-alg-base; 4251 description 4252 "ECDH-SHA2-1.3.132.0.37 (nistb409, sect409r1)"; 4254 reference 4255 "RFC 5656: 4256 Elliptic Curve Algorithm Integration in the 4257 Secure Shell Transport Layer"; 4258 } 4260 identity ecdh-sha2-1.3.132.0.38 { 4261 base key-exchange-alg-base; 4262 description 4263 "ECDH-SHA2-1.3.132.0.38 (nistt571, sect571k1)"; 4264 reference 4265 "RFC 5656: 4266 Elliptic Curve Algorithm Integration in the 4267 Secure Shell Transport Layer"; 4268 } 4270 identity ecmqv-sha2 { 4271 base key-exchange-alg-base; 4272 description 4273 "ECMQV-SHA2"; 4274 reference 4275 "RFC 5656: 4276 Elliptic Curve Algorithm Integration in the 4277 Secure Shell Transport Layer"; 4278 } 4280 identity gss-group1-sha1-nistp256 { 4281 base key-exchange-alg-base; 4282 status deprecated; 4283 description 4284 "GSS-GROUP1-SHA1-NISTP256 (secp256r1)"; 4285 reference 4286 "RFC 8732: 4287 Generic Security Service Application Program Interface 4288 (GSS-API) Key Exchange with SHA-2"; 4289 } 4291 identity gss-group1-sha1-nistp384 { 4292 base key-exchange-alg-base; 4293 status deprecated; 4294 description 4295 "GSS-GROUP1-SHA1-NISTP384 (secp384r1)"; 4296 reference 4297 "RFC 8732: 4298 Generic Security Service Application Program Interface 4299 (GSS-API) Key Exchange with SHA-2"; 4300 } 4301 identity gss-group1-sha1-nistp521 { 4302 base key-exchange-alg-base; 4303 status deprecated; 4304 description 4305 "GSS-GROUP1-SHA1-NISTP521 (secp521r1)"; 4306 reference 4307 "RFC 8732: 4308 Generic Security Service Application Program Interface 4309 (GSS-API) Key Exchange with SHA-2"; 4310 } 4312 identity gss-group1-sha1-1.3.132.0.1 { 4313 base key-exchange-alg-base; 4314 status deprecated; 4315 description 4316 "GSS-GROUP1-SHA1-1.3.132.0.1 (nistk163, 
sect163k1)"; 4317 reference 4318 "RFC 8732: 4319 Generic Security Service Application Program Interface 4320 (GSS-API) Key Exchange with SHA-2"; 4321 } 4323 identity gss-group1-sha1-1.2.840.10045.3.1.1 { 4324 base key-exchange-alg-base; 4325 status deprecated; 4326 description 4327 "GSS-GROUP1-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 4328 reference 4329 "RFC 8732: 4330 Generic Security Service Application Program Interface 4331 (GSS-API) Key Exchange with SHA-2"; 4332 } 4334 identity gss-group1-sha1-1.3.132.0.33 { 4335 base key-exchange-alg-base; 4336 status deprecated; 4337 description 4338 "GSS-GROUP1-SHA1-1.3.132.0.33 (nistp224, secp224r1)"; 4339 reference 4340 "RFC 8732: 4341 Generic Security Service Application Program Interface 4342 (GSS-API) Key Exchange with SHA-2"; 4343 } 4345 identity gss-group1-sha1-1.3.132.0.26 { 4346 base key-exchange-alg-base; 4347 status deprecated; 4348 description 4349 "GSS-GROUP1-SHA1-1.3.132.0.26 (nistk233, sect233k1)"; 4350 reference 4351 "RFC 8732: 4352 Generic Security Service Application Program Interface 4353 (GSS-API) Key Exchange with SHA-2"; 4354 } 4356 identity gss-group1-sha1-1.3.132.0.27 { 4357 base key-exchange-alg-base; 4358 status deprecated; 4359 description 4360 "GSS-GROUP1-SHA1-1.3.132.0.27 (nistb233, sect233r1)"; 4361 reference 4362 "RFC 8732: 4363 Generic Security Service Application Program Interface 4364 (GSS-API) Key Exchange with SHA-2"; 4365 } 4367 identity gss-group1-sha1-1.3.132.0.16 { 4368 base key-exchange-alg-base; 4369 status deprecated; 4370 description 4371 "GSS-GROUP1-SHA1-1.3.132.0.16 (nistk283, sect283k1)"; 4372 reference 4373 "RFC 8732: 4374 Generic Security Service Application Program Interface 4375 (GSS-API) Key Exchange with SHA-2"; 4376 } 4378 identity gss-group1-sha1-1.3.132.0.36 { 4379 base key-exchange-alg-base; 4380 status deprecated; 4381 description 4382 "GSS-GROUP1-SHA1-1.3.132.0.36 (nistk409, sect409k1)"; 4383 reference 4384 "RFC 8732: 4385 Generic Security Service 
Application Program Interface 4386 (GSS-API) Key Exchange with SHA-2"; 4387 } 4389 identity gss-group1-sha1-1.3.132.0.37 { 4390 base key-exchange-alg-base; 4391 status deprecated; 4392 description 4393 "GSS-GROUP1-SHA1-1.3.132.0.37 (nistb409, sect409r1)"; 4394 reference 4395 "RFC 8732: 4396 Generic Security Service Application Program Interface 4397 (GSS-API) Key Exchange with SHA-2"; 4398 } 4400 identity gss-group1-sha1-1.3.132.0.38 { 4401 base key-exchange-alg-base; 4402 status deprecated; 4403 description 4404 "GSS-GROUP1-SHA1-1.3.132.0.38 (nistt571, sect571k1)"; 4405 reference 4406 "RFC 8732: 4407 Generic Security Service Application Program Interface 4408 (GSS-API) Key Exchange with SHA-2"; 4409 } 4411 identity gss-group1-sha1-curve25519-sha256 { 4412 base key-exchange-alg-base; 4413 status deprecated; 4414 description 4415 "GSS-GROUP1-SHA1-CURVE25519-SHA256"; 4416 reference 4417 "RFC 8732: 4418 Generic Security Service Application Program Interface 4419 (GSS-API) Key Exchange with SHA-2"; 4420 } 4422 identity gss-group1-sha1-curve448-sha512 { 4423 base key-exchange-alg-base; 4424 status deprecated; 4425 description 4426 "GSS-GROUP1-SHA1-CURVE448-SHA512"; 4427 reference 4428 "RFC 8732: 4429 Generic Security Service Application Program Interface 4430 (GSS-API) Key Exchange with SHA-2"; 4431 } 4433 identity gss-group14-sha1-nistp256 { 4434 base key-exchange-alg-base; 4435 status deprecated; 4436 description 4437 "GSS-GROUP14-SHA1-NISTP256 (secp256r1)"; 4438 reference 4439 "RFC 8732: 4440 Generic Security Service Application Program Interface 4441 (GSS-API) Key Exchange with SHA-2"; 4442 } 4444 identity gss-group14-sha1-nistp384 { 4445 base key-exchange-alg-base; 4446 status deprecated; 4447 description 4448 "GSS-GROUP14-SHA1-NISTP384 (secp384r1)"; 4449 reference 4450 "RFC 8732: 4451 Generic Security Service Application Program Interface 4452 (GSS-API) Key Exchange with SHA-2"; 4453 } 4455 identity gss-group14-sha1-nistp521 { 4456 base key-exchange-alg-base; 4457 
status deprecated; 4458 description 4459 "GSS-GROUP14-SHA1-NISTP521 (secp521r1)"; 4460 reference 4461 "RFC 8732: 4462 Generic Security Service Application Program Interface 4463 (GSS-API) Key Exchange with SHA-2"; 4464 } 4466 identity gss-group14-sha1-1.3.132.0.1 { 4467 base key-exchange-alg-base; 4468 status deprecated; 4469 description 4470 "GSS-GROUP14-SHA1-1.3.132.0.1 (nistk163, sect163k1)"; 4471 reference 4472 "RFC 8732: 4473 Generic Security Service Application Program Interface 4474 (GSS-API) Key Exchange with SHA-2"; 4475 } 4477 identity gss-group14-sha1-1.2.840.10045.3.1.1 { 4478 base key-exchange-alg-base; 4479 status deprecated; 4480 description 4481 "GSS-GROUP14-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 4482 reference 4483 "RFC 8732: 4484 Generic Security Service Application Program Interface 4485 (GSS-API) Key Exchange with SHA-2"; 4486 } 4488 identity gss-group14-sha1-1.3.132.0.33 { 4489 base key-exchange-alg-base; 4490 status deprecated; 4491 description 4492 "GSS-GROUP14-SHA1-1.3.132.0.33 (nistp224, secp224r1)"; 4494 reference 4495 "RFC 8732: 4496 Generic Security Service Application Program Interface 4497 (GSS-API) Key Exchange with SHA-2"; 4498 } 4500 identity gss-group14-sha1-1.3.132.0.26 { 4501 base key-exchange-alg-base; 4502 status deprecated; 4503 description 4504 "GSS-GROUP14-SHA1-1.3.132.0.26 (nistk233, sect233k1)"; 4505 reference 4506 "RFC 8732: 4507 Generic Security Service Application Program Interface 4508 (GSS-API) Key Exchange with SHA-2"; 4509 } 4511 identity gss-group14-sha1-1.3.132.0.27 { 4512 base key-exchange-alg-base; 4513 status deprecated; 4514 description 4515 "GSS-GROUP14-SHA1-1.3.132.0.27 (nistb233, sect233r1)"; 4516 reference 4517 "RFC 8732: 4518 Generic Security Service Application Program Interface 4519 (GSS-API) Key Exchange with SHA-2"; 4520 } 4522 identity gss-group14-sha1-1.3.132.0.16 { 4523 base key-exchange-alg-base; 4524 status deprecated; 4525 description 4526 "GSS-GROUP14-SHA1-1.3.132.0.16 (nistk283, 
sect283k1)"; 4527 reference 4528 "RFC 8732: 4529 Generic Security Service Application Program Interface 4530 (GSS-API) Key Exchange with SHA-2"; 4531 } 4533 identity gss-group14-sha1-1.3.132.0.36 { 4534 base key-exchange-alg-base; 4535 status deprecated; 4536 description 4537 "GSS-GROUP14-SHA1-1.3.132.0.36 (nistk409, sect409k1)"; 4538 reference 4539 "RFC 8732: 4540 Generic Security Service Application Program Interface 4541 (GSS-API) Key Exchange with SHA-2"; 4543 } 4545 identity gss-group14-sha1-1.3.132.0.37 { 4546 base key-exchange-alg-base; 4547 status deprecated; 4548 description 4549 "GSS-GROUP14-SHA1-1.3.132.0.37 (nistb409, sect409r1)"; 4550 reference 4551 "RFC 8732: 4552 Generic Security Service Application Program Interface 4553 (GSS-API) Key Exchange with SHA-2"; 4554 } 4556 identity gss-group14-sha1-1.3.132.0.38 { 4557 base key-exchange-alg-base; 4558 status deprecated; 4559 description 4560 "GSS-GROUP14-SHA1-1.3.132.0.38 (nistt571, sect571k1)"; 4561 reference 4562 "RFC 8732: 4563 Generic Security Service Application Program Interface 4564 (GSS-API) Key Exchange with SHA-2"; 4565 } 4567 identity gss-group14-sha1-curve25519-sha256 { 4568 base key-exchange-alg-base; 4569 status deprecated; 4570 description 4571 "GSS-GROUP14-SHA1-CURVE25519-SHA256"; 4572 reference 4573 "RFC 8732: 4574 Generic Security Service Application Program Interface 4575 (GSS-API) Key Exchange with SHA-2"; 4576 } 4578 identity gss-group14-sha1-curve448-sha512 { 4579 base key-exchange-alg-base; 4580 status deprecated; 4581 description 4582 "GSS-GROUP14-SHA1-CURVE448-SHA512"; 4583 reference 4584 "RFC 8732: 4585 Generic Security Service Application Program Interface 4586 (GSS-API) Key Exchange with SHA-2"; 4587 } 4589 identity gss-gex-sha1-nistp256 { 4590 base key-exchange-alg-base; 4591 status deprecated; 4592 description 4593 "GSS-GEX-SHA1-NISTP256 (secp256r1)"; 4594 reference 4595 "RFC 8732: 4596 Generic Security Service Application Program Interface 4597 (GSS-API) Key Exchange with 
SHA-2"; 4598 } 4600 identity gss-gex-sha1-nistp384 { 4601 base key-exchange-alg-base; 4602 status deprecated; 4603 description 4604 "GSS-GEX-SHA1-NISTP384 (secp384r1)"; 4605 reference 4606 "RFC 8732: 4607 Generic Security Service Application Program Interface 4608 (GSS-API) Key Exchange with SHA-2"; 4609 } 4611 identity gss-gex-sha1-nistp521 { 4612 base key-exchange-alg-base; 4613 status deprecated; 4614 description 4615 "GSS-GEX-SHA1-NISTP521 (secp521r1)"; 4616 reference 4617 "RFC 8732: 4618 Generic Security Service Application Program Interface 4619 (GSS-API) Key Exchange with SHA-2"; 4620 } 4622 identity gss-gex-sha1-1.3.132.0.1 { 4623 base key-exchange-alg-base; 4624 status deprecated; 4625 description 4626 "GSS-GEX-SHA1-1.3.132.0.1 (nistk163, sect163k1)"; 4627 reference 4628 "RFC 8732: 4629 Generic Security Service Application Program Interface 4630 (GSS-API) Key Exchange with SHA-2"; 4631 } 4633 identity gss-gex-sha1-1.2.840.10045.3.1.1 { 4634 base key-exchange-alg-base; 4635 status deprecated; 4636 description 4637 "GSS-GEX-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 4638 reference 4639 "RFC 8732: 4640 Generic Security Service Application Program Interface 4641 (GSS-API) Key Exchange with SHA-2"; 4642 } 4644 identity gss-gex-sha1-1.3.132.0.33 { 4645 base key-exchange-alg-base; 4646 status deprecated; 4647 description 4648 "GSS-GEX-SHA1-1.3.132.0.33 (nistp224, secp224r1)"; 4649 reference 4650 "RFC 8732: 4651 Generic Security Service Application Program Interface 4652 (GSS-API) Key Exchange with SHA-2"; 4653 } 4655 identity gss-gex-sha1-1.3.132.0.26 { 4656 base key-exchange-alg-base; 4657 status deprecated; 4658 description 4659 "GSS-GEX-SHA1-1.3.132.0.26 (nistk233, sect233k1)"; 4660 reference 4661 "RFC 8732: 4662 Generic Security Service Application Program Interface 4663 (GSS-API) Key Exchange with SHA-2"; 4664 } 4666 identity gss-gex-sha1-1.3.132.0.27 { 4667 base key-exchange-alg-base; 4668 status deprecated; 4669 description 4670 
"GSS-GEX-SHA1-1.3.132.0.27 (nistb233, sect233r1)"; 4671 reference 4672 "RFC 8732: 4673 Generic Security Service Application Program Interface 4674 (GSS-API) Key Exchange with SHA-2"; 4675 } 4677 identity gss-gex-sha1-1.3.132.0.16 { 4678 base key-exchange-alg-base; 4679 status deprecated; 4680 description 4681 "GSS-GEX-SHA1-1.3.132.0.16 (nistk283, sect283k1)"; 4682 reference 4683 "RFC 8732: 4684 Generic Security Service Application Program Interface 4685 (GSS-API) Key Exchange with SHA-2"; 4686 } 4687 identity gss-gex-sha1-1.3.132.0.36 { 4688 base key-exchange-alg-base; 4689 status deprecated; 4690 description 4691 "GSS-GEX-SHA1-1.3.132.0.36 (nistk409, sect409k1)"; 4692 reference 4693 "RFC 8732: 4694 Generic Security Service Application Program Interface 4695 (GSS-API) Key Exchange with SHA-2"; 4696 } 4698 identity gss-gex-sha1-1.3.132.0.37 { 4699 base key-exchange-alg-base; 4700 status deprecated; 4701 description 4702 "GSS-GEX-SHA1-1.3.132.0.37 (nistb409, sect409r1)"; 4703 reference 4704 "RFC 8732: 4705 Generic Security Service Application Program Interface 4706 (GSS-API) Key Exchange with SHA-2"; 4707 } 4709 identity gss-gex-sha1-1.3.132.0.38 { 4710 base key-exchange-alg-base; 4711 status deprecated; 4712 description 4713 "GSS-GEX-SHA1-1.3.132.0.38 (nistt571, sect571k1)"; 4714 reference 4715 "RFC 8732: 4716 Generic Security Service Application Program Interface 4717 (GSS-API) Key Exchange with SHA-2"; 4718 } 4720 identity gss-gex-sha1-curve25519-sha256 { 4721 base key-exchange-alg-base; 4722 status deprecated; 4723 description 4724 "GSS-GEX-SHA1-CURVE25519-SHA256"; 4725 reference 4726 "RFC 8732: 4727 Generic Security Service Application Program Interface 4728 (GSS-API) Key Exchange with SHA-2"; 4729 } 4731 identity gss-gex-sha1-curve448-sha512 { 4732 base key-exchange-alg-base; 4733 status deprecated; 4734 description 4735 "GSS-GEX-SHA1-CURVE448-SHA512"; 4736 reference 4737 "RFC 8732: 4738 Generic Security Service Application Program Interface 4739 (GSS-API) Key 
Exchange with SHA-2"; 4740 } 4742 identity rsa1024-sha1 { 4743 base key-exchange-alg-base; 4744 description 4745 "RSA1024-SHA1"; 4746 reference 4747 "RFC 4432: 4748 RSA Key Exchange for the Secure Shell (SSH) 4749 Transport Layer Protocol"; 4750 } 4752 identity rsa2048-sha256 { 4753 base key-exchange-alg-base; 4754 description 4755 "RSA2048-SHA256"; 4756 reference 4757 "RFC 4432: 4758 RSA Key Exchange for the Secure Shell (SSH) 4759 Transport Layer Protocol"; 4760 } 4762 identity ext-info-s { 4763 base key-exchange-alg-base; 4764 description 4765 "EXT-INFO-S"; 4766 reference 4767 "RFC 8308: 4768 Extension Negotiation in the Secure Shell (SSH) Protocol"; 4769 } 4771 identity ext-info-c { 4772 base key-exchange-alg-base; 4773 description 4774 "EXT-INFO-C"; 4775 reference 4776 "RFC 8308: 4777 Extension Negotiation in the Secure Shell (SSH) Protocol"; 4778 } 4780 identity gss-group14-sha256-nistp256 { 4781 base key-exchange-alg-base; 4782 description 4783 "GSS-GROUP14-SHA256-NISTP256 (secp256r1)"; 4784 reference 4785 "RFC 8732: 4786 Generic Security Service Application Program Interface 4787 (GSS-API) Key Exchange with SHA-2"; 4788 } 4790 identity gss-group14-sha256-nistp384 { 4791 base key-exchange-alg-base; 4792 description 4793 "GSS-GROUP14-SHA256-NISTP384 (secp384r1)"; 4794 reference 4795 "RFC 8732: 4796 Generic Security Service Application Program Interface 4797 (GSS-API) Key Exchange with SHA-2"; 4798 } 4800 identity gss-group14-sha256-nistp521 { 4801 base key-exchange-alg-base; 4802 description 4803 "GSS-GROUP14-SHA256-NISTP521 (secp521r1)"; 4804 reference 4805 "RFC 8732: 4806 Generic Security Service Application Program Interface 4807 (GSS-API) Key Exchange with SHA-2"; 4808 } 4810 identity gss-group14-sha256-1.3.132.0.1 { 4811 base key-exchange-alg-base; 4812 description 4813 "GSS-GROUP14-SHA256-1.3.132.0.1 (nistk163, sect163k1)"; 4814 reference 4815 "RFC 8732: 4816 Generic Security Service Application Program Interface 4817 (GSS-API) Key Exchange with SHA-2"; 
4818 } 4820 identity gss-group14-sha256-1.2.840.10045.3.1.1 { 4821 base key-exchange-alg-base; 4822 description 4823 "GSS-GROUP14-SHA256-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 4824 reference 4825 "RFC 8732: 4826 Generic Security Service Application Program Interface 4827 (GSS-API) Key Exchange with SHA-2"; 4828 } 4830 identity gss-group14-sha256-1.3.132.0.33 { 4831 base key-exchange-alg-base; 4832 description 4833 "GSS-GROUP14-SHA256-1.3.132.0.33 (nistp224, secp224r1)"; 4834 reference 4835 "RFC 8732: 4836 Generic Security Service Application Program Interface 4837 (GSS-API) Key Exchange with SHA-2"; 4838 } 4840 identity gss-group14-sha256-1.3.132.0.26 { 4841 base key-exchange-alg-base; 4842 description 4843 "GSS-GROUP14-SHA256-1.3.132.0.26 (nistk233, sect233k1)"; 4844 reference 4845 "RFC 8732: 4846 Generic Security Service Application Program Interface 4847 (GSS-API) Key Exchange with SHA-2"; 4848 } 4850 identity gss-group14-sha256-1.3.132.0.27 { 4851 base key-exchange-alg-base; 4852 description 4853 "GSS-GROUP14-SHA256-1.3.132.0.27 (nistb233, sect233r1)"; 4854 reference 4855 "RFC 8732: 4856 Generic Security Service Application Program Interface 4857 (GSS-API) Key Exchange with SHA-2"; 4858 } 4860 identity gss-group14-sha256-1.3.132.0.16 { 4861 base key-exchange-alg-base; 4862 description 4863 "GSS-GROUP14-SHA256-1.3.132.0.16 (nistk283, sect283k1)"; 4864 reference 4865 "RFC 8732: 4866 Generic Security Service Application Program Interface 4867 (GSS-API) Key Exchange with SHA-2"; 4868 } 4870 identity gss-group14-sha256-1.3.132.0.36 { 4871 base key-exchange-alg-base; 4872 description 4873 "GSS-GROUP14-SHA256-1.3.132.0.36 (nistk409, sect409k1)"; 4874 reference 4875 "RFC 8732: 4876 Generic Security Service Application Program Interface 4877 (GSS-API) Key Exchange with SHA-2"; 4878 } 4879 identity gss-group14-sha256-1.3.132.0.37 { 4880 base key-exchange-alg-base; 4881 description 4882 "GSS-GROUP14-SHA256-1.3.132.0.37 (nistb409, sect409r1)"; 4883 reference 4884 "RFC 
8732: 4885 Generic Security Service Application Program Interface 4886 (GSS-API) Key Exchange with SHA-2"; 4887 } 4889 identity gss-group14-sha256-1.3.132.0.38 { 4890 base key-exchange-alg-base; 4891 description 4892 "GSS-GROUP14-SHA256-1.3.132.0.38 (nistt571, sect571k1)"; 4893 reference 4894 "RFC 8732: 4895 Generic Security Service Application Program Interface 4896 (GSS-API) Key Exchange with SHA-2"; 4897 } 4899 identity gss-group14-sha256-curve25519-sha256 { 4900 base key-exchange-alg-base; 4901 description 4902 "GSS-GROUP14-SHA256-CURVE25519-SHA256"; 4903 reference 4904 "RFC 8732: 4905 Generic Security Service Application Program Interface 4906 (GSS-API) Key Exchange with SHA-2"; 4907 } 4909 identity gss-group14-sha256-curve448-sha512 { 4910 base key-exchange-alg-base; 4911 description 4912 "GSS-GROUP14-SHA256-CURVE448-SHA512"; 4913 reference 4914 "RFC 8732: 4915 Generic Security Service Application Program Interface 4916 (GSS-API) Key Exchange with SHA-2"; 4917 } 4919 identity gss-group15-sha512-nistp256 { 4920 base key-exchange-alg-base; 4921 description 4922 "GSS-GROUP15-SHA512-NISTP256 (secp256r1)"; 4923 reference 4924 "RFC 8732: 4925 Generic Security Service Application Program Interface 4926 (GSS-API) Key Exchange with SHA-2"; 4928 } 4930 identity gss-group15-sha512-nistp384 { 4931 base key-exchange-alg-base; 4932 description 4933 "GSS-GROUP15-SHA512-NISTP384 (secp384r1)"; 4934 reference 4935 "RFC 8732: 4936 Generic Security Service Application Program Interface 4937 (GSS-API) Key Exchange with SHA-2"; 4938 } 4940 identity gss-group15-sha512-nistp521 { 4941 base key-exchange-alg-base; 4942 description 4943 "GSS-GROUP15-SHA512-NISTP521 (secp521r1)"; 4944 reference 4945 "RFC 8732: 4946 Generic Security Service Application Program Interface 4947 (GSS-API) Key Exchange with SHA-2"; 4948 } 4950 identity gss-group15-sha512-1.3.132.0.1 { 4951 base key-exchange-alg-base; 4952 description 4953 "GSS-GROUP15-SHA512-1.3.132.0.1 (nistk163, sect163k1)"; 4954 reference 
4955 "RFC 8732: 4956 Generic Security Service Application Program Interface 4957 (GSS-API) Key Exchange with SHA-2"; 4958 } 4960 identity gss-group15-sha512-1.2.840.10045.3.1.1 { 4961 base key-exchange-alg-base; 4962 description 4963 "GSS-GROUP15-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 4964 reference 4965 "RFC 8732: 4966 Generic Security Service Application Program Interface 4967 (GSS-API) Key Exchange with SHA-2"; 4968 } 4970 identity gss-group15-sha512-1.3.132.0.33 { 4971 base key-exchange-alg-base; 4972 description 4973 "GSS-GROUP15-SHA512-1.3.132.0.33 (nistp224, secp224r1)"; 4974 reference 4975 "RFC 8732: 4977 Generic Security Service Application Program Interface 4978 (GSS-API) Key Exchange with SHA-2"; 4979 } 4981 identity gss-group15-sha512-1.3.132.0.26 { 4982 base key-exchange-alg-base; 4983 description 4984 "GSS-GROUP15-SHA512-1.3.132.0.26 (nistk233, sect233k1)"; 4985 reference 4986 "RFC 8732: 4987 Generic Security Service Application Program Interface 4988 (GSS-API) Key Exchange with SHA-2"; 4989 } 4991 identity gss-group15-sha512-1.3.132.0.27 { 4992 base key-exchange-alg-base; 4993 description 4994 "GSS-GROUP15-SHA512-1.3.132.0.27 (nistb233, sect233r1)"; 4995 reference 4996 "RFC 8732: 4997 Generic Security Service Application Program Interface 4998 (GSS-API) Key Exchange with SHA-2"; 4999 } 5001 identity gss-group15-sha512-1.3.132.0.16 { 5002 base key-exchange-alg-base; 5003 description 5004 "GSS-GROUP15-SHA512-1.3.132.0.16 (nistk283, sect283k1)"; 5005 reference 5006 "RFC 8732: 5007 Generic Security Service Application Program Interface 5008 (GSS-API) Key Exchange with SHA-2"; 5009 } 5011 identity gss-group15-sha512-1.3.132.0.36 { 5012 base key-exchange-alg-base; 5013 description 5014 "GSS-GROUP15-SHA512-1.3.132.0.36 (nistk409, sect409k1)"; 5015 reference 5016 "RFC 8732: 5017 Generic Security Service Application Program Interface 5018 (GSS-API) Key Exchange with SHA-2"; 5019 } 5021 identity gss-group15-sha512-1.3.132.0.37 { 5022 base 
key-exchange-alg-base; 5023 description 5024 "GSS-GROUP15-SHA512-1.3.132.0.37 (nistb409, sect409r1)"; 5026 reference 5027 "RFC 8732: 5028 Generic Security Service Application Program Interface 5029 (GSS-API) Key Exchange with SHA-2"; 5030 } 5032 identity gss-group15-sha512-1.3.132.0.38 { 5033 base key-exchange-alg-base; 5034 description 5035 "GSS-GROUP15-SHA512-1.3.132.0.38 (nistt571, sect571k1)"; 5036 reference 5037 "RFC 8732: 5038 Generic Security Service Application Program Interface 5039 (GSS-API) Key Exchange with SHA-2"; 5040 } 5042 identity gss-group15-sha512-curve25519-sha256 { 5043 base key-exchange-alg-base; 5044 description 5045 "GSS-GROUP15-SHA512-CURVE25519-SHA256"; 5046 reference 5047 "RFC 8732: 5048 Generic Security Service Application Program Interface 5049 (GSS-API) Key Exchange with SHA-2"; 5050 } 5052 identity gss-group15-sha512-curve448-sha512 { 5053 base key-exchange-alg-base; 5054 description 5055 "GSS-GROUP15-SHA512-CURVE448-SHA512"; 5056 reference 5057 "RFC 8732: 5058 Generic Security Service Application Program Interface 5059 (GSS-API) Key Exchange with SHA-2"; 5060 } 5062 identity gss-group16-sha512-nistp256 { 5063 base key-exchange-alg-base; 5064 description 5065 "GSS-GROUP16-SHA512-NISTP256 (secp256r1)"; 5066 reference 5067 "RFC 8732: 5068 Generic Security Service Application Program Interface 5069 (GSS-API) Key Exchange with SHA-2"; 5070 } 5072 identity gss-group16-sha512-nistp384 { 5073 base key-exchange-alg-base; 5074 description 5075 "GSS-GROUP16-SHA512-NISTP384 (secp384r1)"; 5076 reference 5077 "RFC 8732: 5078 Generic Security Service Application Program Interface 5079 (GSS-API) Key Exchange with SHA-2"; 5080 } 5082 identity gss-group16-sha512-nistp521 { 5083 base key-exchange-alg-base; 5084 description 5085 "GSS-GROUP16-SHA512-NISTP521 (secp521r1)"; 5086 reference 5087 "RFC 8732: 5088 Generic Security Service Application Program Interface 5089 (GSS-API) Key Exchange with SHA-2"; 5090 } 5092 identity gss-group16-sha512-1.3.132.0.1 { 
5093 base key-exchange-alg-base; 5094 description 5095 "GSS-GROUP16-SHA512-1.3.132.0.1 (nistk163, sect163k1)"; 5096 reference 5097 "RFC 8732: 5098 Generic Security Service Application Program Interface 5099 (GSS-API) Key Exchange with SHA-2"; 5100 } 5102 identity gss-group16-sha512-1.2.840.10045.3.1.1 { 5103 base key-exchange-alg-base; 5104 description 5105 "GSS-GROUP16-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 5106 reference 5107 "RFC 8732: 5108 Generic Security Service Application Program Interface 5109 (GSS-API) Key Exchange with SHA-2"; 5110 } 5112 identity gss-group16-sha512-1.3.132.0.33 { 5113 base key-exchange-alg-base; 5114 description 5115 "GSS-GROUP16-SHA512-1.3.132.0.33 (nistp224, secp224r1)"; 5116 reference 5117 "RFC 8732: 5118 Generic Security Service Application Program Interface 5119 (GSS-API) Key Exchange with SHA-2"; 5120 } 5121 identity gss-group16-sha512-1.3.132.0.26 { 5122 base key-exchange-alg-base; 5123 description 5124 "GSS-GROUP16-SHA512-1.3.132.0.26 (nistk233, sect233k1)"; 5125 reference 5126 "RFC 8732: 5127 Generic Security Service Application Program Interface 5128 (GSS-API) Key Exchange with SHA-2"; 5129 } 5131 identity gss-group16-sha512-1.3.132.0.27 { 5132 base key-exchange-alg-base; 5133 description 5134 "GSS-GROUP16-SHA512-1.3.132.0.27 (nistb233, sect233r1)"; 5135 reference 5136 "RFC 8732: 5137 Generic Security Service Application Program Interface 5138 (GSS-API) Key Exchange with SHA-2"; 5139 } 5141 identity gss-group16-sha512-1.3.132.0.16 { 5142 base key-exchange-alg-base; 5143 description 5144 "GSS-GROUP16-SHA512-1.3.132.0.16 (nistk283, sect283k1)"; 5145 reference 5146 "RFC 8732: 5147 Generic Security Service Application Program Interface 5148 (GSS-API) Key Exchange with SHA-2"; 5149 } 5151 identity gss-group16-sha512-1.3.132.0.36 { 5152 base key-exchange-alg-base; 5153 description 5154 "GSS-GROUP16-SHA512-1.3.132.0.36 (nistk409, sect409k1)"; 5155 reference 5156 "RFC 8732: 5157 Generic Security Service Application Program 
Interface 5158 (GSS-API) Key Exchange with SHA-2"; 5159 } 5161 identity gss-group16-sha512-1.3.132.0.37 { 5162 base key-exchange-alg-base; 5163 description 5164 "GSS-GROUP16-SHA512-1.3.132.0.37 (nistb409, sect409r1)"; 5165 reference 5166 "RFC 8732: 5167 Generic Security Service Application Program Interface 5168 (GSS-API) Key Exchange with SHA-2"; 5170 } 5172 identity gss-group16-sha512-1.3.132.0.38 { 5173 base key-exchange-alg-base; 5174 description 5175 "GSS-GROUP16-SHA512-1.3.132.0.38 (nistt571, sect571k1)"; 5176 reference 5177 "RFC 8732: 5178 Generic Security Service Application Program Interface 5179 (GSS-API) Key Exchange with SHA-2"; 5180 } 5182 identity gss-group16-sha512-curve25519-sha256 { 5183 base key-exchange-alg-base; 5184 description 5185 "GSS-GROUP16-SHA512-CURVE25519-SHA256"; 5186 reference 5187 "RFC 8732: 5188 Generic Security Service Application Program Interface 5189 (GSS-API) Key Exchange with SHA-2"; 5190 } 5192 identity gss-group16-sha512-curve448-sha512 { 5193 base key-exchange-alg-base; 5194 description 5195 "GSS-GROUP16-SHA512-CURVE448-SHA512"; 5196 reference 5197 "RFC 8732: 5198 Generic Security Service Application Program Interface 5199 (GSS-API) Key Exchange with SHA-2"; 5200 } 5202 identity gss-group17-sha512-nistp256 { 5203 base key-exchange-alg-base; 5204 description 5205 "GSS-GROUP17-SHA512-NISTP256 (secp256r1)"; 5206 reference 5207 "RFC 8732: 5208 Generic Security Service Application Program Interface 5209 (GSS-API) Key Exchange with SHA-2"; 5210 } 5212 identity gss-group17-sha512-nistp384 { 5213 base key-exchange-alg-base; 5214 description 5215 "GSS-GROUP17-SHA512-NISTP384 (secp384r1)"; 5216 reference 5217 "RFC 8732: 5219 Generic Security Service Application Program Interface 5220 (GSS-API) Key Exchange with SHA-2"; 5221 } 5223 identity gss-group17-sha512-nistp521 { 5224 base key-exchange-alg-base; 5225 description 5226 "GSS-GROUP17-SHA512-NISTP521 (secp521r1)"; 5227 reference 5228 "RFC 8732: 5229 Generic Security Service 
Application Program Interface 5230 (GSS-API) Key Exchange with SHA-2"; 5231 } 5233 identity gss-group17-sha512-1.3.132.0.1 { 5234 base key-exchange-alg-base; 5235 description 5236 "GSS-GROUP17-SHA512-1.3.132.0.1 (nistk163, sect163k1)"; 5237 reference 5238 "RFC 8732: 5239 Generic Security Service Application Program Interface 5240 (GSS-API) Key Exchange with SHA-2"; 5241 } 5243 identity gss-group17-sha512-1.2.840.10045.3.1.1 { 5244 base key-exchange-alg-base; 5245 description 5246 "GSS-GROUP17-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)"; 5247 reference 5248 "RFC 8732: 5249 Generic Security Service Application Program Interface 5250 (GSS-API) Key Exchange with SHA-2"; 5251 } 5253 identity gss-group17-sha512-1.3.132.0.33 { 5254 base key-exchange-alg-base; 5255 description 5256 "GSS-GROUP17-SHA512-1.3.132.0.33 (nistp224, secp224r1)"; 5257 reference 5258 "RFC 8732: 5259 Generic Security Service Application Program Interface 5260 (GSS-API) Key Exchange with SHA-2"; 5261 } 5263 identity gss-group17-sha512-1.3.132.0.26 { 5264 base key-exchange-alg-base; 5265 description 5266 "GSS-GROUP17-SHA512-1.3.132.0.26 (nistk233, sect233k1)"; 5268 reference 5269 "RFC 8732: 5270 Generic Security Service Application Program Interface 5271 (GSS-API) Key Exchange with SHA-2"; 5272 } 5274 identity gss-group17-sha512-1.3.132.0.27 { 5275 base key-exchange-alg-base; 5276 description 5277 "GSS-GROUP17-SHA512-1.3.132.0.27 (nistb233, sect233r1)"; 5278 reference 5279 "RFC 8732: 5280 Generic Security Service Application Program Interface 5281 (GSS-API) Key Exchange with SHA-2"; 5282 } 5284 identity gss-group17-sha512-1.3.132.0.16 { 5285 base key-exchange-alg-base; 5286 description 5287 "GSS-GROUP17-SHA512-1.3.132.0.16 (nistk283, sect283k1)"; 5288 reference 5289 "RFC 8732: 5290 Generic Security Service Application Program Interface 5291 (GSS-API) Key Exchange with SHA-2"; 5292 } 5294 identity gss-group17-sha512-1.3.132.0.36 { 5295 base key-exchange-alg-base; 5296 description 5297 
"GSS-GROUP17-SHA512-1.3.132.0.36 (nistk409, sect409k1)"; 5298 reference 5299 "RFC 8732: 5300 Generic Security Service Application Program Interface 5301 (GSS-API) Key Exchange with SHA-2"; 5302 } 5304 identity gss-group17-sha512-1.3.132.0.37 { 5305 base key-exchange-alg-base; 5306 description 5307 "GSS-GROUP17-SHA512-1.3.132.0.37 (nistb409, sect409r1)"; 5308 reference 5309 "RFC 8732: 5310 Generic Security Service Application Program Interface 5311 (GSS-API) Key Exchange with SHA-2"; 5312 } 5314 identity gss-group17-sha512-1.3.132.0.38 { 5315 base key-exchange-alg-base; 5316 description 5317 "GSS-GROUP17-SHA512-1.3.132.0.38 (nistt571, sect571k1)"; 5318 reference 5319 "RFC 8732: 5320 Generic Security Service Application Program Interface 5321 (GSS-API) Key Exchange with SHA-2"; 5322 } 5324 identity gss-group17-sha512-curve25519-sha256 { 5325 base key-exchange-alg-base; 5326 description 5327 "GSS-GROUP17-SHA512-CURVE25519-SHA256"; 5328 reference 5329 "RFC 8732: 5330 Generic Security Service Application Program Interface 5331 (GSS-API) Key Exchange with SHA-2"; 5332 } 5334 identity gss-group17-sha512-curve448-sha512 { 5335 base key-exchange-alg-base; 5336 description 5337 "GSS-GROUP17-SHA512-CURVE448-SHA512"; 5338 reference 5339 "RFC 8732: 5340 Generic Security Service Application Program Interface 5341 (GSS-API) Key Exchange with SHA-2"; 5342 } 5344 identity gss-group18-sha512-nistp256 { 5345 base key-exchange-alg-base; 5346 description 5347 "GSS-GROUP18-SHA512-NISTP256 (secp256r1)"; 5348 reference 5349 "RFC 8732: 5350 Generic Security Service Application Program Interface 5351 (GSS-API) Key Exchange with SHA-2"; 5352 } 5354 identity gss-group18-sha512-nistp384 { 5355 base key-exchange-alg-base; 5356 description 5357 "GSS-GROUP18-SHA512-NISTP384 (secp384r1)"; 5358 reference 5359 "RFC 8732: 5360 Generic Security Service Application Program Interface 5361 (GSS-API) Key Exchange with SHA-2"; 5362 } 5363 identity gss-group18-sha512-nistp521 { 5364 base 
key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-group18-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-GROUP18-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp256-sha256-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP256-SHA256-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp384-sha384-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP384-SHA384-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-nistp521-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-NISTP521-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.2.840.10045.3.1.1 (nistp192,
       secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve25519-sha256-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE25519-SHA256-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-nistp256 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-NISTP256 (secp256r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-nistp384 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-NISTP384 (secp384r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-nistp521 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-NISTP521 (secp521r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.1 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.2.840.10045.3.1.1 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.33 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.26 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.27 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.16 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.36 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.37 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-1.3.132.0.38 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-CURVE25519-SHA256";
    reference
      "RFC 8732:
         Generic Security
         Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity gss-curve448-sha512-curve448-sha512 {
    base key-exchange-alg-base;
    description
      "GSS-CURVE448-SHA512-CURVE448-SHA512";
    reference
      "RFC 8732:
         Generic Security Service Application Program Interface
         (GSS-API) Key Exchange with SHA-2";
  }

  identity curve25519-sha256 {
    base key-exchange-alg-base;
    description
      "CURVE25519-SHA256";
    reference
      "RFC 8731:
         Secure Shell (SSH) Key Exchange Method
         Using Curve25519 and Curve448";
  }

  identity curve448-sha512 {
    base key-exchange-alg-base;
    description
      "CURVE448-SHA512";
    reference
      "RFC 8731:
         Secure Shell (SSH) Key Exchange Method
         Using Curve25519 and Curve448";
  }

  // Protocol-accessible Nodes

  container supported-algorithms {
    config false;
    description
      "A container for a list of key exchange algorithms
       supported by the server.";
    leaf-list supported-algorithm {
      type key-exchange-algorithm-ref;
      description
        "A key exchange algorithm supported by the server.";
    }
  }

}

Appendix B. Change Log

This section is to be removed before publishing as an RFC.

B.1. 00 to 01

* Noted that '0.0.0.0' and '::' might have special meanings.

* Renamed "keychain" to "keystore".

B.2. 01 to 02

* Removed the groupings 'listening-ssh-client-grouping' and 'listening-ssh-server-grouping'. Now modules only contain the transport-independent groupings.

* Simplified the "client-auth" part in the ietf-ssh-client module. It now inlines what it used to point to keystore for.

* Added cipher suites for various algorithms into new 'ietf-ssh-common' module.

B.3. 02 to 03

* Removed 'RESTRICTED' enum from 'password' leaf type.

* Added a 'must' statement to container 'server-auth' asserting that at least one of the various auth mechanisms must be specified.

* Fixed description statement for leaf 'trusted-ca-certs'.

B.4. 03 to 04

* Changed title to "YANG Groupings for SSH Clients and SSH Servers".

* Added reference to RFC 6668.

* Added RFC 8174 to Requirements Language Section.

* Enhanced description statement for ietf-ssh-server's "trusted-ca-certs" leaf.

* Added mandatory true to ietf-ssh-client's "client-auth" 'choice' statement.

* Changed the YANG prefix for module ietf-ssh-common from 'sshcom' to 'sshcmn'.

* Removed the compression algorithms as they are not commonly configurable in vendors' implementations.

* Updated descriptions in transport-params-grouping and the server's usage of it.

* Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

* Updated YANG to use typedefs around leafrefs to common keystore paths.

* Now inlines key and certificates (no longer a leafref to keystore).

B.5. 04 to 05

* Merged changes from co-author.

B.6. 05 to 06

* Updated to use trust anchors from trust-anchors draft (was keystore draft).

* Now uses new keystore grouping enabling asymmetric key to be either locally defined or a reference to the keystore.

B.7. 06 to 07

* Factored the ssh-[client|server]-groupings into more reusable groupings.

* Added if-feature statements for the new "ssh-host-keys" and "x509-certificates" features defined in draft-ietf-netconf-trust-anchors.

B.8. 07 to 08

* Added a number of compatibility matrices to Section 5 (thanks Frank!).

* Clarified that any configured "host-key-alg" values need to be compatible with the configured private key.

B.9. 08 to 09

* Updated examples to reflect update to groupings defined in the keystore -09 draft.

* Added SSH keepalives features and groupings.

* Prefixed top-level SSH grouping nodes with 'ssh-' and support mashups.

* Updated copyright date, boilerplate template, affiliation, and folding algorithm.

B.10. 09 to 10

* Reformatted the YANG modules.

B.11. 10 to 11

* Reformatted lines causing folding to occur.

B.12. 11 to 12

* Collapsed all the inner groupings into the top-level grouping.

* Added a top-level "demux container" inside the top-level grouping.

* Added NACM statements and updated the Security Considerations section.

* Added "presence" statements on the "keepalive" containers, as was needed to address a validation error that appeared after adding the "must" statements into the NETCONF/RESTCONF client/server modules.

* Updated the boilerplate text in module-level "description" statement to match copyeditor convention.

B.13. 12 to 13

* Removed the "demux containers", floating the nacm:default-deny-write to each descendant node, and adding a note to model designers regarding the potential need to add their own demux containers.

* Fixed a couple of references (section 2 --> section 3).

* In the server model, replaced with and introduced 'local-or-external' choice.

B.14. 13 to 14

* Updated to reflect changes in trust-anchors drafts (e.g., s/trust-anchors/truststore/g + s/pinned.//).

B.15. 14 to 15

* Updated examples to reflect ietf-crypto-types change (e.g., identities --> enumerations).

* Updated "server-authentication" and "client-authentication" nodes from being a leaf of type "ts:host-keys-ref" or "ts:certificates-ref" to a container that uses "ts:local-or-truststore-host-keys-grouping" or "ts:local-or-truststore-certs-grouping".

B.16. 15 to 16

* Removed unnecessary if-feature statements in the -client and -server modules.

* Cleaned up some description statements in the -client and -server modules.

* Fixed a canonical ordering issue in ietf-ssh-common detected by new pyang.

B.17. 16 to 17

* Removed choice local-or-external by removing the 'external' case, flattening the 'local' case, and adding a "local-users-supported" feature.

* Updated examples to include the "*-key-format" nodes.

* Augmented-in "must" expressions ensuring that locally-defined public-key-format are "ct:ssh-public-key-format" (must expr for ref'ed keys are TBD).

B.18. 17 to 18

* Removed leaf-list 'other' from ietf-ssh-server.

* Removed unused 'external-client-auth-supported' feature.

* Added features client-auth-password, client-auth-hostbased, and client-auth-none.

* Renamed 'host-key' to 'public-key' for when referring to 'publickey' based auth.

* Added new feature-protected 'hostbased' and 'none' to the 'user' node's config.

* Added new feature-protected 'hostbased' and 'none' to the 'client-identity' node's config.

* Updated examples to reflect new "bag" addition to truststore.

* Refined truststore/keystore groupings to ensure the key formats "must" be particular values.

* Switched to using truststore's new "public-key" bag (instead of separate "ssh-public-key" and "raw-public-key" bags).

* Updated client/server examples to cover ALL cases (local/ref x cert/raw-key/psk).

B.19. 18 to 19

* Updated the "keepalives" containers to address Michal Vasko's request to align with RFC 8071.

* Removed algorithm-mapping tables from the "SSH Common Model" section.

* Removed 'algorithm' node from examples.

* Added feature "userauth-publickey".

* Removed "choice auth-type", as auth-types are not exclusive.

* Renamed both "client-certs" and "server-certs" to "ee-certs".

* Switched "must" to assert the public-key-format is "subject-public-key-info-format" when certificates are used.

* Added a "Note to Reviewers" note to first page.

B.20. 19 to 20

* Added a "must 'public-key or password or hostbased or none or certificate'" statement to the "user" node in ietf-ssh-client.

* Expanded the "Data Model Overview" section(s) [removed "wall" of tree diagrams].

* Moved the "ietf-ssh-common" module section to precede the other two module sections.

* Updated the Security Considerations section.

B.21. 20 to 21

* Updated examples to reflect new "cleartext-" prefix in the crypto-types draft.

B.22. 21 to 22

* Cleaned up the SSH-client examples (i.e., removing FIXMEs).

* Fixed issues found by the SecDir review of the "keystore" draft.

* Updated the "ietf-ssh-client" module to use the new "password-grouping" grouping from the "crypto-types" module.

B.23. 22 to 23

* Addressed comments raised by YANG Doctor in the ct/ts/ks drafts.

B.24. 23 to 24

* Removed the 'supported-authentication-methods' from {grouping ssh-server-grouping}/client-authentication.

* Added XML comment above examples explaining the reason for the unexpected top-most element's presence.

* Added RFC references to various 'feature' statements.

* Renamed "credentials" to "authentication methods".

* Renamed "client-auth-*" to "userauth-*".

* Renamed "client-identity-*" to "userauth-*".

* Fixed nits found by YANG Doctor reviews.

* Aligned modules with `pyang -f` formatting.

* Added a 'Contributors' section.

B.25. 24 to 25

* Moved algorithms in ietf-ssh-common (plus more) to IANA-maintained modules.

* Added "config false" lists for algorithms supported by the server.

* Renamed "{ietf-ssh-client}userauth-*" to "client-ident-*".

* Renamed "{ietf-ssh-server}userauth-*" to "local-user-auth-*".

* Fixed issues found during YANG Doctor review.

* Fixed issues found during Secdir review.

B.26. 25 to 26

* Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples.

* Minor editorial nits.

B.27. 26 to 27

* Fixed up the 'WG Web' and 'WG List' lines in YANG module(s).

* Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s).

* Created identityref-based typedefs for each of the four IANA alg identity bases.

* Added ietf-ssh-common:generate-public-key() RPC for discussion.

B.28. 27 to 28

* Fixed example to not have line-returns around "identity" values.

* Fixed examples to not include "xmlns:algs".

* Added an example for the "generate-public-key" RPC.

Acknowledgements

The authors would like to thank the following for lively discussions on list and in the halls (ordered by first name): Alan Luchuk, Andy Bierman, Balazs Kovacs, Barry Leiba, Benoit Claise, Bert Wijnen, David Lamparter, Gary Wu, Juergen Schoenwaelder, Ladislav Lhotka, Liang Xia, Martin Bjoerklund, Mehmet Ersue, Michal Vasko, Phil Shafer, Radek Krejci, Sean Turner, Tom Petch.

Contributors

Special acknowledgement goes to Gary Wu for his work on the "ietf-ssh-common" module.

Author's Address

Kent Watsen
Watsen Networks
Email: kent+ietf@watsen.net