1 module ietf-ssh-common {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
6 import iana-ssh-encryption-algs {
9 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
12 import iana-ssh-key-exchange-algs {
15 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
18 import iana-ssh-mac-algs {
21 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
24 import iana-ssh-public-key-algs {
27 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
30 import ietf-crypto-types {
33 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
36 import ietf-keystore {
39 "RFC CCCC: A YANG Data Model for a Keystore";
43 "IETF NETCONF (Network Configuration) Working Group";
46 "WG Web: https://datatracker.ietf.org/wg/netconf
47 WG List: NETCONF WG list <mailto:netconf@ietf.org>
48 Author: Kent Watsen <mailto:kent+ietf@watsen.net>
49 Author: Gary Wu <mailto:garywu@cisco.com>";
52 "This module defines a common features and groupings for
55 Copyright (c) 2023 IETF Trust and the persons identified
56 as authors of the code. All rights reserved.
58 Redistribution and use in source and binary forms, with
59 or without modification, is permitted pursuant to, and
60 subject to the license terms contained in, the Revised
61 BSD License set forth in Section 4.c of the IETF Trust's
62 Legal Provisions Relating to IETF Documents
63 (https://trustee.ietf.org/license-info).
65 This version of this YANG module is part of RFC EEEE
66 (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
67 itself for full legal notices.
69 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
70 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
71 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
72 are to be interpreted as described in BCP 14 (RFC 2119)
73 (RFC 8174) when, and only when, they appear in all
74 capitals, as shown here.";
80 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
85 feature ssh-x509-certs {
87 "X.509v3 certificates are supported for SSH.";
89 "RFC 6187: X.509v3 Certificates for Secure Shell
93 feature transport-params {
95 "SSH transport layer parameters are configurable.";
98 feature public-key-generation {
100 "Indicates that the server implements the
101 'generate-public-key' RPC.";
106 grouping transport-params-grouping {
108 "A reusable grouping for SSH transport parameters.";
110 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
113 "Parameters regarding host key.";
114 leaf-list host-key-alg {
116 base sshpka:public-key-alg-base;
120 "Acceptable host key algorithms in order of decreasing
123 If this leaf-list is not configured (has zero elements)
124 the acceptable host key algorithms are implementation-
127 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
130 container key-exchange {
132 "Parameters regarding key exchange.";
133 leaf-list key-exchange-alg {
135 base sshkea:key-exchange-alg-base;
139 "Acceptable key exchange algorithms in order of decreasing
142 If this leaf-list is not configured (has zero elements)
143 the acceptable key exchange algorithms are implementation
147 container encryption {
149 "Parameters regarding encryption.";
150 leaf-list encryption-alg {
152 base sshea:encryption-alg-base;
156 "Acceptable encryption algorithms in order of decreasing
159 If this leaf-list is not configured (has zero elements)
160 the acceptable encryption algorithms are implementation
166 "Parameters regarding message authentication code (MAC).";
169 base sshma:mac-alg-base;
173 "Acceptable MAC algorithms in order of decreasing
176 If this leaf-list is not configured (has zero elements)
177 the acceptable MAC algorithms are implementation-
183 // Protocol-accessible Nodes
185 rpc generate-public-key {
186 if-feature "public-key-generation";
188 "Requests the device to generate an public key using
189 the specified key algorithm.";
192 type sshpka:public-key-algorithm-ref;
195 "The algorithm to be used when generating the key.";
200 "Specifies the number of bits in the key to create.
201 For RSA keys, the minimum size is 1024 bits and
202 the default is 3072 bits. Generally, 3072 bits is
203 considered sufficient. DSA keys must be exactly 1024
204 bits as specified by FIPS 186-6. For ECDSA keys, the
205 'num-bits' value determines the key length by selecting
206 from one of three elliptic curve sizes: 256, 384 or
207 521 bits. Attempting to use bit lengths other than
208 these three values for ECDSA keys will fail. ECDSA-SK,
209 Ed25519 and Ed25519-SK keys have a fixed length and
210 thus the 'num-bits' value is not specified.";
212 "FIPS 186-6: Digital Signature Standard (DSS)";
214 container private-key-encoding {
216 "Indicates how the private key is to be encoded.";
217 choice private-key-encoding {
220 "A choice amongst optional private key handling.";
222 if-feature "ct:cleartext-private-keys";
226 "Indicates that the private key is to be returned
227 as a cleartext value.";
231 if-feature "ct:encrypted-private-keys";
232 container encrypted {
234 "Indicates that the private key is to be encrypted
235 using the specified symmetric or asymmetric key.";
236 uses ks:encrypted-by-grouping;
240 if-feature "ct:hidden-private-keys";
244 "Indicates that the private key is to be hidden.
246 Unlike the 'cleartext' and 'encrypt' options, the
247 key returned is a placeholder for an internally
248 stored key. See the 'Support for Built-in Keys'
249 section in RFC CCCC for information about hidden
257 uses ct:asymmetric-key-pair-grouping;
259 } // end generate-public-key