1 module ietf-ssh-common {
// Module header for ietf-ssh-common: namespace, imports, contact,
// copyright and the BCP 14 key-word boilerplate.
// NOTE(review): this listing is an excerpt — the gutter numbers skip
// lines, so e.g. each import's 'prefix' statement is not shown. The
// prefixes the groupings below reference are sshpka, sshkea, sshea,
// sshma, ct and ks; presumably they map onto these imports by name.
3 namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
// The four IANA-maintained SSH algorithm modules (encryption, key
// exchange, MAC, public key) supply the identity bases and the
// *-algorithm-ref types used for every algorithm leaf-list below.
6 import iana-ssh-encryption-algs {
9 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
12 import iana-ssh-key-exchange-algs {
15 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
18 import iana-ssh-mac-algs {
21 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
24 import iana-ssh-public-key-algs {
27 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
// ietf-crypto-types provides asymmetric-key-pair-grouping and the
// cleartext/encrypted/hidden-private-keys features used by the RPC;
// ietf-keystore provides encrypted-by-grouping.
30 import ietf-crypto-types {
33 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
36 import ietf-keystore {
39 "RFC CCCC: A YANG Data Model for a Keystore";
// NOTE(review): 'RFC EEEE', 'RFC AAAA' and 'RFC CCCC' are the draft's
// pre-publication placeholders; the published module carries the
// assigned numbers — confirm against it before citing this text.
43 "IETF NETCONF (Network Configuration) Working Group";
46 "WG Web: https://datatracker.ietf.org/wg/netconf
47 WG List: NETCONF WG list <mailto:netconf@ietf.org>
48 Author: Kent Watsen <mailto:kent+ietf@watsen.net>
49 Author: Gary Wu <mailto:garywu@cisco.com>";
52 "This module defines a common features and groupings for
55 Copyright (c) 2024 IETF Trust and the persons identified
56 as authors of the code. All rights reserved.
58 Redistribution and use in source and binary forms, with
59 or without modification, is permitted pursuant to, and
60 subject to the license terms contained in, the Revised
61 BSD License set forth in Section 4.c of the IETF Trust's
62 Legal Provisions Relating to IETF Documents
63 (https://trustee.ietf.org/license-info).
65 This version of this YANG module is part of RFC EEEE
66 (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
67 itself for full legal notices.
69 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
70 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
71 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
72 are to be interpreted as described in BCP 14 (RFC 2119)
73 (RFC 8174) when, and only when, they appear in all
74 capitals, as shown here.";
80 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
// Optional capabilities. A feature only takes effect where a node
// names it in an if-feature: 'algorithm-discovery' gates the
// 'supported-algorithms' container and 'asymmetric-key-pair-generation'
// gates the 'generate-asymmetric-key-pair' RPC further down; the uses
// of 'ssh-x509-certs' and 'transport-params' are not in this excerpt.
85 feature ssh-x509-certs {
87 "X.509v3 certificates are supported for SSH.";
89 "RFC 6187: X.509v3 Certificates for Secure Shell
93 feature transport-params {
95 "SSH transport layer parameters are configurable.";
98 feature asymmetric-key-pair-generation {
100 "Indicates that the server implements the
101 'generate-asymmetric-key-pair' RPC.";
104 feature algorithm-discovery {
106 "Indicates that the server implements the
107 'supported-algorithms' container.";
// Reusable SSH transport parameters (RFC 4253): one ordered leaf-list
// per algorithm class — host key, key exchange, encryption, MAC — each
// an identityref rooted at the matching IANA '*-alg-base' identity.
// Security note: every list is ordered by decreasing preference and,
// when left empty, defers to implementation-defined defaults. An empty
// list therefore does not exclude anything; a deployment that must rule
// out particular algorithms has to configure the list explicitly.
113 grouping transport-params-grouping {
115 "A reusable grouping for SSH transport parameters.";
117 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
// Host-key algorithms the peer's host key may be signed with.
120 "Parameters regarding host key.";
121 leaf-list host-key-alg {
123 base sshpka:public-key-alg-base;
127 "Acceptable host key algorithms in order of decreasing
130 If this leaf-list is not configured (has zero elements)
131 the acceptable host key algorithms are implementation-
134 "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
// Key-exchange algorithms, same ordering and empty-list semantics.
137 container key-exchange {
139 "Parameters regarding key exchange.";
140 leaf-list key-exchange-alg {
142 base sshkea:key-exchange-alg-base;
146 "Acceptable key exchange algorithms in order of decreasing
149 If this leaf-list is not configured (has zero elements)
150 the acceptable key exchange algorithms are implementation
// Encryption (cipher) algorithms, same ordering and empty-list semantics.
154 container encryption {
156 "Parameters regarding encryption.";
157 leaf-list encryption-alg {
159 base sshea:encryption-alg-base;
163 "Acceptable encryption algorithms in order of decreasing
166 If this leaf-list is not configured (has zero elements)
167 the acceptable encryption algorithms are implementation
// MAC algorithms; the enclosing container and leaf-list lines are not
// shown in this excerpt, only the base identity and description.
173 "Parameters regarding message authentication code (MAC).";
176 base sshma:mac-alg-base;
180 "Acceptable MAC algorithms in order of decreasing
183 If this leaf-list is not configured (has zero elements)
184 the acceptable MAC algorithms are implementation-
190 // Protocol-accessible Nodes
// Discovery of the server's algorithm inventory, gated by the
// 'algorithm-discovery' feature. Each sub-container holds a leaf-list
// 'supported-algorithm' typed as the *-algorithm-ref of the matching
// IANA module. These report what the server implements, as opposed to
// the acceptable-algorithm lists configured via
// transport-params-grouping.
// NOTE(review): the 'config' statement is not in this excerpt — this
// node is presumably 'config false' (operational state); confirm.
192 container supported-algorithms {
193 if-feature "algorithm-discovery";
196 "Identifies all of the supported algorithms.";
197 container public-key-algorithms {
199 "A container for a list of public key algorithms
200 supported by the server.";
201 leaf-list supported-algorithm {
202 type sshpka:public-key-algorithm-ref;
204 "A public key algorithm supported by the server.";
207 container encryption-algorithms {
209 "A container for a list of encryption algorithms
210 supported by the server.";
211 leaf-list supported-algorithm {
212 type sshea:encryption-algorithm-ref;
214 "An encryption algorithm supported by the server.";
217 container key-exchange-algorithms {
220 "A container for a list of key exchange algorithms
221 supported by the server.";
222 leaf-list supported-algorithm {
223 type sshkea:key-exchange-algorithm-ref;
225 "A key exchange algorithm supported by the server.";
228 container mac-algorithms {
231 "A container for a list of MAC algorithms
232 supported by the server.";
233 leaf-list supported-algorithm {
234 type sshma:mac-algorithm-ref;
236 "A MAC algorithm supported by the server.";
// RPC asking the device to generate an asymmetric key pair on the
// device itself, gated by 'asymmetric-key-pair-generation'. Inputs are
// the public-key algorithm, 'num-bits', and a 'private-key-encoding'
// choice that decides how the private half comes back (cleartext,
// encrypted, or hidden). The result is expressed through
// ct:asymmetric-key-pair-grouping; the enclosing input/output
// statements are not shown in this excerpt.
// NOTE(review): the description says "generate an public key" — should
// read "a public key", and since the RPC returns a key pair, "an
// asymmetric key pair" would be more accurate.
241 rpc generate-asymmetric-key-pair {
242 if-feature "asymmetric-key-pair-generation";
244 "Requests the device to generate an public key using
245 the specified key algorithm.";
// Algorithm is an identityref into the IANA public-key algorithm list.
248 type sshpka:public-key-algorithm-ref;
251 "The algorithm to be used when generating the key.";
// Key size. Meaning depends on the algorithm: RSA takes a modulus
// size, ECDSA takes one of three curve sizes, EdDSA/SK keys ignore it.
// NOTE(review): check the stated limits against current guidance —
// FIPS 186-5 (2023) is the current DSS revision and no longer approves
// DSA for signature generation, and NIST SP 800-131A deprecates RSA
// moduli below 2048 bits for signature generation. Confirm the
// 'FIPS 186-6' citation and whether the 1024-bit RSA minimum and the
// DSA case should remain.
256 "Specifies the number of bits in the key to create.
257 For RSA keys, the minimum size is 1024 bits and
258 the default is 3072 bits. Generally, 3072 bits is
259 considered sufficient. DSA keys must be exactly 1024
260 bits as specified by FIPS 186-6. For ECDSA keys, the
261 'num-bits' value determines the key length by selecting
262 from one of three elliptic curve sizes: 256, 384 or
263 521 bits. Attempting to use bit lengths other than
264 these three values for ECDSA keys will fail. ECDSA-SK,
265 Ed25519 and Ed25519-SK keys have a fixed length and
266 thus the 'num-bits' value is not specified.";
268 "FIPS 186-6: Digital Signature Standard (DSS)";
// How the generated private key is returned. Each case is gated by
// the matching ietf-crypto-types feature; the 'case' lines themselves
// are not in this excerpt.
270 container private-key-encoding {
272 "Indicates how the private key is to be encoded.";
273 choice private-key-encoding {
276 "A choice amongst optional private key handling.";
// Cleartext: the private key travels back over the management session
// in the clear — the highest-exposure option; the session's own
// protection is all that guards it.
278 if-feature "ct:cleartext-private-keys";
282 "Indicates that the private key is to be returned
283 as a cleartext value.";
// Encrypted: the private key is wrapped with a symmetric or asymmetric
// key selected via ks:encrypted-by-grouping (a keystore reference).
287 if-feature "ct:encrypted-private-keys";
288 container encrypted {
290 "Indicates that the private key is to be encrypted
291 using the specified symmetric or asymmetric key.";
292 uses ks:encrypted-by-grouping;
// Hidden: only a placeholder for an internally stored key is returned;
// the private key never leaves the device. See RFC CCCC ('Support for
// Built-in Keys') as cited in the description.
296 if-feature "ct:hidden-private-keys";
300 "Indicates that the private key is to be hidden.
302 Unlike the 'cleartext' and 'encrypt' options, the
303 key returned is a placeholder for an internally
304 stored key. See the 'Support for Built-in Keys'
305 section in RFC CCCC for information about hidden
// The generated key pair (public key, and the private key in the
// requested encoding) is carried by this grouping.
313 uses ct:asymmetric-key-pair-grouping;
315 } // end generate-asymmetric-key-pair