(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
- revision 2023-04-17 {
+ revision 2023-12-28 {
description
"Initial version";
reference
description
"Indicates that the 'publickey' authentication type,
per RFC 4252, is supported for locally-defined users.
-
The 'publickey' authentication type is required by
- RFC 4252, but common implementations enable it to
+ RFC 4252, but common implementations allow it to
be disabled.";
reference
"RFC 4252:
"RFC 4252:
The Secure Shell (SSH) Authentication Protocol";
}
+
feature local-user-auth-none {
if-feature "local-users-supported";
description
"RFC CCCC: A YANG Data Model for a Keystore";
uses ks:inline-or-keystore-asymmetric-key-grouping {
refine "inline-or-keystore/inline/inline-definition" {
- must 'derived-from-or-self(public-key-format,'
- + ' "ct:ssh-public-key-format")';
+ must 'not(public-key-format) or derived-from-or-self'
+ + '(public-key-format, "ct:ssh-public-key-format")';
}
- refine "inline-or-keystore/keystore/"
- + "keystore-reference" {
- must 'derived-from-or-self(deref(.)/../ks:public-'
+ refine "inline-or-keystore/central-keystore/"
+ + "central-keystore-reference" {
+ must 'not(deref(.)/../ks:public-key-format) or '
+ + 'derived-from-or-self(deref(.)/../ks:public-'
+ 'key-format, "ct:ssh-public-key-format")';
}
}
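Review bot: The rewritten `must` expressions in both `refine` statements now evaluate to true whenever `public-key-format` is absent, so for such a key the schema no longer establishes that it is in `ct:ssh-public-key-format`, and nothing in the hunk says why. Presumably this accommodates keys whose public part is not configured (the crypto-types and keystore definitions are not visible here), which would leave the check to the implementation when the key is loaded. I would record that in the `must` itself, e.g. `description "An absent 'public-key-format' cannot be validated here; the implementation must verify the key type before use.";`, and add an `error-message` so that a rejected format is reported clearly. The same applies to the `ct:subject-public-key-info-format` constraints in the following hunk. The enclosing container begins before this hunk, so its own description could not be checked.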
reference
"RFC CCCC: A YANG Data Model for a Keystore";
uses
- ks:inline-or-keystore-end-entity-cert-with-key-grouping{
+ ks:inline-or-keystore-end-entity-cert-with-key-grouping{
refine "inline-or-keystore/inline/inline-definition" {
- must 'derived-from-or-self(public-key-format,'
- + ' "ct:subject-public-key-info-format")';
+ must 'not(public-key-format) or derived-from-or-self'
+ + '(public-key-format, "ct:subject-public-key-'
+ + 'info-format")';
}
- refine "inline-or-keystore/keystore/keystore-reference"
- + "/asymmetric-key" {
- must
- 'derived-from-or-self(deref(.)/../ks:public-key-'
- + 'format, "ct:subject-public-key-info-format")';
+ refine "inline-or-keystore/central-keystore/"
+ + "central-keystore-reference/asymmetric-key" {
+ must 'not(deref(.)/../ks:public-key-format) or '
+ + 'derived-from-or-self(deref(.)/../ks:public-key'
+ + '-format, "ct:subject-public-key-info-format")';
}
}
}
5.1 and 5.2 in RFC 4252.
The authentication methods are unordered. Clients
- must authenticate to all configured methods.
+ must authenticate to all configured methods.
Whenever a choice amongst methods arises,
implementations SHOULD use a default ordering
that prioritizes automation over human-interaction.";
must 'derived-from-or-self(public-key-format,'
+ ' "ct:ssh-public-key-format")';
}
- refine "inline-or-truststore/truststore/truststore-"
- + "reference" {
+ refine "inline-or-truststore/central-truststore/"
+ + "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:ssh-'
+ 'public-key-format"))])';
must 'derived-from-or-self(public-key-format,'
+ ' "ct:ssh-public-key-format")';
}
- refine "inline-or-truststore/truststore/truststore-"
- + "reference" {
+ refine "inline-or-truststore/central-truststore/"
+ + "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:ssh-'
+ 'public-key-format"))])';
Protocol.";
}
}
- }
+ } // users
container ca-certs {
if-feature "sshcmn:ssh-x509-certs";
presence