| ietf-ssh-server@2024-03-16.yang | ietf-ssh-server@2024-03-16.formatted.yang | |||
|---|---|---|---|---|
| skipping to change at line 202 ¶ | skipping to change at line 193 ¶ | |||
| container public-key { | container public-key { | |||
| description | description | |||
| "A locally defined or referenced asymmetric key pair | "A locally defined or referenced asymmetric key pair | |||
| to be used for the SSH server's host key."; | to be used for the SSH server's host key."; | |||
| reference | reference | |||
| "RFC 9642: A YANG Data Model for a Keystore and | "RFC 9642: A YANG Data Model for a Keystore and | |||
| Keystore Operations"; | Keystore Operations"; | |||
| uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
| refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
| must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
| + '(public-key-format, "ct:ssh-public-key-format")'; | + '(public-key-format, "ct:ssh-public-key-format")'; | |||
| } | } | |||
| refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
| + "central-keystore-reference" { | + "central-keystore-reference" { | |||
| must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
| + 'derived-from-or-self(deref(.)/../ks:public-' | + 'derived-from-or-self(deref(.)/../ks:public-' | |||
| + 'key-format, "ct:ssh-public-key-format")'; | + 'key-format, "ct:ssh-public-key-format")'; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| container certificate { | container certificate { | |||
| if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
| description | description | |||
| "A locally defined or referenced end-entity | "A locally defined or referenced end-entity | |||
| certificate to be used for the SSH server's | certificate to be used for the SSH server's | |||
| host key."; | host key."; | |||
| reference | reference | |||
| "RFC 9642: A YANG Data Model for a Keystore and | "RFC 9642: A YANG Data Model for a Keystore and | |||
| Keystore Operations"; | Keystore Operations"; | |||
| uses | uses ks:inline-or-keystore-end-entity-cert-with-key-grouping { | |||
| ks:inline-or-keystore-end-entity-cert-with-key-grouping{ | ||||
| refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
| must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
| + '(public-key-format, "ct:subject-public-key-' | + '(public-key-format, "ct:subject-public-key-' | |||
| + 'info-format")'; | + 'info-format")'; | |||
| } | } | |||
| refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
| + "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
| must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
| + 'derived-from-or-self(deref(.)/../ks:public-key' | + 'derived-from-or-self(deref(.)/../ks:public-key' | |||
| + '-format, "ct:subject-public-key-info-format")'; | + '-format, "ct:subject-public-key-info-format")'; | |||
| skipping to change at line 279 ¶ | skipping to change at line 267 ¶ | |||
| type string; | type string; | |||
| description | description | |||
| "The 'username' for the SSH client, as defined in | "The 'username' for the SSH client, as defined in | |||
| the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; | the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; | |||
| reference | reference | |||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||
| Protocol"; | Protocol"; | |||
| } | } | |||
| container public-keys { | container public-keys { | |||
| if-feature "local-user-auth-publickey"; | if-feature "local-user-auth-publickey"; | |||
| presence | presence "Indicates that public keys have been configured. | |||
| "Indicates that public keys have been configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply that this node must be | |||
| nodes do not imply that this node must be | configured."; | |||
| configured."; | ||||
| description | description | |||
| "A set of SSH public keys may be used by the SSH | "A set of SSH public keys may be used by the SSH | |||
| server to authenticate this user. A user is | server to authenticate this user. A user is | |||
| authenticated if its public key is an exact | authenticated if its public key is an exact | |||
| match to a configured public key."; | match to a configured public key."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
| refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
| + "public-key" { | + "public-key" { | |||
| skipping to change at line 325 ¶ | skipping to change at line 312 ¶ | |||
| } | } | |||
| leaf last-modified { | leaf last-modified { | |||
| type yang:date-and-time; | type yang:date-and-time; | |||
| config false; | config false; | |||
| description | description | |||
| "Identifies when the password was last set."; | "Identifies when the password was last set."; | |||
| } | } | |||
| } | } | |||
| container hostbased { | container hostbased { | |||
| if-feature "local-user-auth-hostbased"; | if-feature "local-user-auth-hostbased"; | |||
| presence | presence "Indicates that host-based (RFC 4252) keys have been | |||
| "Indicates that host-based (RFC 4252) keys have been | configured. This statement is present so the | |||
| configured. This statement is present so the | mandatory descendant nodes do not imply that this | |||
| mandatory descendant nodes do not imply that this | node must be configured."; | |||
| node must be configured."; | ||||
| description | description | |||
| "A set of SSH host keys used by the SSH server to | "A set of SSH host keys used by the SSH server to | |||
| authenticate this user's host. A user's host is | authenticate this user's host. A user's host is | |||
| authenticated if its host key is an exact match | authenticated if its host key is an exact match | |||
| to a configured host key."; | to a configured host key."; | |||
| reference | reference | |||
| "RFC 4252: The Secure Shell (SSH) Authentication | "RFC 4252: The Secure Shell (SSH) Authentication | |||
| Protocol | Protocol | |||
| RFC 9641: A YANG Data Model for a Truststore"; | RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
| skipping to change at line 367 ¶ | skipping to change at line 353 ¶ | |||
| "Indicates that the 'none' method is configured | "Indicates that the 'none' method is configured | |||
| for this user."; | for this user."; | |||
| reference | reference | |||
| "RFC 4252: The Secure Shell (SSH) Authentication | "RFC 4252: The Secure Shell (SSH) Authentication | |||
| Protocol"; | Protocol"; | |||
| } | } | |||
| } | } | |||
| } // users | } // users | |||
| container ca-certs { | container ca-certs { | |||
| if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
| presence | presence "Indicates that CA certificates have been configured. | |||
| "Indicates that CA certificates have been configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply this node must be configured."; | |||
| nodes do not imply this node must be configured."; | ||||
| description | description | |||
| "A set of certificate authority (CA) certificates used by | "A set of certificate authority (CA) certificates used by | |||
| the SSH server to authenticate SSH client certificates. | the SSH server to authenticate SSH client certificates. | |||
| A client certificate is authenticated if it has a valid | A client certificate is authenticated if it has a valid | |||
| chain of trust to a configured CA certificate."; | chain of trust to a configured CA certificate."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
| } | } | |||
| container ee-certs { | container ee-certs { | |||
| if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
| presence | presence "Indicates that EE certificates have been configured. | |||
| "Indicates that EE certificates have been configured. | This statement is present so the mandatory descendant | |||
| This statement is present so the mandatory descendant | nodes do not imply this node must be configured."; | |||
| nodes do not imply this node must be configured."; | ||||
| description | description | |||
| "A set of client certificates (i.e., end-entity | "A set of client certificates (i.e., end-entity | |||
| certificates) used by the SSH server to authenticate | certificates) used by the SSH server to authenticate | |||
| the certificates presented by SSH clients. A client | the certificates presented by SSH clients. A client | |||
| certificate is authenticated if it is an exact match | certificate is authenticated if it is an exact match | |||
| to a configured end-entity certificate."; | to a configured end-entity certificate."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
| } | } | |||
| skipping to change at line 397 ¶ | skipping to change at line 381 ¶ | |||
| "A set of client certificates (i.e., end-entity | "A set of client certificates (i.e., end-entity | |||
| certificates) used by the SSH server to authenticate | certificates) used by the SSH server to authenticate | |||
| the certificates presented by SSH clients. A client | the certificates presented by SSH clients. A client | |||
| certificate is authenticated if it is an exact match | certificate is authenticated if it is an exact match | |||
| to a configured end-entity certificate."; | to a configured end-entity certificate."; | |||
| reference | reference | |||
| "RFC 9641: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
| uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
| } | } | |||
| } // container client-authentication | } // container client-authentication | |||
| container transport-params { | container transport-params { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| if-feature "sshcmn:transport-params"; | if-feature "sshcmn:transport-params"; | |||
| description | description | |||
| "Configurable parameters of the SSH transport layer."; | "Configurable parameters of the SSH transport layer."; | |||
| uses sshcmn:transport-params-grouping; | uses sshcmn:transport-params-grouping; | |||
| } // container transport-params | } // container transport-params | |||
| container keepalives { | container keepalives { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| if-feature "ssh-server-keepalives"; | if-feature "ssh-server-keepalives"; | |||
| presence | presence "Indicates that the SSH server proactively tests the | |||
| "Indicates that the SSH server proactively tests the | aliveness of the remote SSH client."; | |||
| aliveness of the remote SSH client."; | ||||
| description | description | |||
| "Configures the keep-alive policy to proactively test | "Configures the keep-alive policy to proactively test | |||
| the aliveness of the SSH client. An unresponsive SSH | the aliveness of the SSH client. An unresponsive SSH | |||
| client is dropped after approximately max-wait * | client is dropped after approximately max-wait * | |||
| max-attempts seconds. Per Section 4 of RFC 4254, | max-attempts seconds. Per Section 4 of RFC 4254, | |||
| the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST | the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST | |||
| message with a purposely nonexistent 'request name' | message with a purposely nonexistent 'request name' | |||
| value (e.g., keepalive@ietf.org) and the 'want reply' | value (e.g., keepalive@ietf.org) and the 'want reply' | |||
| value set to '1'."; | value set to '1'."; | |||
| reference | reference | |||
| End of changes. 9 change blocks. | ||||
| 27 lines changed or deleted | 18 lines changed or added | |||