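module ietf-ssh-client {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
  prefix "sshc";

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-keystore {
    prefix ks;
    reference
      "RFC YYYY: Keystore Model";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:
     WG List:
     WG Chair: Mehmet Ersue
     WG Chair: Mahesh Jethanandani
     Author: Kent Watsen
     Author: Gary Wu
    ";

  description
    "This module defines a reusable grouping for a SSH client that
     can be used as a basis for specific SSH client instances.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision "2016-11-02" {
    description
      "Initial version";
    reference
      "RFC XXXX: SSH Client and Server Models";
  }

  // Gate for every leaf that refers to X.509 certificates: an SSH
  // client can only match host keys against certificates when it
  // implements RFC 6187, so those leaves are advertised only when
  // this feature is supported.
  feature ssh-x509-certs {
    description
      "The ssh-x509-certs feature indicates that the SSH
       client supports RFC 6187";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  grouping initiating-ssh-client-grouping {
    description
      "A reusable grouping for a SSH client that initiates the
       underlying TCP transport connection.";

    // NOTE(review): none of the leaves below is mandatory. If none
    // of them is configured, the client has no trust anchor with
    // which to authenticate an SSH server. Consider adding a 'must'
    // or 'mandatory true' refinement where this grouping is used.
    container server-auth {
      description
        "Trusted server identities. At least one of the
         'trusted-ssh-host-keys', 'trusted-ca-certs', or
         'trusted-server-certs' leaves should be configured;
         otherwise the client has nothing to authenticate the
         SSH server against.";

      leaf trusted-ssh-host-keys {
        type leafref {
          path "/ks:keystore/ks:trusted-ssh-host-keys/ks:name";
        }
        description
          "A reference to a list of SSH host keys used by the
           SSH client to authenticate SSH server host keys.
           A server host key is authenticated if it is an exact
           match to a configured trusted SSH host key.";
      }

      leaf trusted-ca-certs {
        if-feature ssh-x509-certs;
        type leafref {
          path "/ks:keystore/ks:trusted-certificates/ks:name";
        }
        description
          "A reference to a list of certificate authority (CA)
           certificates used by the SSH client to authenticate
           SSH server certificates.";
      }

      leaf trusted-server-certs {
        // Certificate-based server authentication requires RFC 6187
        // support just as 'trusted-ca-certs' does, so this leaf is
        // made conditional on the same feature for consistency.
        if-feature ssh-x509-certs;
        type leafref {
          path "/ks:keystore/ks:trusted-certificates/ks:name";
        }
        description
          "A reference to a list of server certificates used by
           the SSH client to authenticate SSH server certificates.
           A server certificate is authenticated if it is an
           exact match to a configured trusted server certificate.";
      }
    }

    container client-auth {
      description
        "The credentials used by the client to authenticate to
         the SSH server.";

      list matches {
        key name;
        description
          "A matches expression, which performs like a firewall
           rulebase in that each matches expression is considered
           for a match before moving onto the next matches
           expression. The first matching expression terminates
           the search, and its 'user-auth-credentials' are used
           to log into the SSH server.";

        leaf name {
          type string;
          description
            "An arbitrary name for this matches expression.";
        }

        // Every 'match' entry in this list must match for the
        // enclosing 'matches' expression to be selected (see the
        // description of 'user-auth-credentials' below).
        list match {
          key name;
          description
            "A match rule. The presented SSH server's host key
             is matched against possible trusted SSH host keys
             and certificates. If a match is found, the specified
             'user-auth-credentials' is used to log into the
             SSH server.";

          leaf name {
            type string;
            description
              "An arbitrary name for this match rule.";
          }

          leaf trusted-ssh-host-keys {
            type leafref {
              path "/ks:keystore/ks:trusted-ssh-host-keys/ks:name";
            }
            description
              "A test to see if the presented SSH host key
               matches any of the host keys in the specified
               'trusted-ssh-host-keys' list maintained by the
               keystore module.";
          }

          leaf trusted-ca-certs {
            // Same feature gate as the server-auth leaf of the same
            // name; matching against CA certificates needs RFC 6187.
            if-feature ssh-x509-certs;
            type leafref {
              path "/ks:keystore/ks:trusted-certificates/ks:name";
            }
            description
              "A test to see if the presented SSH host key matches
               any of the trusted CA certificates in the specified
               'trusted-certificates' list maintained by the
               keystore module.";
          }

          leaf trusted-server-certs {
            // Same feature gate as the server-auth leaf of the same
            // name; matching against certificates needs RFC 6187.
            if-feature ssh-x509-certs;
            type leafref {
              path "/ks:keystore/ks:trusted-certificates/ks:name";
            }
            description
              "A test to see if the presented SSH host key matches
               any of the trusted server certificates in the specified
               'trusted-certificates' list maintained by the
               keystore module.";
          }
        }

        leaf user-auth-credentials {
          type leafref {
            path "/ks:keystore/ks:user-auth-credentials/"
               + "ks:user-auth-credential/ks:username";
          }
          description
            "The specific user authentication credentials to use if
             all of the above 'match' expressions match.";
        }
      }
    }
  } // end initiating-ssh-client-grouping

  grouping listening-ssh-client-grouping {
    description
      "A reusable grouping for a SSH client that does not initiate
       the underlying TCP transport connection; the connection is
       assumed to have been established using some other mechanism
       (for example, call home).";

    leaf address {
      type inet:ip-address;
      description
        "The IP address to listen for call-home connections on.";
    }

    leaf port {
      type inet:port-number;
      description
        "The port number to listen for call-home connections.
         When this grouping is used, it is RECOMMENDED that a
         refine statement is used to either set a default port
         value or to set mandatory true.";
    }

    // The listening variant reuses server and client authentication
    // from the initiating grouping; only the transport setup differs.
    uses initiating-ssh-client-grouping;
  }
}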