module ietf-ssh-client {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
prefix "sshc";
import ietf-ssh-common {
prefix sshcom;
revision-date 2017-10-30; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 6536: Network Configuration Protocol (NETCONF) Access
Control Model";
}
import ietf-keystore {
prefix ks;
reference
"RFC YYYY: Keystore Model";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
Author: Gary Wu
";
description
"This module defines a reusable grouping for a SSH client that
can be used as a basis for specific SSH client instances.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision "2017-10-30" {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
}
// features
feature ssh-client-transport-params-config {
description
"SSH transport layer parameters are configurable on an SSH
client.";
}
// groupings
grouping ssh-client-grouping {
description
"A reusable grouping for configuring a SSH client without
any consideration for how an underlying TCP session is
established.";
container client-identity {
description
"The credentials used by the client to authenticate to
the SSH server.";
leaf username {
type string;
description
"The username of this user. This will be the username
used, for instance, to log into an SSH server.";
}
choice auth-type {
mandatory true;
description
"The authentication type.";
container certificate {
if-feature sshcom:ssh-x509-certs;
uses ks:private-key-grouping;
uses ks:certificate-grouping;
description
"A certificates to be used for client authentication.";
}
container public-key {
uses ks:private-key-grouping;
description
"A public key to be used for client authentication.";
}
leaf password {
nacm:default-deny-all;
type string;
description
"A password to be used for client authentication.";
}
}
} // end client-auth
container server-auth {
must 'pinned-ssh-host-keys or pinned-ca-certs or '
+ 'pinned-server-certs';
description
"Trusted server identities.";
leaf pinned-ssh-host-keys {
type ks:pinned-host-keys;
description
"A reference to a list of SSH host keys used by the
SSH client to authenticate SSH server host keys.
A server host key is authenticated if it is an exact
match to a configured SSH host key.";
}
leaf pinned-ca-certs {
if-feature sshcom:ssh-x509-certs;
type ks:pinned-certificates;
description
"A reference to a list of certificate authority (CA)
certificates used by the SSH client to authenticate
SSH server certificates. A server certificate is
authenticated if it has a valid chain of trust to
a configured CA certificate.";
}
leaf pinned-server-certs {
if-feature sshcom:ssh-x509-certs;
type ks:pinned-certificates;
description
"A reference to a list of server certificates used by
the SSH client to authenticate SSH server certificates.
A server certificate is authenticated if it is an
exact match to a configured server certificate.";
}
} // end server-auth
container transport-params {
if-feature ssh-client-transport-params-config;
uses sshcom:transport-params-grouping;
description
"Configurable parameters for the SSH transport layer.";
}
}
}