rfc9644.original | rfc9644.txt | |||
---|---|---|---|---|
NETCONF Working Group K. Watsen | Internet Engineering Task Force (IETF) K. Watsen | |||
Internet-Draft Watsen Networks | Request for Comments: 9644 Watsen Networks | |||
Intended status: Standards Track 16 March 2024 | Category: Standards Track October 2024 | |||
Expires: 17 September 2024 | ISSN: 2070-1721 | |||
YANG Groupings for SSH Clients and SSH Servers | YANG Groupings for SSH Clients and SSH Servers | |||
draft-ietf-netconf-ssh-client-server-40 | ||||
Abstract | Abstract | |||
This document presents seven YANG 1.1 modules. Three IETF modules, | This document presents three IETF-defined YANG modules and a script | |||
and four supporting IANA modules. | used to create four supporting IANA modules. | |||
The three IETF modules are: ietf-ssh-common, ietf-ssh-client, and | The three IETF modules are ietf-ssh-common, ietf-ssh-client, and | |||
ietf-ssh-server. The "ietf-ssh-client" and "ietf-ssh-server" modules | ietf-ssh-server. The "ietf-ssh-client" and "ietf-ssh-server" modules | |||
are the primary productions of this work, supporting the | are the primary productions of this work, supporting the | |||
configuration and monitoring of SSH clients and servers. | configuration and monitoring of Secure Shell (SSH) clients and | |||
servers. | ||||
The four IANA modules are: iana-ssh-encryption-algs, iana-ssh-key- | The four IANA modules are iana-ssh-encryption-algs, iana-ssh-key- | |||
exchange-algs, iana-ssh-mac-algs, and iana-ssh-public-key-algs. | exchange-algs, iana-ssh-mac-algs, and iana-ssh-public-key-algs. | |||
These modules each define YANG enumerations providing support for an | These modules each define YANG enumerations providing support for an | |||
IANA-maintained algorithm registry. | IANA-maintained algorithm registry. | |||
Editorial Note (To be removed by RFC Editor) | ||||
This draft contains placeholder values that need to be replaced with | ||||
finalized values at the time of publication. This note summarizes | ||||
all of the substitutions that are needed. No other RFC Editor | ||||
instructions are specified elsewhere in this document. | ||||
Artwork in this document contains shorthand references to drafts in | ||||
progress. Please apply the following replacements: | ||||
* AAAA --> the assigned RFC value for draft-ietf-netconf-crypto- | ||||
types | ||||
* BBBB --> the assigned RFC value for draft-ietf-netconf-trust- | ||||
anchors | ||||
* CCCC --> the assigned RFC value for draft-ietf-netconf-keystore | ||||
* DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client- | ||||
server | ||||
* EEEE --> the assigned RFC value for this draft | ||||
Artwork in this document contains placeholder values for the date of | ||||
publication of this draft. Please apply the following replacement: | ||||
* 2024-03-16 --> the publication date of this draft | ||||
The "Relation to other RFCs" section Section 1.2 contains the text | ||||
"one or more YANG modules" and, later, "modules". This text is | ||||
sourced from a file in a context where it is unknown how many modules | ||||
a draft defines. The text is not wrong as is, but it may be improved | ||||
by stating more directly how many modules are defined. | ||||
The "Relation to other RFCs" section Section 1.2 contains a self- | ||||
reference to this draft, along with a corresponding reference in the | ||||
Appendix. Please replace the self-reference in this section with | ||||
"This RFC" (or similar) and remove the self-reference in the | ||||
"Normative/Informative References" section, whichever it is in. | ||||
Tree-diagrams in this draft may use the '\' line-folding mode defined | ||||
in RFC 8792. However, nicer-to-the-eye is when the '\\' line-folding | ||||
mode is used. The AD suggested suggested putting a request here for | ||||
the RFC Editor to help convert "ugly" '\' folded examples to use the | ||||
'\\' folding mode. "Help convert" may be interpreted as, identify | ||||
what looks ugly and ask the authors to make the adjustment. | ||||
The following Appendix sections are to be removed prior to | ||||
publication: | ||||
* Appendix A.1. Initial Module for the "Encryption Algorithm Names" | ||||
Registry | ||||
* Appendix A.2. Initial Module for the "MAC Algorithm Names" | ||||
Registry | ||||
* Appendix A.3. Initial Module for the "Public Key Algorithm Names" | ||||
Registry | ||||
* Appendix A.4. Initial Module for the "Key Exchange Method Names" | ||||
Registry | ||||
* Appendix B. Change Log | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 17 September 2024. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9644. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction | |||
1.1. Regarding the IETF Modules . . . . . . . . . . . . . . . 6 | 1.1. Regarding the Three IETF Modules | |||
1.2. Relation to other RFCs . . . . . . . . . . . . . . . . . 6 | 1.2. Relation to Other RFCs | |||
1.3. Specification Language . . . . . . . . . . . . . . . . . 8 | 1.3. Specification Language | |||
1.4. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 8 | 1.4. Adherence to the NMDA | |||
1.5. Conventions . . . . . . . . . . . . . . . . . . . . . . . 8 | 1.5. Conventions | |||
2. The "ietf-ssh-common" Module . . . . . . . . . . . . . . . . 9 | 2. The "ietf-ssh-common" Module | |||
2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 9 | 2.1. Data Model Overview | |||
2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 12 | 2.2. Example Usage | |||
2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14 | 2.3. YANG Module | |||
3. The "ietf-ssh-client" Module . . . . . . . . . . . . . . . . 24 | 3. The "ietf-ssh-client" Module | |||
3.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 24 | 3.1. Data Model Overview | |||
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 27 | 3.2. Example Usage | |||
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 31 | 3.3. YANG Module | |||
4. The "ietf-ssh-server" Module . . . . . . . . . . . . . . . . 39 | 4. The "ietf-ssh-server" Module | |||
4.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 39 | 4.1. Data Model Overview | |||
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 41 | 4.2. Example Usage | |||
4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 45 | 4.3. YANG Module | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 54 | 5. Security Considerations | |||
5.1. Considerations for the "iana-ssh-key-exchange-algs" | 5.1. Considerations for the "iana-ssh-key-exchange-algs" Module | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 54 | 5.2. Considerations for the "iana-ssh-encryption-algs" Module | |||
5.2. Considerations for the "iana-ssh-encryption-algs" | 5.3. Considerations for the "iana-ssh-mac-algs" Module | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 55 | 5.4. Considerations for the "iana-ssh-public-key-algs" Module | |||
5.3. Considerations for the "iana-ssh-mac-algs" Module . . . . 56 | 5.5. Considerations for the "ietf-ssh-common" YANG Module | |||
5.4. Considerations for the "iana-ssh-public-key-algs" | 5.6. Considerations for the "ietf-ssh-client" YANG Module | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 56 | 5.7. Considerations for the "ietf-ssh-server" YANG Module | |||
5.5. Considerations for the "ietf-ssh-common" YANG Module . . 57 | 6. IANA Considerations | |||
5.6. Considerations for the "ietf-ssh-client" YANG Module . . 57 | 6.1. The IETF XML Registry | |||
5.7. Considerations for the "ietf-ssh-server" YANG Module . . 58 | 6.2. The YANG Module Names Registry | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 | 6.3. Considerations for the "iana-ssh-encryption-algs" Module | |||
6.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 59 | 6.4. Considerations for the "iana-ssh-mac-algs" Module | |||
6.2. The "YANG Module Names" Registry . . . . . . . . . . . . 60 | 6.5. Considerations for the "iana-ssh-public-key-algs" Module | |||
6.3. Considerations for the "iana-ssh-encryption-algs" | 6.6. Considerations for the "iana-ssh-key-exchange-algs" Module | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 61 | 7. References | |||
6.4. Considerations for the "iana-ssh-mac-algs" Module . . . . 63 | 7.1. Normative References | |||
6.5. Considerations for the "iana-ssh-public-key-algs" | 7.2. Informative References | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 64 | Appendix A. Script to Generate IANA-Maintained YANG Modules | |||
6.6. Considerations for the "iana-ssh-key-exchange-algs" | Acknowledgements | |||
Module . . . . . . . . . . . . . . . . . . . . . . . . . 66 | Contributors | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 | Author's Address | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 68 | ||||
7.2. Informative References . . . . . . . . . . . . . . . . . 70 | ||||
Appendix A. Script to Generate IANA-Maintained YANG Modules . . 73 | ||||
A.1. Initial Module for the "Encryption Algorithm Names" | ||||
Registry . . . . . . . . . . . . . . . . . . . . . . . . 80 | ||||
A.2. Initial Module for the "MAC Algorithm Names" Registry . . 88 | ||||
A.3. Initial Module for the "Public Key Algorithm Names" | ||||
Registry . . . . . . . . . . . . . . . . . . . . . . . . 91 | ||||
A.4. Initial Module for the "Key Exchange Method Names" | ||||
Registry . . . . . . . . . . . . . . . . . . . . . . . . 99 | ||||
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 143 | ||||
B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 143 | ||||
B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 143 | ||||
B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 143 | ||||
B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 143 | ||||
B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 144 | ||||
B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 144 | ||||
B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 144 | ||||
B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 144 | ||||
B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 145 | ||||
B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 145 | ||||
B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 145 | ||||
B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 145 | ||||
B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 145 | ||||
B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 146 | ||||
B.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 146 | ||||
B.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 146 | ||||
B.17. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 146 | ||||
B.18. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 146 | ||||
B.19. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 147 | ||||
B.20. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 147 | ||||
B.21. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 148 | ||||
B.22. 21 to 22 . . . . . . . . . . . . . . . . . . . . . . . . 148 | ||||
B.23. 22 to 23 . . . . . . . . . . . . . . . . . . . . . . . . 148 | ||||
B.24. 23 to 24 . . . . . . . . . . . . . . . . . . . . . . . . 148 | ||||
B.25. 24 to 25 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.26. 25 to 26 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.27. 26 to 27 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.28. 27 to 28 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.29. 28 to 29 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.30. 29 to 30 . . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
B.31. 30 to 31 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.32. 31 to 32 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.33. 32 to 33 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.34. 33 to 34 . . . . . . . . . . . . . . . . . . . . . . . . 150 | ||||
B.35. 34 to 35 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.36. 35 to 36 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.37. 36 to 38 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.38. 38 to 39 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
B.39. 39 to 40 . . . . . . . . . . . . . . . . . . . . . . . . 151 | ||||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 152 | ||||
1. Introduction | 1. Introduction | |||
This document presents seven YANG 1.1 [RFC7950] modules. Three | This document presents three IETF-defined YANG modules [RFC7950] and | |||
"IETF" modules and four "IANA" modules. | a script used to create four supporting IANA modules. | |||
The three IETF modules are ietf-ssh-common (Section 2), ietf-ssh- | The three IETF modules are ietf-ssh-common (Section 2), ietf-ssh- | |||
client (Section 3), and ietf-ssh-server (Section 4). The "ietf-ssh- | client (Section 3), and ietf-ssh-server (Section 4). The "ietf-ssh- | |||
client" and "ietf-ssh-server" modules are the primary productions of | client" and "ietf-ssh-server" modules are the primary productions of | |||
this work, supporting the configuration and monitoring of SSH clients | this work, supporting the configuration and monitoring of SSH clients | |||
and servers. | and servers. | |||
The groupings defined in this document are expected to be used in | The groupings defined in this document are expected to be used in | |||
conjunction with the groupings defined in an underlying transport- | conjunction with the groupings defined in an underlying transport- | |||
level module, such as the groupings defined in | level module, such as the groupings defined in [RFC9643]. The | |||
[I-D.ietf-netconf-tcp-client-server]. The transport-level data model | transport-level data model enables the configuration of transport- | |||
enables the configuration of transport-level values such as a remote | level values, such as a remote address, a remote port, a local | |||
address, a remote port, a local address, and a local port. | address, and a local port. | |||
The four IANA modules are: iana-ssh-encryption-algs (Appendix A.1), | The four IANA modules are: iana-ssh-encryption-algs, iana-ssh-key- | |||
iana-ssh-key-exchange-algs (Appendix A.4), iana-ssh-mac-algs | exchange-algs, iana-ssh-mac-algs, and iana-ssh-public-key-algs. | |||
(Appendix A.2), and iana-ssh-public-key-algs (Appendix A.3). These | These modules each define YANG enumerations providing support for an | |||
modules each define YANG enumerations providing support for an IANA- | IANA-maintained algorithm registry. | |||
maintained algorithm registry. | ||||
This document assumes that the four IANA modules exist, and presents | This document assumes that the four IANA modules exist and presents a | |||
a script in Appendix A that IANA may use to generate the YANG | script in Appendix A that IANA may use to generate those YANG | |||
modules. This document does not publish initial versions of these | modules. This document does not publish the initial versions of | |||
four modules. IANA publishes these modules. | these four modules. IANA publishes these modules. | |||
1.1. Regarding the IETF Modules | 1.1. Regarding the Three IETF Modules | |||
The three IETF modules define features and groupings to model | The three IETF modules define features and groupings to model | |||
"generic" SSH clients and SSH servers, where "generic" should be | "generic" SSH clients and SSH servers, where "generic" should be | |||
interpreted as "least common denominator" rather than "complete." | interpreted as "least common denominator" rather than "complete." | |||
Basic SSH protocol ([RFC4252], [RFC4253], and [RFC4254]) support is | Support for the basic SSH protocol [RFC4252] [RFC4253] [RFC4254] is | |||
afforded by these modules, leaving configuration of advance features | afforded by these modules, leaving configuration of advanced features | |||
(e.g., multiple channels) to augmentations made by consuming modules. | (e.g., multiple channels) to augmentations made by consuming modules. | |||
It is intended that the YANG groupings will be used by applications | It is intended that the YANG groupings will be used by applications | |||
needing to configure SSH client and server protocol stacks. For | needing to configure SSH client and server protocol stacks. For | |||
instance, these groupings are used to help define the data model for | instance, these groupings are used to help define the data models in | |||
NETCONF over SSH [RFC6242] based clients and servers in | [NETCONF-CLIENT-SERVER], for clients and servers using the Network | |||
[I-D.ietf-netconf-netconf-client-server]. | Configuration Protocol (NETCONF) over SSH [RFC6242]. | |||
The ietf-ssh-client and ietf-ssh-server YANG modules each define one | The "ietf-ssh-client" and "ietf-ssh-server" YANG modules each define | |||
grouping, which is focused on just SSH-specific configuration, and | one grouping, which is focused on just SSH-specific configuration, | |||
specifically avoids any transport-level configuration, such as what | and specifically avoid any transport-level configuration, such as | |||
ports to listen on or connect to. This affords applications the | what ports to listen on or connect to. This affords applications the | |||
opportunity to define their own strategy for how the underlying TCP | opportunity to define their own strategy for how the underlying TCP | |||
connection is established. For instance, applications supporting | connection is established. For instance, applications supporting | |||
NETCONF Call Home [RFC8071] could use the "ssh-server-grouping" | NETCONF Call Home [RFC8071] could use the "ssh-server-grouping" | |||
grouping for the SSH parts it provides, while adding data nodes for | grouping for the SSH parts it provides while adding data nodes for | |||
the TCP-level call-home configuration. | the TCP-level call-home configuration. | |||
The modules defined in this document optionally support [RFC6187] | The modules defined in this document optionally support [RFC6187], | |||
enabling X.509v3 certificate based host keys and public keys. | which describes enabling host keys and public keys based on X.509v3 | |||
certificates. | ||||
1.2. Relation to other RFCs | 1.2. Relation to Other RFCs | |||
This document presents one or more YANG modules [RFC7950] that are | This document presents three YANG modules [RFC7950] that are part of | |||
part of a collection of RFCs that work together to, ultimately, | a collection of RFCs that work together to ultimately support the | |||
support the configuration of both the clients and servers of both the | configuration of both the clients and servers of both the NETCONF | |||
NETCONF [RFC6241] and RESTCONF [RFC8040] protocols. | [RFC6241] and RESTCONF [RFC8040] protocols. | |||
The dependency relationship between the primary YANG groupings | The dependency relationship between the primary YANG groupings | |||
defined in the various RFCs is presented in the below diagram. In | defined in the various RFCs is presented in the below diagram. In | |||
some cases, a draft may define secondary groupings that introduce | some cases, a document may define secondary groupings that introduce | |||
dependencies not illustrated in the diagram. The labels in the | dependencies not illustrated in the diagram. The labels in the | |||
diagram are a shorthand name for the defining RFC. The citation | diagram are shorthand names for the defining RFCs. The citation | |||
reference for shorthand name is provided below the diagram. | references for shorthand names are provided below the diagram. | |||
Please note that the arrows in the diagram point from referencer to | Please note that the arrows in the diagram point from referencer to | |||
referenced. For example, the "crypto-types" RFC does not have any | referenced. For example, the "crypto-types" RFC does not have any | |||
dependencies, whilst the "keystore" RFC depends on the "crypto-types" | dependencies, whilst the "keystore" RFC depends on the "crypto-types" | |||
RFC. | RFC. | |||
crypto-types | crypto-types | |||
^ ^ | ^ ^ | |||
/ \ | / \ | |||
/ \ | / \ | |||
skipping to change at page 8, line 5 | skipping to change at line 196 | |||
| | | | | ^ | | | | | | ^ | |||
| | | +-----+ +---------+ | | | | | +-----+ +---------+ | | |||
| | | | | | | | | | | | | | |||
| +-----------|--------|--------------+ | | | | +-----------|--------|--------------+ | | | |||
| | | | | | | | | | | | | | |||
+-----------+ | | | | | | +-----------+ | | | | | | |||
| | | | | | | | | | | | | | |||
| | | | | | | | | | | | | | |||
netconf-client-server restconf-client-server | netconf-client-server restconf-client-server | |||
+======================+===========================================+ | +========================+==========================+ | |||
|Label in Diagram | Originating RFC | | | Label in Diagram | Reference | | |||
+======================+===========================================+ | +========================+==========================+ | |||
|crypto-types | [I-D.ietf-netconf-crypto-types] | | | crypto-types | [RFC9640] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|truststore | [I-D.ietf-netconf-trust-anchors] | | | truststore | [RFC9641] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|keystore | [I-D.ietf-netconf-keystore] | | | keystore | [RFC9642] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|tcp-client-server | [I-D.ietf-netconf-tcp-client-server] | | | tcp-client-server | [RFC9643] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|ssh-client-server | [I-D.ietf-netconf-ssh-client-server] | | | ssh-client-server | RFC9644 | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|tls-client-server | [I-D.ietf-netconf-tls-client-server] | | | tls-client-server | [RFC9645] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|http-client-server | [I-D.ietf-netconf-http-client-server] | | | http-client-server | [HTTP-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|netconf-client-server | [I-D.ietf-netconf-netconf-client-server] | | | netconf-client-server | [NETCONF-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|restconf-client-server| [I-D.ietf-netconf-restconf-client-server] | | | restconf-client-server | [RESTCONF-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
Table 1: Label in Diagram to RFC Mapping | Table 1: Label in Diagram to RFC Mapping | |||
1.3. Specification Language | 1.3. Specification Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
1.4. Adherence to the NMDA | 1.4. Adherence to the NMDA | |||
This document is compliant with the Network Management Datastore | This document is compliant with the Network Management Datastore | |||
Architecture (NMDA) [RFC8342]. For instance, as described in | Architecture (NMDA) [RFC8342]. For instance, as described in | |||
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore], | [RFC9641] and [RFC9642], trust anchors and keys installed during | |||
trust anchors and keys installed during manufacturing are expected to | manufacturing are expected to appear in <operational> (Section 5.3 of | |||
appear in <operational> (Section 5.3 of [RFC8342]), and <system> | [RFC8342]) and <system> [SYSTEM-CONFIG] if implemented. | |||
[I-D.ietf-netmod-system-config], if implemented. | ||||
1.5. Conventions | 1.5. Conventions | |||
Various examples in this document use "BASE64VALUE=" as a placeholder | Various examples in this document use "BASE64VALUE=" as a placeholder | |||
value for binary data that has been base64 encoded (per Section 9.8 | value for binary data that has been base64 encoded (per Section 9.8 | |||
of [RFC7950]). This placeholder value is used because real base64 | of [RFC7950]). This placeholder value is used because real | |||
encoded structures are often many lines long and hence distracting to | base64-encoded structures are often many lines long and hence | |||
the example being presented. | distracting to the example being presented. | |||
Various examples in this document use the XML [W3C.REC-xml-20081126] | ||||
encoding. Other encodings, such as JSON [RFC8259], could | ||||
alternatively be used. | ||||
Various examples in this document contain long lines that may be | ||||
folded, as described in [RFC8792]. | ||||
2. The "ietf-ssh-common" Module | 2. The "ietf-ssh-common" Module | |||
The SSH common model presented in this section contains features and | The SSH common model presented in this section is common to both SSH | |||
groupings common to both SSH clients and SSH servers. The | clients and SSH servers. The "transport-params-grouping" grouping | |||
"transport-params-grouping" grouping can be used to configure the | can be used to configure the list of SSH transport algorithms | |||
list of SSH transport algorithms permitted by the SSH client or SSH | permitted by the SSH client or SSH server. The lists of permitted | |||
server. The lists of permitted algorithms are in decreasing order of | algorithms are in decreasing order of usage preference. The | |||
usage preference. The algorithm that appears first in the client | algorithm that appears first in the client list that also appears in | |||
list that also appears in the server list is the one that is used for | the server list is the one that is used for the SSH transport layer | |||
the SSH transport layer connection. The ability to restrict the | connection. The ability to restrict the algorithms allowed is | |||
algorithms allowed is provided in this grouping for SSH clients and | provided in this grouping for SSH clients and SSH servers that are | |||
SSH servers that are capable of doing so and may serve to make SSH | capable of doing so and may serve to make SSH clients and SSH servers | |||
clients and SSH servers compliant with security policies. | compliant with security policies. | |||
2.1. Data Model Overview | 2.1. Data Model Overview | |||
This section provides an overview of the "ietf-ssh-common" module in | This section provides an overview of the "ietf-ssh-common" module in | |||
terms of its features, identities, and groupings. | terms of its features, identities, groupings, and protocol-accessible | |||
nodes. | ||||
2.1.1. Features | 2.1.1. Features | |||
The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
the "ietf-ssh-common" module: | the "ietf-ssh-common" module: | |||
Features: | Features: | |||
+-- ssh-x509-certs | +-- ssh-x509-certs | |||
+-- transport-params | +-- transport-params | |||
+-- asymmetric-key-pair-generation | +-- asymmetric-key-pair-generation | |||
skipping to change at page 10, line 18 | skipping to change at line 314 | |||
+-- key-exchange | +-- key-exchange | |||
| +-- key-exchange-alg* ssh-key-exchange-algorithm | | +-- key-exchange-alg* ssh-key-exchange-algorithm | |||
+-- encryption | +-- encryption | |||
| +-- encryption-alg* ssh-encryption-algorithm | | +-- encryption-alg* ssh-encryption-algorithm | |||
+-- mac | +-- mac | |||
+-- mac-alg* ssh-mac-algorithm | +-- mac-alg* ssh-mac-algorithm | |||
Comments: | Comments: | |||
* This grouping is used by both the "ssh-client-grouping" and the | * This grouping is used by both the "ssh-client-grouping" and the | |||
"ssh-server-grouping" groupings defined in Section 3.1.2.1 and | "ssh-server-grouping" groupings defined in Sections 3.1.2.1 and | |||
Section 4.1.2.1, respectively. | 4.1.2.1, respectively. | |||
* This grouping enables client and server configurations to specify | * This grouping enables client and server configurations to specify | |||
the algorithms that are to be used when establishing SSH sessions. | the algorithms that are to be used when establishing SSH sessions. | |||
* Each list is "ordered-by user". | * Each list is "ordered-by user". | |||
2.1.3. Protocol-accessible Nodes | 2.1.3. Protocol-Accessible Nodes | |||
The following tree diagram [RFC8340] lists all the protocol- | The following tree diagram [RFC8340] lists all the protocol- | |||
accessible nodes defined in the "ietf-ssh-common" module, without | accessible nodes defined in the "ietf-ssh-common" module without | |||
expanding the "grouping" statements: | expanding the "grouping" statements: | |||
module: ietf-ssh-common | module: ietf-ssh-common | |||
+--ro supported-algorithms {algorithm-discovery}? | +--ro supported-algorithms {algorithm-discovery}? | |||
+--ro public-key-algorithms | +--ro public-key-algorithms | |||
| +--ro supported-algorithm* ssh-public-key-algorithm | | +--ro supported-algorithm* ssh-public-key-algorithm | |||
+--ro encryption-algorithms | +--ro encryption-algorithms | |||
| +--ro supported-algorithm* ssh-encryption-algorithm | | +--ro supported-algorithm* ssh-encryption-algorithm | |||
+--ro key-exchange-algorithms | +--ro key-exchange-algorithms | |||
| +--ro supported-algorithm* ssh-key-exchange-algorithm | | +--ro supported-algorithm* ssh-key-exchange-algorithm | |||
skipping to change at page 11, line 46 ¶ | skipping to change at line 369 ¶ | |||
+--ro location? | +--ro location? | |||
instance-identifier | instance-identifier | |||
Comments: | Comments: | |||
* Protocol-accessible nodes are those nodes that are accessible when | * Protocol-accessible nodes are those nodes that are accessible when | |||
the module is "implemented", as described in Section 5.6.5 of | the module is "implemented", as described in Section 5.6.5 of | |||
[RFC7950]. | [RFC7950]. | |||
* The protocol-accessible nodes for the "ietf-ssh-common" module are | * The protocol-accessible nodes for the "ietf-ssh-common" module are | |||
limited to "supported-algorithms" container, which is constrained | limited to the "supported-algorithms" container, which is | |||
by the "algorithm-discovery" feature, and the RPC "generate- | constrained by the "algorithm-discovery" feature, and the | |||
asymmetric-key-pair", which is constrained by the "asymmetric-key- | "generate-asymmetric-key-pair" RPC, which is constrained by the | |||
pair-generation" feature. | "asymmetric-key-pair-generation" feature. | |||
* The "encrypted-by-grouping" grouping is discussed in | * The "encrypted-by-grouping" grouping is discussed in | |||
Section 2.1.3.1 of [I-D.ietf-netconf-keystore]. | Section 2.1.3.1 of [RFC9642]. | |||
* The "asymmetric-key-pair-grouping" grouping is discussed in | * The "asymmetric-key-pair-grouping" grouping is discussed in | |||
Section 2.1.4.6 of [I-D.ietf-netconf-crypto-types]. | Section 2.1.4.6 of [RFC9640]. | |||
2.2. Example Usage | 2.2. Example Usage | |||
The following example illustrates the "transport-params-grouping" | The following example illustrates the "transport-params-grouping" | |||
grouping when populated with some data. | grouping when populated with some data. | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
skipping to change at page 14, line 40 ¶ | skipping to change at line 498 ¶ | |||
n:public-key-format> | n:public-key-format> | |||
<sshcmn:public-key>BASE64VALUE=</sshcmn:public-key> | <sshcmn:public-key>BASE64VALUE=</sshcmn:public-key> | |||
<sshcmn:private-key-format>ct:ec-private-key-format</sshcmn:privat\ | <sshcmn:private-key-format>ct:ec-private-key-format</sshcmn:privat\ | |||
e-key-format> | e-key-format> | |||
<sshcmn:cleartext-private-key>BASE64VALUE=</sshcmn:cleartext-priva\ | <sshcmn:cleartext-private-key>BASE64VALUE=</sshcmn:cleartext-priva\ | |||
te-key> | te-key> | |||
</rpc-reply> | </rpc-reply> | |||
2.3. YANG Module | 2.3. YANG Module | |||
This YANG module has normative references to [RFC4253], [RFC4344], | This YANG module has normative references to [RFC4250], [RFC4253], | |||
[RFC4419], [RFC5656], [RFC6187], [RFC6668], and [FIPS_186-6]. | [RFC6187], and [FIPS_186-5]. | |||
<CODE BEGINS> file "ietf-ssh-common@2024-03-16.yang" | <CODE BEGINS> file "ietf-ssh-common@2024-03-16.yang" | |||
module ietf-ssh-common { | module ietf-ssh-common { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common"; | |||
prefix sshcmn; | prefix sshcmn; | |||
import ietf-crypto-types { | ||||
prefix ct; | ||||
reference | ||||
"RFC 9640: YANG Data Types and Groupings for Cryptography"; | ||||
} | ||||
import ietf-keystore { | ||||
prefix ks; | ||||
reference | ||||
"RFC 9642: A YANG Data Model for a Keystore"; | ||||
} | ||||
import iana-ssh-encryption-algs { | import iana-ssh-encryption-algs { | |||
prefix sshea; | prefix sshea; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
import iana-ssh-key-exchange-algs { | import iana-ssh-key-exchange-algs { | |||
prefix sshkea; | prefix sshkea; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
import iana-ssh-mac-algs { | import iana-ssh-mac-algs { | |||
prefix sshma; | prefix sshma; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
import iana-ssh-public-key-algs { | import iana-ssh-public-key-algs { | |||
prefix sshpka; | prefix sshpka; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | ||||
import ietf-crypto-types { | ||||
prefix ct; | ||||
reference | ||||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | ||||
} | ||||
import ietf-keystore { | ||||
prefix ks; | ||||
reference | ||||
"RFC CCCC: A YANG Data Model for a Keystore"; | ||||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Gary Wu <mailto:garywu@cisco.com>"; | Author: Gary Wu <mailto:garywu@cisco.com>"; | |||
description | description | |||
"This module defines a common features and groupings for | "This module defines common features and groupings for | |||
Secure Shell (SSH). | Secure Shell (SSH). | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC EEEE | This version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Features | // Features | |||
feature ssh-x509-certs { | feature ssh-x509-certs { | |||
description | description | |||
"X.509v3 certificates are supported for SSH."; | "X.509v3 certificates are supported for SSH."; | |||
reference | reference | |||
"RFC 6187: X.509v3 Certificates for Secure Shell | "RFC 6187: X.509v3 Certificates for Secure Shell | |||
Authentication"; | Authentication"; | |||
skipping to change at page 17, line 4 ¶ | skipping to change at line 604 ¶ | |||
feature transport-params { | feature transport-params { | |||
description | description | |||
"SSH transport layer parameters are configurable."; | "SSH transport layer parameters are configurable."; | |||
} | } | |||
feature asymmetric-key-pair-generation { | feature asymmetric-key-pair-generation { | |||
description | description | |||
"Indicates that the server implements the | "Indicates that the server implements the | |||
'generate-asymmetric-key-pair' RPC."; | 'generate-asymmetric-key-pair' RPC."; | |||
} | } | |||
feature algorithm-discovery { | feature algorithm-discovery { | |||
description | description | |||
"Indicates that the server implements the | "Indicates that the server implements the | |||
'supported-algorithms' container."; | 'supported-algorithms' container."; | |||
} | } | |||
// Typedefs | // Typedefs | |||
typedef ssh-public-key-algorithm { | typedef ssh-public-key-algorithm { | |||
type union { | type union { | |||
type sshpka:ssh-public-key-algorithm; | type sshpka:ssh-public-key-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the public key algorithm to be | "A type that enables the public key algorithm to be | |||
either an IANA-maintained public key algorithm in | either an IANA-maintained public key algorithm in | |||
the 'iana-ssh-public-key-algs' YANG module (RFC EEEE), | the 'iana-ssh-public-key-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-key-exchange-algorithm { | typedef ssh-key-exchange-algorithm { | |||
type union { | type union { | |||
type sshkea:ssh-key-exchange-algorithm; | type sshkea:ssh-key-exchange-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC 4250."; | |||
4250."; | ||||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC 4250."; | |||
4250."; | ||||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the key exchange algorithm to be | "A type that enables the key exchange algorithm to be | |||
either an IANA-maintained key exchange algorithm in | either an IANA-maintained key exchange algorithm in | |||
the 'iana-ssh-key-exchange-algs' YANG module (RFC EEEE), | the 'iana-ssh-key-exchange-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-encryption-algorithm { | typedef ssh-encryption-algorithm { | |||
type union { | type union { | |||
type sshea:ssh-encryption-algorithm; | type sshea:ssh-encryption-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the encryption algorithm to be | "A type that enables the encryption algorithm to be | |||
either an IANA-maintained encryption algorithm in | either an IANA-maintained encryption algorithm in | |||
the 'iana-ssh-encryption-algs' YANG module (RFC EEEE), | the 'iana-ssh-encryption-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-mac-algorithm { | typedef ssh-mac-algorithm { | |||
type union { | type union { | |||
type sshma:ssh-mac-algorithm; | type sshma:ssh-mac-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the MAC algorithm to be | "A type that enables the message authentication code (MAC) | |||
either an IANA-maintained MAC algorithm in | algorithm to be either an IANA-maintained MAC algorithm | |||
the 'iana-ssh-mac-algs' YANG module (RFC EEEE), | in the 'iana-ssh-mac-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping transport-params-grouping { | grouping transport-params-grouping { | |||
description | description | |||
"A reusable grouping for SSH transport parameters."; | "A reusable grouping for SSH transport parameters."; | |||
reference | reference | |||
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||
container host-key { | container host-key { | |||
description | description | |||
"Parameters regarding host key."; | "Parameters regarding host key."; | |||
leaf-list host-key-alg { | leaf-list host-key-alg { | |||
type ssh-public-key-algorithm; | type ssh-public-key-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable host key algorithms in order of decreasing | "Acceptable host key algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable host key algorithms are implementation- | elements), the acceptable host key algorithms are | |||
defined."; | implementation-defined."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
} | } | |||
container key-exchange { | container key-exchange { | |||
description | description | |||
"Parameters regarding key exchange."; | "Parameters regarding key exchange."; | |||
leaf-list key-exchange-alg { | leaf-list key-exchange-alg { | |||
type ssh-key-exchange-algorithm; | type ssh-key-exchange-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable key exchange algorithms in order of decreasing | "Acceptable key exchange algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable key exchange algorithms are implementation | elements), the acceptable key exchange algorithms are | |||
defined."; | implementation-defined."; | |||
} | } | |||
} | } | |||
container encryption { | container encryption { | |||
description | description | |||
"Parameters regarding encryption."; | "Parameters regarding encryption."; | |||
leaf-list encryption-alg { | leaf-list encryption-alg { | |||
type ssh-encryption-algorithm; | type ssh-encryption-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable encryption algorithms in order of decreasing | "Acceptable encryption algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable encryption algorithms are implementation | elements), the acceptable encryption algorithms are | |||
defined."; | implementation-defined."; | |||
} | } | |||
} | } | |||
container mac { | container mac { | |||
description | description | |||
"Parameters regarding message authentication code (MAC)."; | "Parameters regarding message authentication code (MAC)."; | |||
leaf-list mac-alg { | leaf-list mac-alg { | |||
type ssh-mac-algorithm; | type ssh-mac-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable MAC algorithms in order of decreasing | "Acceptable MAC algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable MAC algorithms are implementation- | elements), the acceptable MAC algorithms are | |||
defined."; | implementation-defined."; | |||
} | } | |||
} | } | |||
} | } | |||
// Protocol-accessible Nodes | // Protocol-accessible Nodes | |||
container supported-algorithms { | container supported-algorithms { | |||
if-feature "algorithm-discovery"; | if-feature "algorithm-discovery"; | |||
config false; | config false; | |||
description | description | |||
skipping to change at page 22, line 43 ¶ | skipping to change at line 890 ¶ | |||
type ssh-public-key-algorithm; | type ssh-public-key-algorithm; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"The algorithm to be used when generating the key."; | "The algorithm to be used when generating the key."; | |||
} | } | |||
leaf num-bits { | leaf num-bits { | |||
type uint16; | type uint16; | |||
description | description | |||
"Specifies the number of bits in the key to create. | "Specifies the number of bits in the key to create. | |||
For RSA keys, the minimum size is 1024 bits and | For RSA keys, the minimum size is 1024 bits and | |||
the default is 3072 bits. Generally, 3072 bits is | the default is 3072 bits. Generally, 3072 bits is | |||
considered sufficient. DSA keys must be exactly 1024 | considered sufficient. DSA keys must be exactly 1024 | |||
bits as specified by FIPS 186-6. For ECDSA keys, the | bits, as specified by FIPS 186-5. For Elliptic Curve | |||
Digital Signature Algorithm (ECDSA) keys, the | ||||
'num-bits' value determines the key length by selecting | 'num-bits' value determines the key length by selecting | |||
from one of three elliptic curve sizes: 256, 384 or | from one of three elliptic curve sizes: 256, 384, or | |||
521 bits. Attempting to use bit lengths other than | 521 bits. Attempting to use bit lengths other than | |||
these three values for ECDSA keys will fail. ECDSA-SK, | these three values for ECDSA keys will fail. ECDSA-SK, | |||
Ed25519 and Ed25519-SK keys have a fixed length and | Ed25519, and Ed25519-SK keys have a fixed length, and | |||
thus the 'num-bits' value is not specified."; | thus, the 'num-bits' value is not specified."; | |||
reference | reference | |||
"FIPS 186-6: Digital Signature Standard (DSS)"; | "FIPS 186-5: Digital Signature Standard (DSS)"; | |||
} | } | |||
container private-key-encoding { | container private-key-encoding { | |||
description | description | |||
"Indicates how the private key is to be encoded."; | "Indicates how the private key is to be encoded."; | |||
choice private-key-encoding { | choice private-key-encoding { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst optional private key handling."; | "A choice amongst optional private key handling."; | |||
case cleartext { | case cleartext { | |||
if-feature "ct:cleartext-private-keys"; | if-feature "ct:cleartext-private-keys"; | |||
skipping to change at page 23, line 28 ¶ | skipping to change at line 923 ¶ | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be returned | "Indicates that the private key is to be returned | |||
as a cleartext value."; | as a cleartext value."; | |||
} | } | |||
} | } | |||
case encrypted { | case encrypted { | |||
if-feature "ct:encrypted-private-keys"; | if-feature "ct:encrypted-private-keys"; | |||
container encrypted { | container encrypted { | |||
description | description | |||
"Indicates that the private key is to be encrypted | "Indicates that the private key is to be encrypted | |||
using the specified symmetric or asymmetric key."; | using the specified symmetric or asymmetric key."; | |||
uses ks:encrypted-by-grouping; | uses ks:encrypted-by-grouping; | |||
} | } | |||
} | } | |||
case hidden { | case hidden { | |||
if-feature "ct:hidden-private-keys"; | if-feature "ct:hidden-private-keys"; | |||
leaf hidden { | leaf hidden { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be hidden. | "Indicates that the private key is to be hidden. | |||
Unlike the 'cleartext' and 'encrypt' options, the | Unlike the 'cleartext' and 'encrypt' options, the | |||
key returned is a placeholder for an internally | key returned is a placeholder for an internally | |||
stored key. See the 'Support for Built-in Keys' | stored key. See the 'Support for Built-in Keys' | |||
section in RFC CCCC for information about hidden | section in RFC 9642 for information about hidden | |||
keys. | keys. | |||
It is expected that the server will instantiate | It is expected that the server will instantiate | |||
the hidden key in the same location where built-in | the hidden key in the same location where built-in | |||
keys are located. Rather than return the key, | keys are located. Rather than returning the key, | |||
just the key's location is returned in the output."; | just the key's location is returned in the output."; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
output { | output { | |||
choice key-or-hidden { | choice key-or-hidden { | |||
case key { | case key { | |||
uses ct:asymmetric-key-pair-grouping; | uses ct:asymmetric-key-pair-grouping; | |||
} | } | |||
case hidden { | case hidden { | |||
leaf location { | leaf location { | |||
type instance-identifier; | type instance-identifier; | |||
skipping to change at page 24, line 28 ¶ | skipping to change at line 971 ¶ | |||
} | } | |||
description | description | |||
"The output can be either a key (for cleartext and | "The output can be either a key (for cleartext and | |||
encrypted keys) or the location to where the key | encrypted keys) or the location to where the key | |||
was created (for hidden keys)."; | was created (for hidden keys)."; | |||
} | } | |||
} | } | |||
} // end generate-asymmetric-key-pair | } // end generate-asymmetric-key-pair | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
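The union typedefs in the module above (an IANA-maintained name, or a locally defined name of 1..64 characters containing '@' per RFC 4250), the preference-ordered leaf-lists of "transport-params-grouping", and the read-only "supported-algorithms" container together describe how a configured algorithm list should be checked. The following Python checker is an added example, not code from RFC 9644 or from any SSH implementation; it applies those rules and, going one step beyond the module text, the RFC 4253 rule for which algorithm a negotiation selects. The small IANA algorithm sets, the flattened dict shape used for both containers, and the function names are constructed assumptions.

```python
"""Checks for the "transport-params-grouping" of ietf-ssh-common (RFC 9644).

Added example, not code from RFC 9644 or from any SSH implementation.
The IANA algorithm sets below are small constructed samples standing in
for the enumerations in the iana-ssh-*-algs modules, not the registries.
"""
import re
from typing import Dict, List, Optional

# Constructed stand-ins for the iana-ssh-*-algs enumerations, keyed by the
# leaf-list name used in transport-params-grouping.
IANA_ALGS: Dict[str, set] = {
    "host-key-alg": {"ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-256"},
    "key-exchange-alg": {"curve25519-sha256", "ecdh-sha2-nistp256",
                         "diffie-hellman-group14-sha256"},
    "encryption-alg": {"aes128-ctr", "aes256-ctr", "AEAD_AES_256_GCM"},
    "mac-alg": {"hmac-sha2-256", "hmac-sha2-512"},
}

# Second member of each ssh-*-algorithm union:
#   type string { length "1..64"; pattern '.*@.*'; }
# YANG (XSD) patterns are implicitly anchored, hence fullmatch below.
LOCAL_ALG_RE = re.compile(r".*@.*")


def is_valid_algorithm(leaf: str, name: str) -> bool:
    """Mirror the union typedefs: either an IANA-maintained name or a
    locally defined name of 1..64 chars containing '@' (RFC 4250, 4.6.1)."""
    if name in IANA_ALGS[leaf]:
        return True
    return 1 <= len(name) <= 64 and LOCAL_ALG_RE.fullmatch(name) is not None


def check_transport_params(params: Dict[str, List[str]],
                           supported: Optional[Dict[str, List[str]]] = None
                           ) -> List[str]:
    """Validate a transport-params instance given as a dict mapping each
    leaf-list name to its entries in decreasing preference (simplified
    shape, an assumption of this example).  Returns a list of problem
    strings; an empty list means the instance is valid.  An empty leaf-list
    is valid: the module says the acceptable set is then implementation-
    defined.  When 'supported' (the server's supported-algorithms container,
    same simplified shape) is given, configured names the server cannot use
    are reported too, which is the check to run before pushing the config."""
    problems: List[str] = []
    for leaf, names in params.items():
        if leaf not in IANA_ALGS:
            problems.append(f"unknown leaf-list {leaf!r}")
            continue
        seen = set()
        for name in names:
            if not is_valid_algorithm(leaf, name):
                problems.append(f"{leaf}: {name!r} is neither IANA-maintained "
                                "nor a local '@' name of length 1..64")
            # Entries of a config-true leaf-list must be unique (RFC 7950).
            if name in seen:
                problems.append(f"{leaf}: duplicate entry {name!r}")
            seen.add(name)
            if supported is not None and name not in supported.get(leaf, ()):
                problems.append(f"{leaf}: {name!r} not in supported-algorithms")
    return problems


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253, Section 7.1: the chosen algorithm is the first entry of the
    client's list that the server also supports; None when there is no
    overlap (the connection then fails).  This is why 'ordered-by user'
    matters: the order of the leaf-list is the preference order."""
    server = set(server_prefs)
    for name in client_prefs:
        if name in server:
            return name
    return None


if __name__ == "__main__":
    # Constructed configuration in the shape of the Section 2.2 example.
    cfg = {
        "host-key-alg": ["ssh-ed25519", "rsa-sha2-256"],
        "key-exchange-alg": ["curve25519-sha256",
                             "diffie-hellman-group14-sha256"],
        "encryption-alg": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
        "mac-alg": ["hmac-sha2-256"],
    }
    # Constructed server-side supported-algorithms (same simplified shape).
    server = {
        "host-key-alg": ["ssh-ed25519"],
        "key-exchange-alg": ["curve25519-sha256"],
        "encryption-alg": ["aes256-ctr", "AEAD_AES_256_GCM"],
        "mac-alg": ["hmac-sha2-256"],
    }
    for problem in check_transport_params(cfg, server):
        print("problem:", problem)
    print("negotiated cipher:",
          negotiate(cfg["encryption-alg"], server["encryption-alg"]))
```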
3. The "ietf-ssh-client" Module | 3. The "ietf-ssh-client" Module | |||
This section defines a YANG 1.1 [RFC7950] module called "ietf-ssh- | This section defines a YANG 1.1 [RFC7950] module called "ietf-ssh- | |||
client". A high-level overview of the module is provided in | client". A high-level overview of the module is provided in | |||
Section 3.1. Examples illustrating the module's use are provided in | Section 3.1. Examples illustrating the module's use are provided in | |||
Examples (Section 3.2). The YANG module itself is defined in | Section 3.2 ("Example Usage"). The YANG module itself is defined in | |||
Section 3.3. | Section 3.3. | |||
3.1. Data Model Overview | 3.1. Data Model Overview | |||
This section provides an overview of the "ietf-ssh-client" module in | This section provides an overview of the "ietf-ssh-client" module in | |||
terms of its features and groupings. | terms of its features and groupings. | |||
3.1.1. Features | 3.1.1. Features | |||
The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
skipping to change at page 26, line 51 ¶ | skipping to change at line 1063 ¶ | |||
"feature" statement. | "feature" statement. | |||
* The "transport-params" node, which must be enabled by a feature, | * The "transport-params" node, which must be enabled by a feature, | |||
configures parameters for the SSH sessions established by this | configures parameters for the SSH sessions established by this | |||
configuration. | configuration. | |||
* The "keepalives" node, which must be enabled by a feature, | * The "keepalives" node, which must be enabled by a feature, | |||
configures a "presence" container for testing the aliveness of the | configures a "presence" container for testing the aliveness of the | |||
SSH server. The aliveness-test occurs at the SSH protocol layer. | SSH server. The aliveness-test occurs at the SSH protocol layer. | |||
* For the referenced grouping statement(s): | * For the referenced grouping statements: | |||
- The "inline-or-keystore-asymmetric-key-grouping" grouping is | - The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore]. | discussed in Section 2.1.3.4 of [RFC9642]. | |||
- The "inline-or-keystore-end-entity-cert-with-key-grouping" | - The "inline-or-keystore-end-entity-cert-with-key-grouping" | |||
grouping is discussed in Section 2.1.3.6 of | grouping is discussed in Section 2.1.3.6 of [RFC9642]. | |||
[I-D.ietf-netconf-keystore]. | ||||
- The "inline-or-truststore-public-keys-grouping" grouping is | - The "inline-or-truststore-public-keys-grouping" grouping is | |||
discussed in Section 2.1.3.4 of | discussed in Section 2.1.3.4 of [RFC9641]. | |||
[I-D.ietf-netconf-trust-anchors]. | ||||
- The "inline-or-truststore-certs-grouping" grouping is discussed | - The "inline-or-truststore-certs-grouping" grouping is discussed | |||
in Section 2.1.3.3 of [I-D.ietf-netconf-trust-anchors]. | in Section 2.1.3.3 of [RFC9641]. | |||
- The "transport-params-grouping" grouping is discussed in | - The "transport-params-grouping" grouping is discussed in | |||
Section 2.1.2.1 in this document. | Section 2.1.2.1 in this document. | |||
3.1.3. Protocol-accessible Nodes | 3.1.3. Protocol-Accessible Nodes | |||
The "ietf-ssh-client" module defines only "grouping" statements that | The "ietf-ssh-client" module defines only "grouping" statements that | |||
are used by other modules to instantiate protocol-accessible nodes. | are used by other modules to instantiate protocol-accessible nodes. | |||
Thus this module, when implemented, does not itself define any | Thus, this module, when implemented, does not itself define any | |||
protocol-accessible nodes. | protocol-accessible nodes. | |||
3.2. Example Usage | 3.2. Example Usage | |||
This section presents two examples showing the "ssh-client-grouping" | This section presents two examples showing the "ssh-client-grouping" | |||
grouping populated with some data. These examples are effectively | grouping populated with some data. These examples are effectively | |||
the same except the first configures the client identity using a | the same, except the first configures the client identity using an | |||
inlined key while the second uses a key configured in a keystore. | inlined key, while the second uses a key configured in a keystore. | |||
Both examples are consistent with the examples presented in | Both examples are consistent with the examples presented in | |||
Section 2.2.1 of [I-D.ietf-netconf-trust-anchors] and Section 2.2.1 | Section 2.2.1 of [RFC9641] and Section 2.2.1 of [RFC9642]. | |||
of [I-D.ietf-netconf-keystore]. | ||||
The following configuration example uses inline-definitions for the | The following configuration example uses inline-definitions for the | |||
client identity and server authentication: | client identity and server authentication: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-client | <ssh-client | |||
skipping to change at page 29, line 4 ¶ | skipping to change at line 1162 ¶ | |||
<certificate> | <certificate> | |||
<name>My Application #1</name> | <name>My Application #1</name> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
<certificate> | <certificate> | |||
<name>My Application #2</name> | <name>My Application #2</name> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
</inline-definition> | </inline-definition> | |||
</ee-certs> | </ee-certs> | |||
</server-authentication> | </server-authentication> | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-client> | </ssh-client> | |||
The following configuration example uses central-keystore-references | The following configuration example uses central-keystore-references | |||
for the client identity and central-truststore-references for server | for the client identity and central-truststore-references for server | |||
authentication: from the keystore: | authentication from the keystore: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-client | <ssh-client | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" | |||
xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | |||
skipping to change at page 31, line 8 ¶ | skipping to change at line 1225 ¶ | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-client> | </ssh-client> | |||
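The two instance documents above are truncated in this rendering, so the following added example (not part of RFC 9644 or the draft) constructs a minimal "ssh-client" instance in the module's namespace that carries the elements shown here: a "client-identity" username (the value "bob" is constructed), the two inline "ee-certs" entries, and the "keepalives" presence container. It parses the instance and applies what the YANG module says about these nodes: "keepalives" is a presence container, so an absent container means no liveness testing at all while an empty one means the defaults (30 seconds, 3 attempts); "max-wait" is a uint16 in the range "1..max" and "max-attempts" a uint8. The summary it returns is the sort of thing a configuration linter would check before pushing the data to a device.

```python
"""Summarize an ietf-ssh-client instance (constructed example, not RFC 9644 code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Namespace of the "ietf-ssh-client" module, as in the RFC's examples.
NS = "urn:ietf:params:xml:ns:yang:ietf-ssh-client"


def q(name: str) -> str:
    """Qualify a local element name with the module namespace for ElementTree."""
    return f"{{{NS}}}{name}"


@dataclass
class KeepalivePolicy:
    max_wait: int = 30      # YANG default of leaf "max-wait" (seconds)
    max_attempts: int = 3   # YANG default of leaf "max-attempts"

    @property
    def dead_after(self) -> int:
        """Seconds after which an unresponsive server is dropped (max-wait * max-attempts)."""
        return self.max_wait * self.max_attempts


@dataclass
class SshClientSummary:
    username: Optional[str]
    ee_cert_names: List[str]
    keepalives: Optional[KeepalivePolicy]  # None when the presence container is absent


def _leaf_int(parent: ET.Element, name: str, default: int, lo: int, hi: int) -> int:
    """Read an integer leaf, falling back to its YANG default and enforcing its range."""
    el = parent.find(q(name))
    if el is None:
        return default
    value = int((el.text or "").strip())
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the allowed range {lo}..{hi}")
    return value


def summarize(xml_text: str) -> SshClientSummary:
    """Parse an ssh-client instance and return the nodes this example cares about."""
    root = ET.fromstring(xml_text)
    if root.tag != q("ssh-client"):
        raise ValueError("root element is not ietf-ssh-client:ssh-client")

    username_el = root.find(f"./{q('client-identity')}/{q('username')}")
    username = username_el.text if username_el is not None else None

    cert_path = (f"./{q('server-authentication')}/{q('ee-certs')}/"
                 f"{q('inline-definition')}/{q('certificate')}")
    ee_cert_names = [c.findtext(q("name")) for c in root.iterfind(cert_path)]

    ka = root.find(q("keepalives"))
    keepalives = None
    if ka is not None:  # presence container present: defaults apply to missing leaves
        keepalives = KeepalivePolicy(
            max_wait=_leaf_int(ka, "max-wait", 30, 1, 65535),   # uint16, range "1..max"
            max_attempts=_leaf_int(ka, "max-attempts", 3, 0, 255),  # uint8
        )
    return SshClientSummary(username, ee_cert_names, keepalives)


# Constructed instance: the same shape as the RFC's inline-definition example,
# with a made-up username; "BASE64VALUE=" is the RFC's own placeholder.
EXAMPLE_CONFIG = """<ssh-client xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client">
  <client-identity><username>bob</username></client-identity>
  <server-authentication>
    <ee-certs><inline-definition>
      <certificate><name>My Application #1</name><cert-data>BASE64VALUE=</cert-data></certificate>
      <certificate><name>My Application #2</name><cert-data>BASE64VALUE=</cert-data></certificate>
    </inline-definition></ee-certs>
  </server-authentication>
  <keepalives><max-wait>30</max-wait><max-attempts>3</max-attempts></keepalives>
</ssh-client>"""

if __name__ == "__main__":
    print(summarize(EXAMPLE_CONFIG))
```

Removing the whole "keepalives" element from the constructed instance yields a summary with "keepalives" set to None, whereas an empty "<keepalives/>" yields the defaults; a "max-wait" of 0 is rejected because the leaf's range starts at 1.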
3.3. YANG Module | 3.3. YANG Module | |||
This YANG module has normative references to [RFC4252], [RFC4254], | This YANG module has normative references to [RFC4252], [RFC4254], | |||
[RFC8341], [I-D.ietf-netconf-crypto-types], | [RFC8341], [RFC9640], [RFC9641], and [RFC9642]. | |||
[I-D.ietf-netconf-trust-anchors], and [I-D.ietf-netconf-keystore]. | ||||
<CODE BEGINS> file "ietf-ssh-client@2024-03-16.yang" | <CODE BEGINS> file "ietf-ssh-client@2024-03-16.yang" | |||
module ietf-ssh-client { | module ietf-ssh-client { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client"; | |||
prefix sshc; | prefix sshc; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-ssh-common { | import ietf-ssh-common { | |||
prefix sshcmn; | prefix sshcmn; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | |||
description | description | |||
"This module defines a reusable grouping for SSH clients that | "This module defines a reusable grouping for SSH clients that | |||
can be used as a basis for specific SSH client instances. | can be used as a basis for specific SSH client instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC EEEE | This version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Features | // Features | |||
feature ssh-client-keepalives { | feature ssh-client-keepalives { | |||
description | description | |||
"Per socket SSH keepalive parameters are configurable for | "SSH keepalive parameters are configurable for | |||
SSH clients on the server implementing this feature."; | SSH clients on the server implementing this feature."; | |||
} | } | |||
feature client-ident-publickey { | feature client-ident-publickey { | |||
description | description | |||
"Indicates that the 'publickey' authentication type, per | "Indicates that the 'publickey' authentication type, per | |||
RFC 4252, is supported for client identification. | RFC 4252, is supported for client identification. | |||
The 'publickey' authentication type is required by | The 'publickey' authentication type is required by | |||
RFC 4252, but common implementations allow it to | RFC 4252, but common implementations allow it to | |||
be disabled."; | be disabled."; | |||
skipping to change at page 33, line 43 ¶ | skipping to change at line 1355 ¶ | |||
It is NOT RECOMMENDED to enable this feature."; | It is NOT RECOMMENDED to enable this feature."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping ssh-client-grouping { | grouping ssh-client-grouping { | |||
description | description | |||
"A reusable grouping for configuring a SSH client without | "A reusable grouping for configuring an SSH client without | |||
any consideration for how an underlying TCP session is | any consideration for how an underlying TCP session is | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a nesting of 'uses' statements will | node names such that a nesting of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'ssh-client-parameters'). This model purposely does | 'ssh-client-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container client-identity { | container client-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"The username and authentication methods for the client. | "The username and authentication methods for the client. | |||
The authentication methods are unordered. Clients may | The authentication methods are unordered. Clients may | |||
initially send any configured method or, per RFC 4252, | initially send any configured method or, per Section 5.2 of | |||
Section 5.2, send the 'none' method to prompt the server | RFC 4252, send the 'none' method to prompt the server | |||
to provide a list of productive methods. Whenever a | to provide a list of productive methods. Whenever a | |||
choice amongst methods arises, implementations SHOULD | choice amongst methods arises, implementations SHOULD | |||
use a default ordering that prioritizes automation | use a default ordering that prioritizes automation | |||
over human-interaction."; | over human interaction."; | |||
leaf username { | leaf username { | |||
type string; | type string; | |||
description | description | |||
"The username of this user. This will be the username | "The username of this user. This will be the username | |||
used, for instance, to log into an SSH server."; | used, for instance, to log into an SSH server."; | |||
} | } | |||
container public-key { | container public-key { | |||
if-feature "client-ident-publickey"; | if-feature "client-ident-publickey"; | |||
presence | presence | |||
"Indicates that publickey-based authentication has been | "Indicates that public-key-based authentication has been | |||
configured. This statement is present so the mandatory | configured. This statement is present so the mandatory | |||
descendant nodes do not imply that this node must be | descendant nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A locally-defined or referenced asymmetric key | "A locally defined or referenced asymmetric key | |||
pair to be used for client identification."; | pair to be used for client identification."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:ssh-public-key-format")'; | + '(public-key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
+ 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
+ '"ct:ssh-public-key-format")'; | + '"ct:ssh-public-key-format")'; | |||
skipping to change at page 35, line 17 ¶ | skipping to change at line 1425 ¶ | |||
descendant nodes do not imply that this node must be | descendant nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A password to be used to authenticate the client's | "A password to be used to authenticate the client's | |||
identity."; | identity."; | |||
uses ct:password-grouping; | uses ct:password-grouping; | |||
} | } | |||
container hostbased { | container hostbased { | |||
if-feature "client-ident-hostbased"; | if-feature "client-ident-hostbased"; | |||
presence | presence | |||
"Indicates that hostbased authentication is configured. | "Indicates that host-based authentication is configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A locally-defined or referenced asymmetric key | "A locally defined or referenced asymmetric key | |||
pair to be used for host identification."; | pair to be used for host identification."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self(' | must 'not(public-key-format) or derived-from-or-self(' | |||
+ 'public-key-format, "ct:ssh-public-key-format")'; | + 'public-key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
+ 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
+ '"ct:ssh-public-key-format")'; | + '"ct:ssh-public-key-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
leaf none { | leaf none { | |||
if-feature "client-ident-none"; | if-feature "client-ident-none"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that 'none' algorithm is used for client | "Indicates that the 'none' algorithm is used for client | |||
identification."; | identification."; | |||
} | } | |||
container certificate { | container certificate { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that certificate-based authentication has been | "Indicates that certificate-based authentication has been | |||
configured. This statement is present so the mandatory | configured. This statement is present so the mandatory | |||
descendant nodes do not imply that this node must be | descendant nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A locally-defined or referenced certificate | "A locally defined or referenced certificate | |||
to be used for client identification."; | to be used for client identification."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses | uses | |||
ks:inline-or-keystore-end-entity-cert-with-key-grouping { | ks:inline-or-keystore-end-entity-cert-with-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self(' | must 'not(public-key-format) or derived-from-or-self(' | |||
+ 'public-key-format, "ct:subject-public-key-info-' | + 'public-key-format, "ct:subject-public-key-info-' | |||
+ 'format")'; | + 'format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
skipping to change at page 36, line 45 ¶ | skipping to change at line 1500 ¶ | |||
presence | presence | |||
"Indicates that the SSH host key have been configured. | "Indicates that the SSH host key have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A bag of SSH host keys used by the SSH client to | "A bag of SSH host keys used by the SSH client to | |||
authenticate SSH server host keys. A server host key | authenticate SSH server host keys. A server host key | |||
is authenticated if it is an exact match to a | is authenticated if it is an exact match to a | |||
configured SSH host key."; | configured SSH host key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine | refine | |||
"inline-or-truststore/inline/inline-definition/public" | "inline-or-truststore/inline/inline-definition/public" | |||
+ "-key" { | + "-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
skipping to change at page 37, line 19 ¶ | skipping to change at line 1523 ¶ | |||
} | } | |||
} | } | |||
} | } | |||
container ca-certs { | container ca-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that the CA certificates have been configured. | "Indicates that the CA certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of Certification Authority (CA) certificates used by | |||
the SSH client to authenticate SSH servers. A server | the SSH client to authenticate SSH servers. A server | |||
is authenticated if its certificate has a valid chain | is authenticated if its certificate has a valid chain | |||
of trust to a configured CA certificate."; | of trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that the EE certificates have been configured. | "Indicates that the EE certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A set of end-entity certificates used by the SSH client | "A set of end-entity (EE) certificates used by the SSH | |||
to authenticate SSH servers. A server is authenticated | client to authenticate SSH servers. A server is | |||
if its certificate is an exact match to a configured | authenticated if its certificate is an exact match to a | |||
end-entity certificate."; | configured end-entity certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
} // container server-authentication | } // container server-authentication | |||
container transport-params { | container transport-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "sshcmn:transport-params"; | if-feature "sshcmn:transport-params"; | |||
description | description | |||
"Configurable parameters of the SSH transport layer."; | "Configurable parameters of the SSH transport layer."; | |||
uses sshcmn:transport-params-grouping; | uses sshcmn:transport-params-grouping; | |||
} // container transport-parameters | } // container transport-parameters | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "ssh-client-keepalives"; | if-feature "ssh-client-keepalives"; | |||
presence | presence | |||
"Indicates that the SSH client proactively tests the | "Indicates that the SSH client proactively tests the | |||
aliveness of the remote SSH server."; | aliveness of the remote SSH server."; | |||
description | description | |||
"Configures the keep-alive policy, to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the SSH server. An unresponsive SSH | the aliveness of the SSH server. An unresponsive SSH | |||
server is dropped after approximately max-wait * | server is dropped after approximately max-wait * | |||
max-attempts seconds. Per Section 4 of RFC 4254, | max-attempts seconds. Per Section 4 of RFC 4254, | |||
the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST | the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST | |||
message with a purposely nonexistent 'request name' | message with a purposely nonexistent 'request name' | |||
value (e.g., keepalive@ietf.org) and the 'want reply' | value (e.g., keepalive@example.com) and the 'want reply' | |||
value set to '1'."; | value set to '1'."; | |||
reference | reference | |||
"RFC 4254: The Secure Shell (SSH) Connection Protocol"; | "RFC 4254: The Secure Shell (SSH) Connection Protocol"; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which if | "Sets the amount of time in seconds after which an | |||
no data has been received from the SSH server, a | SSH-level message will be sent to test the aliveness | |||
SSH-level message will be sent to test the | of the SSH server if no data has been received from the | |||
aliveness of the SSH server."; | SSH server."; | |||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the SSH server before assuming the SSH server is | the SSH server before assuming the SSH server is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} // container keepalives | } // container keepalives | |||
} // grouping ssh-client-grouping | } // grouping ssh-client-grouping | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
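The "keepalives" container in the module above describes the liveness test only in prose: after "max-wait" seconds without data, the client sends an SSH_MSG_GLOBAL_REQUEST with a purposely nonexistent request name and 'want reply' set to 1, and an unresponsive server is dropped after approximately max-wait * max-attempts seconds. The following added example (not code from RFC 9644) encodes that message per Section 4 of RFC 4254, shows why a conforming server's SSH_MSG_REQUEST_FAILURE still proves liveness, and drives a small monitor against a constructed server. One detail is an assumption made here, since the module leaves it to implementations: the idle window before the first probe counts as the first expired "max-wait" window, which is what makes the drop time come out at max-wait * max-attempts.

```python
"""SSH-layer keepalive probing as described by ietf-ssh-client's 'keepalives'
container. Added example; message numbers are from RFC 4254, Section 4."""
import struct

SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82

# Purposely nonexistent request name, as the module's description suggests.
KEEPALIVE_REQUEST_NAME = b"keepalive@example.com"


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_keepalive_request(request_name: bytes = KEEPALIVE_REQUEST_NAME) -> bytes:
    """SSH_MSG_GLOBAL_REQUEST payload: byte 80, string request name, boolean want reply = 1."""
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(request_name) + b"\x01"


def parse_global_request(msg: bytes):
    """Decode a global request into (request_name, want_reply); reject malformed input."""
    if not msg or msg[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not an SSH_MSG_GLOBAL_REQUEST")
    if len(msg) < 5:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", msg[1:5])
    if len(msg) != 5 + length + 1:
        raise ValueError("length field does not match payload size")
    return msg[5:5 + length], msg[5 + length] != 0


def server_reply(msg: bytes, known_requests=()):
    """A conforming server answers any request that sets 'want reply'; an unknown
    request name gets SSH_MSG_REQUEST_FAILURE, which is still a sign of life."""
    name, want_reply = parse_global_request(msg)
    if not want_reply:
        return None
    ok = name in known_requests
    return bytes([SSH_MSG_REQUEST_SUCCESS if ok else SSH_MSG_REQUEST_FAILURE])


class KeepaliveMonitor:
    """Client-side liveness tracking for one SSH session.

    max_wait: seconds of silence before a probe is sent (uint16, 1..65535).
    max_attempts: consecutive max-wait windows that may pass without any data
      from the server (uint8). Assumption (not stated by the module): the idle
      window before the first probe counts, so the session is declared dead
      max_wait * max_attempts seconds after the last data from the server.
    """

    def __init__(self, max_wait: int = 30, max_attempts: int = 3, now: float = 0.0):
        if not 1 <= max_wait <= 65535:
            raise ValueError("max-wait must be in 1..65535")
        if not 0 <= max_attempts <= 255:
            raise ValueError("max-attempts must be in 0..255")
        self.max_wait = max_wait
        self.max_attempts = max_attempts
        self.last_activity = now
        self.missed_windows = 0
        self.probes_sent = []

    def on_data(self, now: float) -> None:
        """Any data from the server, including SSH_MSG_REQUEST_FAILURE, resets the count."""
        self.last_activity = now
        self.missed_windows = 0

    def tick(self, now: float) -> str:
        """Call periodically; returns 'alive', 'probe' (a probe was queued) or 'dead'."""
        if now - self.last_activity < self.max_wait:
            return "alive"
        self.missed_windows += 1
        self.last_activity = now
        if self.missed_windows >= self.max_attempts:
            return "dead"
        self.probes_sent.append(build_keepalive_request())
        return "probe"


def simulate(max_wait: int, max_attempts: int, server_responds: bool, horizon: int = 600):
    """Run the monitor against a constructed server with one-second ticks.
    Returns (second at which the session was dropped or None, number of probes sent)."""
    mon = KeepaliveMonitor(max_wait, max_attempts)
    for t in range(1, horizon + 1):
        state = mon.tick(float(t))
        if state == "dead":
            return t, len(mon.probes_sent)
        if state == "probe" and server_responds:
            reply = server_reply(mon.probes_sent[-1])  # unknown name -> REQUEST_FAILURE
            assert reply == bytes([SSH_MSG_REQUEST_FAILURE])
            mon.on_data(float(t))  # the failure reply itself proves the server is alive
    return None, len(mon.probes_sent)


if __name__ == "__main__":
    print("silent server:", simulate(30, 3, server_responds=False))
    print("responsive server:", simulate(30, 3, server_responds=True))
```

With the module's defaults, a silent server is dropped at second 90 after two unanswered probes, while a server that answers every probe (even with SSH_MSG_REQUEST_FAILURE) is never dropped and simply receives one probe per 30 seconds of idle time.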
4. The "ietf-ssh-server" Module | 4. The "ietf-ssh-server" Module | |||
This section defines a YANG 1.1 module called "ietf-ssh-server". A | This section defines a YANG 1.1 module called "ietf-ssh-server". A | |||
high-level overview of the module is provided in Section 4.1. | high-level overview of the module is provided in Section 4.1. | |||
Examples illustrating the module's use are provided in Examples | Examples illustrating the module's use are provided in Section 4.2 | |||
(Section 4.2). The YANG module itself is defined in Section 4.3. | ("Example Usage"). The YANG module itself is defined in Section 4.3. | |||
4.1. Data Model Overview | 4.1. Data Model Overview | |||
This section provides an overview of the "ietf-ssh-server" module in | This section provides an overview of the "ietf-ssh-server" module in | |||
terms of its features and groupings. | terms of its features and groupings. | |||
4.1.1. Features | 4.1.1. Features | |||
The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
the "ietf-ssh-server" module: | the "ietf-ssh-server" module: | |||
skipping to change at page 40, line 10 ¶ | skipping to change at line 1649 ¶ | |||
4.1.2.1. The "ssh-server-grouping" Grouping | 4.1.2.1. The "ssh-server-grouping" Grouping | |||
The following tree diagram [RFC8340] illustrates the "ssh-server- | The following tree diagram [RFC8340] illustrates the "ssh-server- | |||
grouping" grouping: | grouping" grouping: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
grouping ssh-server-grouping: | grouping ssh-server-grouping: | |||
+-- server-identity | +-- server-identity | |||
| +-- host-key* [name] | | +-- host-key* [name] | |||
| +-- name? string | | +-- name string | |||
| +-- (host-key-type) | | +-- (host-key-type) | |||
| +--:(public-key) | | +--:(public-key) | |||
| | +-- public-key | | | +-- public-key | |||
| | +---u ks:inline-or-keystore-asymmetric-key-groupi\ | | | +---u ks:inline-or-keystore-asymmetric-key-groupi\ | |||
ng | ng | |||
| +--:(certificate) | | +--:(certificate) | |||
| +-- certificate {sshcmn:ssh-x509-certs}? | | +-- certificate {sshcmn:ssh-x509-certs}? | |||
| +---u ks:inline-or-keystore-end-entity-cert-with-\ | | +---u ks:inline-or-keystore-end-entity-cert-with-\ | |||
key-grouping | key-grouping | |||
+-- client-authentication | +-- client-authentication | |||
| +-- users {local-users-supported}? | | +-- users {local-users-supported}? | |||
| | +-- user* [name] | | | +-- user* [name] | |||
| | +-- name? string | | | +-- name string | |||
| | +-- public-keys! {local-user-auth-publickey}? | | | +-- public-keys! {local-user-auth-publickey}? | |||
| | | +---u ts:inline-or-truststore-public-keys-grouping | | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| | +-- password | | | +-- password | |||
| | | +-- hashed-password? ianach:crypt-hash | | | | +-- hashed-password? ianach:crypt-hash | |||
| | | | {local-user-auth-password}? | | | | | {local-user-auth-password}? | |||
| | | +--ro last-modified? yang:date-and-time | | | | +--ro last-modified? yang:date-and-time | |||
| | +-- hostbased! {local-user-auth-hostbased}? | | | +-- hostbased! {local-user-auth-hostbased}? | |||
| | | +---u ts:inline-or-truststore-public-keys-grouping | | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| | +-- none? empty {local-user-auth-none}? | | | +-- none? empty {local-user-auth-none}? | |||
| +-- ca-certs! {sshcmn:ssh-x509-certs}? | | +-- ca-certs! {sshcmn:ssh-x509-certs}? | |||
skipping to change at page 41, line 13 ¶ | skipping to change at line 1700 ¶ | |||
"feature" statement. | "feature" statement. | |||
* The "transport-params" node, which must be enabled by a feature, | * The "transport-params" node, which must be enabled by a feature, | |||
configures parameters for the SSH sessions established by this | configures parameters for the SSH sessions established by this | |||
configuration. | configuration. | |||
* The "keepalives" node, which must be enabled by a feature, | * The "keepalives" node, which must be enabled by a feature, | |||
configures a "presence" container for testing the aliveness of the | configures a "presence" container for testing the aliveness of the | |||
SSH client. The aliveness-test occurs at the SSH protocol layer. | SSH client. The aliveness-test occurs at the SSH protocol layer. | |||
* For the referenced grouping statement(s): | * For the referenced grouping statements: | |||
- The "inline-or-keystore-asymmetric-key-grouping" grouping is | - The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in Section 2.1.3.4 of [I-D.ietf-netconf-keystore]. | discussed in Section 2.1.3.4 of [RFC9642]. | |||
- The "inline-or-keystore-end-entity-cert-with-key-grouping" | - The "inline-or-keystore-end-entity-cert-with-key-grouping" | |||
grouping is discussed in Section 2.1.3.6 of | grouping is discussed in Section 2.1.3.6 of [RFC9642]. | |||
[I-D.ietf-netconf-keystore]. | ||||
- The "inline-or-truststore-public-keys-grouping" grouping is | - The "inline-or-truststore-public-keys-grouping" grouping is | |||
discussed in Section 2.1.3.4 of | discussed in Section 2.1.3.4 of [RFC9641]. | |||
[I-D.ietf-netconf-trust-anchors]. | ||||
- The "inline-or-truststore-certs-grouping" grouping is discussed | - The "inline-or-truststore-certs-grouping" grouping is discussed | |||
in Section 2.1.3.3 of [I-D.ietf-netconf-trust-anchors]. | in Section 2.1.3.3 of [RFC9641]. | |||
- The "transport-params-grouping" grouping is discussed in | - The "transport-params-grouping" grouping is discussed in | |||
Section 2.1.2.1 in this document. | Section 2.1.2.1 in this document. | |||
4.1.3. Protocol-accessible Nodes | 4.1.3. Protocol-Accessible Nodes | |||
The "ietf-ssh-server" module defines only "grouping" statements that | The "ietf-ssh-server" module defines only "grouping" statements that | |||
are used by other modules to instantiate protocol-accessible nodes. | are used by other modules to instantiate protocol-accessible nodes. | |||
Thus this module, when implemented, does not itself define any | Thus, this module, when implemented, does not itself define any | |||
protocol-accessible nodes. | protocol-accessible nodes. | |||
4.2. Example Usage | 4.2. Example Usage | |||
This section presents two examples showing the "ssh-server-grouping" | This section presents two examples showing the "ssh-server-grouping" | |||
grouping populated with some data. These examples are effectively | grouping populated with some data. These examples are effectively | |||
the same except the first configures the server identity using a | the same, except the first configures the server identity using an | |||
inlined key while the second uses a key configured in a keystore. | inlined key, while the second uses a key configured in a keystore. | |||
Both examples are consistent with the examples presented in | Both examples are consistent with the examples presented in | |||
Section 2.2.1 of [I-D.ietf-netconf-trust-anchors] and Section 2.2.1 | Section 2.2.1 of [RFC9641] and Section 2.2.1 of [RFC9642]. | |||
of [I-D.ietf-netconf-keystore]. | ||||
The following configuration example uses inline-definitions for the | The following configuration example uses inline-definitions for the | |||
server identity and client authentication: | server identity and client authentication: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-server | <ssh-server | |||
skipping to change at page 43, line 51 ¶ | skipping to change at line 1831 ¶ | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-server> | </ssh-server> | |||
The following configuration example uses central-keystore-references | The following configuration example uses central-keystore-references | |||
for the server identity and central-truststore-references for client | for the server identity and central-truststore-references for client | |||
authentication: from the keystore: | authentication from the keystore: | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-server | <ssh-server | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server"> | |||
<!-- the host-key this SSH server will present --> | <!-- the host-key this SSH server will present --> | |||
skipping to change at page 45, line 4 ¶ | skipping to change at line 1881 ¶ | |||
ion A</central-truststore-reference> | ion A</central-truststore-reference> | |||
</public-keys> | </public-keys> | |||
</user> | </user> | |||
</users> | </users> | |||
<ca-certs> | <ca-certs> | |||
<central-truststore-reference>trusted-client-ca-certs</central\ | <central-truststore-reference>trusted-client-ca-certs</central\ | |||
-truststore-reference> | -truststore-reference> | |||
</ca-certs> | </ca-certs> | |||
<ee-certs> | <ee-certs> | |||
<central-truststore-reference>trusted-client-ee-certs</central\ | <central-truststore-reference>trusted-client-ee-certs</central\ | |||
-truststore-reference> | -truststore-reference> | |||
</ee-certs> | </ee-certs> | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-server> | </ssh-server> | |||
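As an added example (not code from RFC 9644 or from the IETF), the following Python lints an instance of the "ssh-server-grouping" shown above against the constraints the "ietf-ssh-server" module states: "min-elements 1" on "host-key", the mandatory "host-key-type" choice, the NOT RECOMMENDED 'none' method, the uint16/uint8 ranges on the keepalive leaves, and the approximate max-wait * max-attempts drop time; it also derives the RFC 4252 method names the server would offer from the nodes configured per user. The two instance documents are constructed for this example with placeholder key and truststore names; the "$0$" cleartext check relies on the ianach:crypt-hash definition in RFC 7317.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-ssh-server"


def q(tag: str) -> str:
    """Qualify a local name with the ietf-ssh-server namespace."""
    return f"{{{NS}}}{tag}"


# Two constructed instance documents (node names from the module; values are
# placeholders). WEAK_CONFIG violates several constraints; HARDENED_CONFIG passes.
WEAK_CONFIG = """<ssh-server xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server">
  <server-identity><host-key><name>placeholder-host-key</name></host-key></server-identity>
  <client-authentication><users><user>
    <name>mary</name>
    <password><hashed-password>$0$cleartext-secret</hashed-password></password>
    <none/>
  </user></users></client-authentication>
  <keepalives><max-wait>0</max-wait><max-attempts>3</max-attempts></keepalives>
</ssh-server>"""

HARDENED_CONFIG = """<ssh-server xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server">
  <server-identity><host-key>
    <name>placeholder-host-key</name>
    <public-key><central-keystore-reference>placeholder-key</central-keystore-reference></public-key>
  </host-key></server-identity>
  <client-authentication><users><user>
    <name>mary</name>
    <public-keys><central-truststore-reference>placeholder-keys</central-truststore-reference></public-keys>
  </user></users></client-authentication>
  <keepalives><max-wait>30</max-wait><max-attempts>3</max-attempts></keepalives>
</ssh-server>"""


def lint_ssh_server(xml_text: str) -> dict:
    """Check an ssh-server instance against the module's stated constraints.
    Returns errors, warnings, the RFC 4252 method names derived per user, and
    the approximate time after which an unresponsive client is dropped."""
    root = ET.fromstring(xml_text)
    errors, warnings, methods_by_user = [], [], {}

    # server-identity/host-key: "min-elements 1"; the host-key-type choice is
    # mandatory; each case holds an inline-definition or a central-keystore-reference.
    host_keys = root.findall(f"{q('server-identity')}/{q('host-key')}")
    if not host_keys:
        errors.append("server-identity: at least one host-key is required")
    for hk in host_keys:
        name = hk.findtext(q("name")) or "<unnamed>"
        cases = [c for c in ("public-key", "certificate") if hk.find(q(c)) is not None]
        if not cases:
            errors.append(f"host-key '{name}': host-key-type choice is mandatory")
        for case in cases:
            node = hk.find(q(case))
            if all(node.find(q(t)) is None
                   for t in ("inline-definition", "central-keystore-reference")):
                errors.append(f"host-key '{name}/{case}': no inline-definition "
                              "or central-keystore-reference")

    # client-authentication/users/user: derive the method names the server would
    # offer (Sections 5.1 and 5.2 of RFC 4252) from the descendant nodes present.
    for user in root.findall(f"{q('client-authentication')}/{q('users')}/{q('user')}"):
        uname = user.findtext(q("name")) or "<unnamed>"
        methods = []
        if user.find(q("public-keys")) is not None:
            methods.append("publickey")
        hashed = user.findtext(f"{q('password')}/{q('hashed-password')}")
        if hashed is not None:
            methods.append("password")
            # ianach:crypt-hash (RFC 7317): a "$0$" prefix means the value is cleartext.
            if hashed.startswith("$0$"):
                warnings.append(f"user '{uname}': hashed-password is stored in cleartext")
        if user.find(q("hostbased")) is not None:
            methods.append("hostbased")
        if user.find(q("none")) is not None:
            methods.append("none")
            warnings.append(f"user '{uname}': 'none' method configured (NOT RECOMMENDED)")
        if not methods:
            warnings.append(f"user '{uname}': no authentication method configured")
        methods_by_user[uname] = sorted(methods)  # the methods are unordered

    # keepalives: max-wait is uint16 "1..max", max-attempts is uint8; the module
    # describes the drop time as approximately max-wait * max-attempts seconds.
    drop_after = None
    ka = root.find(q("keepalives"))
    if ka is not None:
        max_wait = int(ka.findtext(q("max-wait")) or 30)         # default "30"
        max_attempts = int(ka.findtext(q("max-attempts")) or 3)  # default "3"
        if not 1 <= max_wait <= 65535:
            errors.append(f"keepalives/max-wait {max_wait}: outside range 1..65535")
        if not 0 <= max_attempts <= 255:
            errors.append(f"keepalives/max-attempts {max_attempts}: outside uint8 range")
        drop_after = max_wait * max_attempts
    return {"errors": errors, "warnings": warnings,
            "methods": methods_by_user, "drop_after_seconds": drop_after}
```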
4.3. YANG Module | 4.3. YANG Module | |||
This YANG module has references to [RFC4251], [RFC4252], [RFC4253], | This YANG module has normative references to [RFC4251], [RFC4252], | |||
[RFC4254], [RFC7317], [RFC8341], [I-D.ietf-netconf-crypto-types], | [RFC4253], [RFC4254], [RFC6991], [RFC7317], [RFC8341], [RFC9640], | |||
[I-D.ietf-netconf-trust-anchors], and [I-D.ietf-netconf-keystore]. | [RFC9641], and [RFC9642]. | |||
<CODE BEGINS> file "ietf-ssh-server@2024-03-16.yang" | <CODE BEGINS> file "ietf-ssh-server@2024-03-16.yang" | |||
module ietf-ssh-server { | module ietf-ssh-server { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; | |||
prefix sshs; | prefix sshs; | |||
import ietf-yang-types { | import ietf-yang-types { | |||
prefix yang; | prefix yang; | |||
reference | reference | |||
"RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
skipping to change at page 45, line 50 ¶ | skipping to change at line 1925 ¶ | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-ssh-common { | import ietf-ssh-common { | |||
prefix sshcmn; | prefix sshcmn; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | |||
description | description | |||
"This module defines a reusable grouping for SSH servers that | "This module defines a reusable grouping for SSH servers that | |||
can be used as a basis for specific SSH server instances. | can be used as a basis for specific SSH server instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC EEEE | This version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Features | // Features | |||
feature ssh-server-keepalives { | feature ssh-server-keepalives { | |||
description | description | |||
"Per socket SSH keepalive parameters are configurable for | "SSH keepalive parameters are configurable for | |||
SSH servers on the server implementing this feature."; | SSH servers on the server implementing this feature."; | |||
} | } | |||
feature local-users-supported { | feature local-users-supported { | |||
description | description | |||
"Indicates that the configuration for users can be | "Indicates that the configuration for users can be | |||
configured herein, as opposed to in an application | configured herein, as opposed to in an application- | |||
specific location."; | specific location."; | |||
} | } | |||
feature local-user-auth-publickey { | feature local-user-auth-publickey { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'publickey' authentication type, | "Indicates that the 'publickey' authentication type, | |||
per RFC 4252, is supported for locally-defined users. | per RFC 4252, is supported for locally defined users. | |||
The 'publickey' authentication type is required by | The 'publickey' authentication type is required by | |||
RFC 4252, but common implementations allow it to | RFC 4252, but common implementations allow it to | |||
be disabled."; | be disabled."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
feature local-user-auth-password { | feature local-user-auth-password { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'password' authentication type, | "Indicates that the 'password' authentication type, | |||
per RFC 4252, is supported for locally-defined users."; | per RFC 4252, is supported for locally defined users."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
feature local-user-auth-hostbased { | feature local-user-auth-hostbased { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'hostbased' authentication type, | "Indicates that the 'hostbased' authentication type, | |||
per RFC 4252, is supported for locally-defined users."; | per RFC 4252, is supported for locally defined users."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
feature local-user-auth-none { | feature local-user-auth-none { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'none' authentication type, per | "Indicates that the 'none' authentication type, per | |||
RFC 4252, is supported. It is NOT RECOMMENDED to | RFC 4252, is supported. It is NOT RECOMMENDED to | |||
enable this feature."; | enable this feature."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping ssh-server-grouping { | grouping ssh-server-grouping { | |||
description | description | |||
"A reusable grouping for configuring a SSH server without | "A reusable grouping for configuring an SSH server without | |||
any consideration for how underlying TCP sessions are | any consideration for how underlying TCP sessions are | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a nesting of 'uses' statements will | node names such that a nesting of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'ssh-server-parameters'). This model purposely does | 'ssh-server-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container server-identity { | container server-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"The list of host keys the SSH server will present when | "The list of host keys the SSH server will present when | |||
establishing a SSH connection."; | establishing an SSH connection."; | |||
list host-key { | list host-key { | |||
key "name"; | key "name"; | |||
min-elements 1; | min-elements 1; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"An ordered list of host keys (see RFC 4251) the SSH | "An ordered list of host keys (see RFC 4251) the SSH | |||
server will use to construct its ordered list of | server will use to construct its ordered list of | |||
algorithms, when sending its SSH_MSG_KEXINIT message, | algorithms when sending its SSH_MSG_KEXINIT message, | |||
as defined in Section 7.1 of RFC 4253."; | as defined in Section 7.1 of RFC 4253."; | |||
reference | reference | |||
"RFC 4251: The Secure Shell (SSH) Protocol Architecture | "RFC 4251: The Secure Shell (SSH) Protocol Architecture | |||
RFC 4253: The Secure Shell (SSH) Transport Layer | RFC 4253: The Secure Shell (SSH) Transport Layer | |||
Protocol"; | Protocol"; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"An arbitrary name for this host key"; | "An arbitrary name for this host key."; | |||
} | } | |||
choice host-key-type { | choice host-key-type { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"The type of host key being specified"; | "The type of host key being specified."; | |||
container public-key { | container public-key { | |||
description | description | |||
"A locally-defined or referenced asymmetric key pair | "A locally defined or referenced asymmetric key pair | |||
to be used for the SSH server's host key."; | to be used for the SSH server's host key."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:ssh-public-key-format")'; | + '(public-key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-' | + 'derived-from-or-self(deref(.)/../ks:public-' | |||
+ 'key-format, "ct:ssh-public-key-format")'; | + 'key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
container certificate { | container certificate { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
description | description | |||
"A locally-defined or referenced end-entity | "A locally defined or referenced end-entity | |||
certificate to be used for the SSH server's | certificate to be used for the SSH server's | |||
host key."; | host key."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses | uses | |||
ks:inline-or-keystore-end-entity-cert-with-key-grouping{ | ks:inline-or-keystore-end-entity-cert-with-key-grouping{ | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:subject-public-key-' | + '(public-key-format, "ct:subject-public-key-' | |||
+ 'info-format")'; | + 'info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
skipping to change at page 50, line 27 ¶ | skipping to change at line 2143 ¶ | |||
} | } | |||
} // container server-identity | } // container server-identity | |||
container client-authentication { | container client-authentication { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"Specifies how the SSH server can be configured to | "Specifies how the SSH server can be configured to | |||
authenticate SSH clients. See RFC 4252 for a general | authenticate SSH clients. See RFC 4252 for a general | |||
discussion about SSH authentication."; | discussion about SSH authentication."; | |||
reference | reference | |||
"RFC 4252: The Secure Shell (SSH) Transport Layer"; | "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; | |||
container users { | container users { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"A list of locally configured users."; | "A list of locally configured users."; | |||
list user { | list user { | |||
key "name"; | key "name"; | |||
description | description | |||
"A locally configured user. | "A locally configured user. | |||
The server SHOULD derive the list of authentication | The server SHOULD derive the list of authentication | |||
'method names' returned to the SSH client from the | 'method names' returned to the SSH client from the | |||
descendant nodes configured herein, per Sections | descendant nodes configured herein, per Sections | |||
5.1 and 5.2 in RFC 4252. | 5.1 and 5.2 of RFC 4252. | |||
The authentication methods are unordered. Clients | The authentication methods are unordered. Clients | |||
must authenticate to all configured methods. | must authenticate to all configured methods. | |||
Whenever a choice amongst methods arises, | Whenever a choice amongst methods arises, | |||
implementations SHOULD use a default ordering | implementations SHOULD use a default ordering | |||
that prioritizes automation over human-interaction."; | that prioritizes automation over human interaction."; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"The 'user name' for the SSH client, as defined in | "The 'username' for the SSH client, as defined in | |||
the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; | the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; | |||
reference | reference | |||
"RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||
Protocol"; | Protocol"; | |||
} | } | |||
container public-keys { | container public-keys { | |||
if-feature "local-user-auth-publickey"; | if-feature "local-user-auth-publickey"; | |||
presence | presence | |||
"Indicates that public keys have been configured. | "Indicates that public keys have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be | nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A set of SSH public keys may be used by the SSH | "A set of SSH public keys may be used by the SSH | |||
server to authenticate this user. A user is | server to authenticate this user. A user is | |||
authenticated if its public key is an exact | authenticated if its public key is an exact | |||
match to a configured public key."; | match to a configured public key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:ssh-' | + 'format[not(derived-from-or-self(., "ct:ssh-' | |||
skipping to change at page 52, line 4 ¶ | skipping to change at line 2216 ¶ | |||
if-feature "local-user-auth-password"; | if-feature "local-user-auth-password"; | |||
type ianach:crypt-hash; | type ianach:crypt-hash; | |||
description | description | |||
"The password for this user."; | "The password for this user."; | |||
} | } | |||
leaf last-modified { | leaf last-modified { | |||
type yang:date-and-time; | type yang:date-and-time; | |||
config false; | config false; | |||
description | description | |||
"Identifies when the password was last set."; | "Identifies when the password was last set."; | |||
} | } | |||
} | } | |||
container hostbased { | container hostbased { | |||
if-feature "local-user-auth-hostbased"; | if-feature "local-user-auth-hostbased"; | |||
presence | presence | |||
"Indicates that hostbased [RFC4252] keys have been | "Indicates that host-based (RFC 4252) keys have been | |||
configured. This statement is present so the | configured. This statement is present so the | |||
mandatory descendant nodes do not imply that this | mandatory descendant nodes do not imply that this | |||
node must be configured."; | node must be configured."; | |||
description | description | |||
"A set of SSH host keys used by the SSH server to | "A set of SSH host keys used by the SSH server to | |||
authenticate this user's host. A user's host is | authenticate this user's host. A user's host is | |||
authenticated if its host key is an exact match | authenticated if its host key is an exact match | |||
to a configured host key."; | to a configured host key."; | |||
reference | reference | |||
"RFC 4252: The Secure Shell (SSH) Transport Layer | "RFC 4252: The Secure Shell (SSH) Authentication | |||
RFC BBBB: A YANG Data Model for a Truststore"; | Protocol | |||
RFC 9641: A YANG Data Model for a Truststore"; | ||||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:ssh-' | + 'format[not(derived-from-or-self(., "ct:ssh-' | |||
skipping to change at page 52, line 44 ¶ | skipping to change at line 2256 ¶ | |||
} | } | |||
} | } | |||
leaf none { | leaf none { | |||
if-feature "local-user-auth-none"; | if-feature "local-user-auth-none"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the 'none' method is configured | "Indicates that the 'none' method is configured | |||
for this user."; | for this user."; | |||
reference | reference | |||
"RFC 4252: The Secure Shell (SSH) Authentication | "RFC 4252: The Secure Shell (SSH) Authentication | |||
Protocol."; | Protocol"; | |||
} | } | |||
} | } | |||
} // users | } // users | |||
container ca-certs { | container ca-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that CA certificates have been configured. | "Indicates that CA certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply this node must be configured."; | nodes do not imply this node must be configured."; | |||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of Certification Authority (CA) certificates used by | |||
the SSH server to authenticate SSH client certificates. | the SSH server to authenticate SSH client certificates. | |||
A client certificate is authenticated if it has a valid | A client certificate is authenticated if it has a valid | |||
chain of trust to a configured CA certificate."; | chain of trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that EE certificates have been configured. | "Indicates that EE certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply this node must be configured."; | nodes do not imply this node must be configured."; | |||
description | description | |||
"A set of client certificates (i.e., end entity | "A set of client certificates (i.e., end-entity | |||
certificates) used by the SSH server to authenticate | certificates) used by the SSH server to authenticate | |||
the certificates presented by SSH clients. A client | the certificates presented by SSH clients. A client | |||
certificate is authenticated if it is an exact match | certificate is authenticated if it is an exact match | |||
to a configured end-entity certificate."; | to a configured end-entity certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
} // container client-authentication | } // container client-authentication | |||
container transport-params { | container transport-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "sshcmn:transport-params"; | if-feature "sshcmn:transport-params"; | |||
description | description | |||
"Configurable parameters of the SSH transport layer."; | "Configurable parameters of the SSH transport layer."; | |||
uses sshcmn:transport-params-grouping; | uses sshcmn:transport-params-grouping; | |||
} // container transport-params | } // container transport-params | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "ssh-server-keepalives"; | if-feature "ssh-server-keepalives"; | |||
presence | presence | |||
"Indicates that the SSH server proactively tests the | "Indicates that the SSH server proactively tests the | |||
aliveness of the remote SSH client."; | aliveness of the remote SSH client."; | |||
description | description | |||
"Configures the keep-alive policy, to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the SSH client. An unresponsive SSH | the aliveness of the SSH client. An unresponsive SSH | |||
client is dropped after approximately max-wait * | client is dropped after approximately max-wait * | |||
max-attempts seconds. Per Section 4 of RFC 4254, | max-attempts seconds. Per Section 4 of RFC 4254, | |||
the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST | the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST | |||
message with a purposely nonexistent 'request name' | message with a purposely nonexistent 'request name' | |||
value (e.g., keepalive@ietf.org) and the 'want reply' | value (e.g., keepalive@example.com) and the 'want reply' | |||
value set to '1'."; | value set to '1'."; | |||
reference | reference | |||
"RFC 4254: The Secure Shell (SSH) Connection Protocol"; | "RFC 4254: The Secure Shell (SSH) Connection Protocol"; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which | "Sets the amount of time in seconds after which | |||
if no data has been received from the SSH client, | an SSH-level message will be sent to test the | |||
a SSH-level message will be sent to test the | aliveness of the SSH client if no data has been | |||
aliveness of the SSH client."; | received from the SSH client."; | |||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the SSH client before assuming the SSH client is | the SSH client before assuming the SSH client is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} | } | |||
} // grouping ssh-server-grouping | } // grouping ssh-server-grouping | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
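The "keepalives" container above describes a policy in prose: probe after max-wait seconds of silence, give up after max-attempts unanswered probes, using an SSH_MSG_GLOBAL_REQUEST with a deliberately unknown request name and 'want reply' set. The following Python is an added example, not code from RFC 9644 or from any SSH implementation. It encodes the probe payload with the message numbers and field layout of RFC 4254 and RFC 4251 and runs the server-side policy against constructed client timelines; the request name, the 1 s time step and the client behaviours passed to simulate() are assumptions made for the demo.

```python
"""Keepalive policy of the ietf-ssh-server 'keepalives' container, modeled
in Python.  Added example, not code from RFC 9644 or any SSH implementation.
Message numbers and encodings follow RFC 4254 / RFC 4251; the client
timelines given to simulate() are constructed for the demo."""
import struct

SSH_MSG_GLOBAL_REQUEST = 80    # RFC 4254, Section 9
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_keepalive_request(name: bytes = b"keepalive@example.com") -> bytes:
    """Payload of an SSH_MSG_GLOBAL_REQUEST carrying a purposely unknown
    request name with 'want reply' = 1, as the YANG description prescribes.
    Packet length, padding, encryption and MAC are added by the transport."""
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(name) + b"\x01"


def parse_global_request(payload: bytes):
    """Inverse of build_keepalive_request(); returns (request name, want_reply)."""
    if len(payload) < 6 or payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not an SSH_MSG_GLOBAL_REQUEST payload")
    (n,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + n + 1:
        raise ValueError("length field disagrees with payload size")
    return payload[5:5 + n], payload[5 + n] == 1


def is_liveness_reply(msg_type: int) -> bool:
    """Either reply proves the client is alive.  Because the request name is
    unknown to it, a conforming client answers SSH_MSG_REQUEST_FAILURE;
    a server that accepted only SUCCESS would drop every healthy client."""
    return msg_type in (SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE)


class KeepalivePolicy:
    """The two leafs of the container, with their YANG type constraints."""

    def __init__(self, max_wait: int = 30, max_attempts: int = 3):
        if not 1 <= max_wait <= 0xFFFF:        # uint16, range "1..max"
            raise ValueError("max-wait must be 1..65535")
        if not 0 <= max_attempts <= 0xFF:      # uint8
            raise ValueError("max-attempts must be 0..255")
        self.max_wait = max_wait
        self.max_attempts = max_attempts

    def approx_drop_seconds(self) -> int:
        """The text's 'approximately max-wait * max-attempts': the time from
        the first probe until the server gives up."""
        return self.max_wait * self.max_attempts

    def simulate(self, data_times=(), reply_delay=None, horizon=600):
        """One-second discrete model of the server side (assumed semantics).

        data_times  : seconds at which the client sends ordinary data
        reply_delay : seconds the client takes to answer a probe, or None for
                      a client that has silently disappeared
        Returns (probe_times, drop_time); drop_time is None if the client
        survives the horizon.  Any bytes from the client, data or a reply,
        reset both the idle timer and the failure counter."""
        data_times = set(data_times)
        pending_replies = set()
        last_rx, unanswered, probes = 0, 0, []
        for t in range(1, horizon + 1):
            if t in data_times or t in pending_replies:
                pending_replies.discard(t)
                last_rx, unanswered = t, 0
                continue
            if (t - last_rx) % self.max_wait == 0:
                if unanswered >= self.max_attempts:
                    return probes, t
                probes.append(t)
                unanswered += 1
                if reply_delay is not None:
                    pending_replies.add(t + reply_delay)
        return probes, None


if __name__ == "__main__":
    policy = KeepalivePolicy()                  # defaults: 30 s, 3 attempts
    print(build_keepalive_request().hex())
    print("dead client   :", policy.simulate())
    print("healthy client:", policy.simulate(reply_delay=2, horizon=200))
    print("data at 45 s  :", policy.simulate(data_times=[45]))
```

With the defaults, a client that falls silent at t=0 is probed at 30, 60 and 90 s and dropped at 120 s, that is max-wait * (max-attempts + 1) after the last byte received, because the first probe is itself only sent after max-wait seconds of silence; the text's max-wait * max-attempts figure holds when measured from the first probe. A max-attempts of 0 (permitted by uint8) drops the client at the first idle tick without probing at all.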
5. Security Considerations | 5. Security Considerations | |||
The three IETF YANG modules in this document define groupings and | The three IETF YANG modules in this document define groupings and | |||
will not be deployed as standalone modules. Their security | will not be deployed as standalone modules. Their security | |||
implications may be context dependent based on their use in other | implications may be context-dependent based on their use in other | |||
modules. The designers of modules which import these grouping must | modules. The designers of modules that import these groupings must | |||
conduct their own analysis of the security considerations. | conduct their own analysis of the security considerations. | |||
5.1. Considerations for the "iana-ssh-key-exchange-algs" Module | 5.1. Considerations for the "iana-ssh-key-exchange-algs" Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "iana-ssh-key-exchange-algs" YANG module defines a data model | The "iana-ssh-key-exchange-algs" YANG module defines a data model | |||
that is designed to be accessed via YANG based management protocols, | that is designed to be accessed via YANG-based management protocols, | |||
such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these | such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols | |||
protocols have mandatory-to-implement secure transport layers (e.g., | have mandatory-to-implement secure transport layers (e.g., Secure | |||
SSH, TLS) with mutual authentication. | Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and | |||
mandatory-to-implement mutual authentication. | |||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
This YANG module defines YANG enumerations, for a public IANA- | This YANG module defines YANG enumerations for a public IANA- | |||
maintained registry. | maintained registry. | |||
YANG enumerations are not security-sensitive, as they are statically | YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. IANA MAY deprecate | defined in the publicly accessible YANG module. IANA MAY deprecate | |||
and/or obsolete enumerations over time as needed to address security | and/or obsolete enumerations over time as needed to address security | |||
issues found in the algorithms. | issues found in the algorithms. | |||
This module does not define any writable-nodes, RPCs, actions, or | This module does not define any writable nodes, RPCs, actions, or | |||
notifications, and thus the security consideration for such is not | notifications, and thus, the security considerations for such are not | |||
provided here. | provided here. | |||
5.2. Considerations for the "iana-ssh-encryption-algs" Module | 5.2. Considerations for the "iana-ssh-encryption-algs" Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "iana-ssh-encryption-algs" YANG module defines a data model that | The "iana-ssh-encryption-algs" YANG module defines a data model that | |||
is designed to be accessed via YANG based management protocols, such | is designed to be accessed via YANG-based management protocols, such | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
This YANG module defines YANG enumerations, for a public IANA- | This YANG module defines YANG enumerations for a public IANA- | |||
maintained registry. | maintained registry. | |||
YANG enumerations are not security-sensitive, as they are statically | YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. | defined in the publicly accessible YANG module. | |||
This module does not define any writable-nodes, RPCs, actions, or | This module does not define any writable nodes, RPCs, actions, or | |||
notifications, and thus the security consideration for such is not | notifications, and thus, the security considerations for such are not | |||
provided here. | provided here. | |||
5.3. Considerations for the "iana-ssh-mac-algs" Module | 5.3. Considerations for the "iana-ssh-mac-algs" Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "iana-ssh-mac-algs" YANG module defines a data model that is | The "iana-ssh-mac-algs" YANG module defines a data model that is | |||
designed to be accessed via YANG based management protocols, such as | designed to be accessed via YANG-based management protocols, such as | |||
NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
This YANG module defines YANG enumerations, for a public IANA- | This YANG module defines YANG enumerations for a public IANA- | |||
maintained registry. | maintained registry. | |||
YANG enumerations are not security-sensitive, as they are statically | YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. | defined in the publicly accessible YANG module. | |||
This module does not define any writable-nodes, RPCs, actions, or | This module does not define any writable nodes, RPCs, actions, or | |||
notifications, and thus the security consideration for such is not | notifications, and thus, the security considerations for such are not | |||
provided here. | provided here. | |||
5.4. Considerations for the "iana-ssh-public-key-algs" Module | 5.4. Considerations for the "iana-ssh-public-key-algs" Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "iana-ssh-public-key-algs" YANG module defines a data model that | The "iana-ssh-public-key-algs" YANG module defines a data model that | |||
is designed to be accessed via YANG based management protocols, such | is designed to be accessed via YANG-based management protocols, such | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
This YANG module defines YANG enumerations, for a public IANA- | This YANG module defines YANG enumerations for a public IANA- | |||
maintained registry. | maintained registry. | |||
YANG enumerations are not security-sensitive, as they are statically | YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. | defined in the publicly accessible YANG module. | |||
This module does not define any writable-nodes, RPCs, actions, or | This module does not define any writable nodes, RPCs, actions, or | |||
notifications, and thus the security consideration for such is not | notifications, and thus, the security considerations for such are not | |||
provided here. | provided here. | |||
5.5. Considerations for the "ietf-ssh-common" YANG Module | 5.5. Considerations for the "ietf-ssh-common" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "ietf-ssh-common" YANG module defines "grouping" statements that | The "ietf-ssh-common" YANG module defines a data model that is | |||
are designed to be accessed via YANG based management protocols, such | designed to be accessed via YANG-based management protocols, such as | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the security | |||
Considerations for dependent YANG modules for information as to which | considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
None of the readable data nodes defined in this YANG module are | None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
"default-deny-all" extension has not been set for any data nodes | "default-deny-all" extension has not been set for any data nodes | |||
defined in this module. | defined in this module. | |||
None of the writable data nodes defined in this YANG module are | None of the writable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
"default-deny-write" extension has not been set for any data nodes | "default-deny-write" extension has not been set for any data nodes | |||
defined in this module. | defined in this module. | |||
This module defines the RPC "generate-asymmetric-key-pair" that may, | This module defines the "generate-asymmetric-key-pair" RPC, which | |||
if the "ct:cleartext-private-keys" feature is enabled, and the client | may, if the "ct:cleartext-private-keys" feature is enabled and the | |||
requests it, return the private key in cleartext form. It is NOT | client requests it, return the private key in cleartext form. It | |||
RECOMMENDED for private keys to pass the server's security perimeter. | is NOT RECOMMENDED for private keys to pass the server's security | |||
perimeter. | |||
This module does not define any actions or notifications, and thus | This module does not define any actions or notifications, and thus, | |||
the security consideration for such is not provided here. | the security considerations for such are not provided here. | |||
5.6. Considerations for the "ietf-ssh-client" YANG Module | 5.6. Considerations for the "ietf-ssh-client" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "ietf-ssh-client" YANG module defines "grouping" statements that | The "ietf-ssh-client" YANG module defines "grouping" statements that | |||
are designed to be accessed via YANG based management protocols, such | are designed to be accessed via YANG-based management protocols, such | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the security | |||
Considerations for dependent YANG modules for information as to which | considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
One readable data node defined in this YANG module may be considered | One readable data node defined in this YANG module may be considered | |||
sensitive or vulnerable in some network environments. This node is | sensitive or vulnerable in some network environments. This node is | |||
as follows: | as follows: | |||
* The "client-identity/password" node: | * The "client-identity/password" node: | |||
The cleartext "password" node defined in the "ssh-client- | The cleartext "password" node defined in the "ssh-client- | |||
skipping to change at page 58, line 42 ¶ | skipping to change at line 2550 ¶ | |||
all" has been applied to it. | all" has been applied to it. | |||
All the writable data nodes defined by this module may be considered | All the writable data nodes defined by this module may be considered | |||
sensitive or vulnerable in some network environments. For instance, | sensitive or vulnerable in some network environments. For instance, | |||
any modification to a key or reference to a key may dramatically | any modification to a key or reference to a key may dramatically | |||
alter the implemented security policy. For this reason, the NACM | alter the implemented security policy. For this reason, the NACM | |||
extension "default-deny-write" has been set for all data nodes | extension "default-deny-write" has been set for all data nodes | |||
defined in this module. | defined in this module. | |||
This module does not define any RPCs, actions, or notifications, and | This module does not define any RPCs, actions, or notifications, and | |||
thus the security consideration for such is not provided here. | thus, the security considerations for such are not provided here. | |||
5.7. Considerations for the "ietf-ssh-server" YANG Module | 5.7. Considerations for the "ietf-ssh-server" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The "ietf-ssh-server" YANG module defines "grouping" statements that | The "ietf-ssh-server" YANG module defines "grouping" statements that | |||
are designed to be accessed via YANG based management protocols, such | are designed to be accessed via YANG-based management protocols, such | |||
as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have | |||
have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | mandatory-to-implement secure transport layers (e.g., Secure Shell | |||
with mutual authentication. | (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | |||
implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the security | |||
Considerations for dependent YANG modules for information as to which | considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
None of the readable data nodes defined in this YANG module are | None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. The NACM | considered sensitive or vulnerable in network environments. The NACM | |||
"default-deny-all" extension has not been set for any data nodes | "default-deny-all" extension has not been set for any data nodes | |||
defined in this module. | defined in this module. | |||
All the writable data nodes defined by this module may be considered | All the writable data nodes defined by this module may be considered | |||
sensitive or vulnerable in some network environments. For instance, | sensitive or vulnerable in some network environments. For instance, | |||
the addition or removal of references to keys, certificates, trusted | the addition or removal of references to keys, certificates, trusted | |||
anchors, etc., or even the modification of transport or keepalive | anchors, etc., or even the modification of transport or keepalive | |||
parameters can dramatically alter the implemented security policy. | parameters can dramatically alter the implemented security policy. | |||
For this reason, the NACM extension "default-deny-write" has been set | For this reason, the NACM extension "default-deny-write" has been set | |||
for all data nodes defined in this module. | for all data nodes defined in this module. | |||
This module does not define any RPCs, actions, or notifications, and | This module does not define any RPCs, actions, or notifications, and | |||
thus the security consideration for such is not provided here. | thus, the security considerations for such are not provided here. | |||
6. IANA Considerations | 6. IANA Considerations | |||
6.1. The "IETF XML" Registry | 6.1. The IETF XML Registry | |||
This document registers seven URIs in the "ns" subregistry of the | IANA has registered seven URIs in the "ns" registry of the "IETF XML | |||
IETF XML Registry [RFC3688]. Following the format in [RFC3688], the | Registry" [RFC3688] as follows. | |||
following registrations are requested: | ||||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs | URI: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs | URI: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs | URI: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs | URI: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common | URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client | URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server | URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
6.2. The "YANG Module Names" Registry | 6.2. The YANG Module Names Registry | |||
This document registers seven YANG modules in the YANG Module Names | IANA has registered seven YANG modules in the "YANG Module Names" | |||
registry [RFC6020]. Following the format in [RFC6020], the following | registry [RFC6020] as follows. | |||
registrations are requested: | ||||
name: iana-ssh-key-exchange-algs | Name: iana-ssh-key-exchange-algs | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs | Namespace: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs | |||
prefix: sshkea | Prefix: sshkea | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
name: iana-ssh-encryption-algs | Name: iana-ssh-encryption-algs | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs | Namespace: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs | |||
prefix: sshea | Prefix: sshea | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
name: iana-ssh-mac-algs | Name: iana-ssh-mac-algs | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs | Namespace: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs | |||
prefix: sshma | Prefix: sshma | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
name: iana-ssh-public-key-algs | Name: iana-ssh-public-key-algs | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs | Namespace: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs | |||
prefix: sshpka | Prefix: sshpka | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
name: ietf-ssh-common | Name: ietf-ssh-common | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common | Namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common | |||
prefix: sshcmn | Prefix: sshcmn | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
name: ietf-ssh-client | Name: ietf-ssh-client | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client | Namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client | |||
prefix: sshc | Prefix: sshc | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
name: ietf-ssh-server | Name: ietf-ssh-server | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server | Namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server | |||
prefix: sshs | Prefix: sshs | |||
reference: RFC EEEE | Reference: RFC 9644 | |||
6.3. Considerations for the "iana-ssh-encryption-algs" Module | 6.3. Considerations for the "iana-ssh-encryption-algs" Module | |||
This section follows the template defined in Section 4.30.3.1 of | This section follows the template defined in Section 4.30.3.1 of | |||
[I-D.ietf-netmod-rfc8407bis]. | [YANG-GUIDE]. | |||
This document presents a script (see Appendix A) for IANA to use to | This document presents a script (see Appendix A) for IANA to use to | |||
generate the IANA-maintained "iana-ssh-encryption-algs" YANG module. | generate the IANA-maintained "iana-ssh-encryption-algs" YANG module. | |||
The most recent version of the YANG module is available from the | The most recent version of the YANG module is available in the "YANG | |||
"YANG Parameters" registry [IANA-YANG-PARAMETERS]. | Parameters" registry group [IANA-YANG-PARAMETERS]. | |||
IANA is requested to add the following note to the registry: | IANA has added the following note to the registry: | |||
| New values must not be directly added to the "iana-ssh-encryption- | | New values must not be directly added to the "iana-ssh-encryption- | |||
| algs" YANG module. They must instead be added to the "Encryption | | algs" YANG module. They must instead be added to the "Encryption | |||
| Algorithm Names" sub-registry of the "Secure Shell (SSH) Protocol | | Algorithm Names" registry of the "Secure Shell (SSH) Protocol | |||
| Parameters" registry [IANA-ENC-ALGS]. | | Parameters" registry group [IANA-ENC-ALGS]. | |||
When a value is added to the "Encryption Algorithm Names" sub- | When a value is added to the "Encryption Algorithm Names" registry, a | |||
registry, a new "enum" statement must be added to the "iana-ssh- | new "enum" statement must be added to the "iana-ssh-encryption-algs" | |||
encryption-algs" YANG module. The "enum" statement, and sub- | YANG module. The "enum" statement, and substatements thereof, should | |||
statements thereof, should be defined as follows: | be defined as follows: | |||
enum | enum | |||
Replicates a name from the registry. | Replicates a name from the registry. | |||
value | value | |||
Contains the decimal value of the IANA-assigned value. | Contains the decimal value of the IANA-assigned value. | |||
status | status | |||
Include only if a registration has been deprecated or obsoleted. | Include only if a registration has been deprecated or obsoleted. | |||
An IANA "Note" containing the word "HISTORIC" maps to YANG status | An IANA "Note" containing the word "HISTORIC" maps to YANG status | |||
skipping to change at page 62, line 41 ¶ | skipping to change at line 2715 ¶ | |||
reference | reference | |||
Replicates the reference(s) from the registry with the title of | Replicates the reference(s) from the registry with the title of | |||
the document(s) added. | the document(s) added. | |||
Unassigned or reserved values are not present in the module. | Unassigned or reserved values are not present in the module. | |||
When the "iana-ssh-encryption-algs" YANG module is updated, a new | When the "iana-ssh-encryption-algs" YANG module is updated, a new | |||
"revision" statement with a unique revision date must be added in | "revision" statement with a unique revision date must be added in | |||
front of the existing revision statements. The "revision" must have | front of the existing revision statements. The "revision" must have | |||
a "description" statement explaining why the the update occurred, and | a "description" statement explaining why the update occurred and must | |||
must have a "reference" substatement that points to the document | have a "reference" substatement that points to the document defining | |||
defining the registry update that resulted in this change. For | the registry update that resulted in this change. For instance: | |||
instance: | ||||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
} | } | |||
IANA is requested to add the following note to the "Encryption | IANA has added the following note to the "Encryption Algorithm Names" | |||
Algorithm Names" sub-registry. | registry. | |||
| When this registry is modified, the YANG module "iana-ssh- | | When this registry is modified, the YANG module "iana-ssh- | |||
| encryption-algs" [IANA-YANG-PARAMETERS] must be updated as defined | | encryption-algs" [IANA-YANG-PARAMETERS] must be updated as defined | |||
| in RFC EEEE. | | in RFC 9644. | |||
6.4. Considerations for the "iana-ssh-mac-algs" Module | 6.4. Considerations for the "iana-ssh-mac-algs" Module | |||
This section follows the template defined in Section 4.30.3.1 of | This section follows the template defined in Section 4.30.3.1 of | |||
[I-D.ietf-netmod-rfc8407bis]. | [YANG-GUIDE]. | |||
This document presents a script (see Appendix A) for IANA to use to | This document presents a script (see Appendix A) for IANA to use to | |||
generate the IANA-maintained "iana-ssh-mac-algs" YANG module. The | generate the IANA-maintained "iana-ssh-mac-algs" YANG module. The | |||
most recent version of the YANG module is available from the "YANG | most recent version of the YANG module is available in the "YANG | |||
Parameters" registry [IANA-YANG-PARAMETERS]. | Parameters" registry group [IANA-YANG-PARAMETERS]. | |||
IANA is requested to add the following note to the registry: | IANA has added the following note to the registry: | |||
| New values must not be directly added to the "iana-ssh-mac-algs" | | New values must not be directly added to the "iana-ssh-mac-algs" | |||
| YANG module. They must instead be added to the "MAC Algorithm | | YANG module. They must instead be added to the "MAC Algorithm | |||
| Names" sub-registry of the "Secure Shell (SSH) Protocol | | Names" registry of the "Secure Shell (SSH) Protocol Parameters" | |||
| Parameters" registry [IANA-MAC-ALGS]. | | registry group [IANA-MAC-ALGS]. | |||
When a value is added to the "MAC Algorithm Names" sub-registry, a | When a value is added to the "MAC Algorithm Names" registry, a new | |||
new "enum" statement must be added to the "iana-ssh-mac-algs" YANG | "enum" statement must be added to the "iana-ssh-mac-algs" YANG | |||
module. The "enum" statement, and sub-statements thereof, should be | module. The "enum" statement, and substatements thereof, should be | |||
defined as follows: | defined as follows: | |||
enum | enum | |||
Replicates a name from the registry. | Replicates a name from the registry. | |||
value | value | |||
Contains the decimal value of the IANA-assigned value. | Contains the decimal value of the IANA-assigned value. | |||
status | status | |||
Include only if a registration has been deprecated or obsoleted. | Include only if a registration has been deprecated or obsoleted. | |||
skipping to change at page 64, line 18 | skipping to change at line 2779 | |||
reference | reference | |||
Replicates the reference(s) from the registry with the title of | Replicates the reference(s) from the registry with the title of | |||
the document(s) added. | the document(s) added. | |||
Unassigned or reserved values are not present in the module. | Unassigned or reserved values are not present in the module. | |||
When the "iana-ssh-mac-algs" YANG module is updated, a new "revision" | When the "iana-ssh-mac-algs" YANG module is updated, a new "revision" | |||
statement with a unique revision date must be added in front of the | statement with a unique revision date must be added in front of the | |||
existing revision statements. The "revision" must have a | existing revision statements. The "revision" must have a | |||
"description" statement explaining why the the update occurred, and | "description" statement explaining why the update occurred and must | |||
must have a "reference" substatement that points to the document | have a "reference" substatement that points to the document defining | |||
defining the registry update that resulted in this change. For | the registry update that resulted in this change. For instance: | |||
instance: | ||||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
} | } | |||
IANA is requested to add the following note to the "MAC Algorithm | IANA has added the following note to the "MAC Algorithm Names" | |||
Names" sub-registry. | registry. | |||
| When this registry is modified, the YANG module "iana-ssh-mac- | | When this registry is modified, the YANG module "iana-ssh-mac- | |||
| algs" [IANA-YANG-PARAMETERS] must be updated as defined in RFC | | algs" [IANA-YANG-PARAMETERS] must be updated as defined in RFC | |||
| EEEE. | | 9644. | |||
6.5. Considerations for the "iana-ssh-public-key-algs" Module | 6.5. Considerations for the "iana-ssh-public-key-algs" Module | |||
This section follows the template defined in Section 4.30.3.1 of | This section follows the template defined in Section 4.30.3.1 of | |||
[I-D.ietf-netmod-rfc8407bis]. | [YANG-GUIDE]. | |||
This document presents a script (see Appendix A) for IANA to use to | This document presents a script (see Appendix A) for IANA to use to | |||
generate the IANA-maintained "iana-ssh-public-key-algs" YANG module. | generate the IANA-maintained "iana-ssh-public-key-algs" YANG module. | |||
The most recent version of the YANG module is available from the | The most recent version of the YANG module is available in the "YANG | |||
"YANG Parameters" registry [IANA-YANG-PARAMETERS]. | Parameters" registry group [IANA-YANG-PARAMETERS]. | |||
IANA is requested to add the following note to the registry: | IANA has added the following note to the registry: | |||
| New values must not be directly added to the "iana-ssh-public-key- | | New values must not be directly added to the "iana-ssh-public-key- | |||
| algs" YANG module. They must instead be added to the "Public Key | | algs" YANG module. They must instead be added to the "Public Key | |||
| Algorithm Names" sub-registry of the "Secure Shell (SSH) Protocol | | Algorithm Names" registry of the "Secure Shell (SSH) Protocol | |||
| Parameters" registry [IANA-PUBKEY-ALGS]. | | Parameters" registry group [IANA-PUBKEY-ALGS]. | |||
When a value is added to the "Public Key Algorithm Names" sub- | When a value is added to the "Public Key Algorithm Names" registry, a | |||
registry, a new "enum" statement must be added to the "iana-ssh- | new "enum" statement must be added to the "iana-ssh-public-key-algs" | |||
public-key-algs" YANG module. The "enum" statement, and sub- | YANG module. The "enum" statement, and substatements thereof, should | |||
statements thereof, should be defined as follows: | be defined as follows: | |||
enum | enum | |||
Replicates a name from the registry. | Replicates a name from the registry. | |||
value | value | |||
Contains the decimal value of the IANA-assigned value. | Contains the decimal value of the IANA-assigned value. | |||
status | status | |||
Include only if a registration has been deprecated or obsoleted. | Include only if a registration has been deprecated or obsoleted. | |||
description | description | |||
Contains "Enumeration for the 'foo-bar' algorithm.", where "foo- | Contains "Enumeration for the 'foo-bar' algorithm.", where "foo- | |||
bar" is a placeholder for the algorithm's name (e.g., "3des-cbc"). | bar" is a placeholder for the algorithm's name (e.g., "3des-cbc"). | |||
reference | reference | |||
Replicates the reference(s) from the registry with the title of | Replicates the reference(s) from the registry with the title of | |||
the document(s) added. | the document(s) added. | |||
In the case that the algorithm name ends with "-*", the familiy of | In the case that the algorithm name ends with "-*", the family of | |||
enumerations must be added. The familiy of enum algorithm names are | enumerations must be added. The family of enum algorithm names are | |||
generated by replacing the '*' character with these strings: | generated by replacing the "*" character with these strings: | |||
"nistp256", "nistp384", "nistp521", "1.3.132.0.1", | "nistp256", "nistp384", "nistp521", "1.3.132.0.1", | |||
"1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | |||
"1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and | "1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and | |||
"1.3.132.0.38". | "1.3.132.0.38". | |||
Unassigned or reserved values are not present in the module. | Unassigned or reserved values are not present in the module. | |||
When the "iana-ssh-public-key-algs" YANG module is updated, a new | When the "iana-ssh-public-key-algs" YANG module is updated, a new | |||
"revision" statement with a unique revision date must be added in | "revision" statement with a unique revision date must be added in | |||
front of the existing revision statements. The "revision" must have | front of the existing revision statements. The "revision" must have | |||
a "description" statement explaining why the the update occurred, and | a "description" statement explaining why the update occurred and must | |||
must have a "reference" substatement that points to the document | have a "reference" substatement that points to the document defining | |||
defining the registry update that resulted in this change. For | the registry update that resulted in this change. For instance: | |||
instance: | ||||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
} | } | |||
IANA is requested to add the following note to the "Public Key | IANA has added the following note to the "Public Key Algorithm Names" | |||
Algorithm Names" sub-registry. | registry. | |||
| When this registry is modified, the YANG module "iana-ssh-public- | | When this registry is modified, the YANG module "iana-ssh-public- | |||
| key-algs" [IANA-YANG-PARAMETERS] must be updated as defined in RFC | | key-algs" [IANA-YANG-PARAMETERS] must be updated as defined in RFC | |||
| EEEE. | | 9644. | |||
6.6. Considerations for the "iana-ssh-key-exchange-algs" Module | 6.6. Considerations for the "iana-ssh-key-exchange-algs" Module | |||
This section follows the template defined in Section 4.30.3.1 of | This section follows the template defined in Section 4.30.3.1 of | |||
[I-D.ietf-netmod-rfc8407bis]. | [YANG-GUIDE]. | |||
This document presents a script (see Appendix A) for IANA to use to | This document presents a script (see Appendix A) for IANA to use to | |||
generate the IANA-maintained "iana-ssh-key-exchange-algs" YANG | generate the IANA-maintained "iana-ssh-key-exchange-algs" YANG | |||
module. The most recent version of the YANG module is available from | module. The most recent version of the YANG module is available in | |||
the "YANG Parameters" registry [IANA-YANG-PARAMETERS]. | the "YANG Parameters" registry group [IANA-YANG-PARAMETERS]. | |||
IANA is requested to add the following note to the registry: | IANA has added the following note to the registry: | |||
| New values must not be directly added to the "iana-ssh-key- | | New values must not be directly added to the "iana-ssh-key- | |||
| exchange-algs" YANG module. They must instead be added to the | | exchange-algs" YANG module. They must instead be added to the | |||
| "Key Exchange Method Names" sub-registry of the "Secure Shell | | "Key Exchange Method Names" registry of the "Secure Shell (SSH) | |||
| (SSH) Protocol Parameters" registry [IANA-KEYEX-ALGS]. | | Protocol Parameters" registry group [IANA-KEYEX-ALGS]. | |||
When a value is added to the "Key Exchange Method Names" sub- | When a value is added to the "Key Exchange Method Names" registry, a | |||
registry, a new "enum" statement must be added to the "iana-ssh-key- | new "enum" statement must be added to the "iana-ssh-key-exchange- | |||
exchange-algs" YANG module. The "enum" statement, and sub-statements | algs" YANG module. The "enum" statement, and substatements thereof, | |||
thereof, should be defined as follows: | should be defined as follows: | |||
enum | enum | |||
Replicates a name from the registry. | Replicates a name from the registry. | |||
value | value | |||
Contains the decimal value of the IANA-assigned value. | Contains the decimal value of the IANA-assigned value. | |||
status | status | |||
Include only if a registration has been deprecated or obsoleted. | Include only if a registration has been deprecated or obsoleted. | |||
An IANA "OK to Implement" containing "SHOULD NOT" maps to YANG | An IANA "OK to Implement" containing "SHOULD NOT" maps to YANG | |||
skipping to change at page 67, line 19 | skipping to change at line 2913 | |||
NOT" maps to YANG status "obsolete". | NOT" maps to YANG status "obsolete". | |||
description | description | |||
Contains "Enumeration for the 'foo-bar' algorithm.", where "foo- | Contains "Enumeration for the 'foo-bar' algorithm.", where "foo- | |||
bar" is a placeholder for the algorithm's name (e.g., "3des-cbc"). | bar" is a placeholder for the algorithm's name (e.g., "3des-cbc"). | |||
reference | reference | |||
Replicates the reference(s) from the registry with the title of | Replicates the reference(s) from the registry with the title of | |||
the document(s) added. | the document(s) added. | |||
In the case that the algorithm name ends with "-*", the familiy of | In the case that the algorithm name ends with "-*", the family of | |||
enumerations must be added. The familiy of enum algorithm names are | enumerations must be added. The family of enum algorithm names are | |||
generated by replacing the '*' character with these strings: | generated by replacing the "*" character with these strings: | |||
"nistp256", "nistp384", "nistp521", "1.3.132.0.1", | "nistp256", "nistp384", "nistp521", "1.3.132.0.1", | |||
"1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | |||
"1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and | "1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and | |||
"1.3.132.0.38". | "1.3.132.0.38". | |||
Unassigned or reserved values are not present in the module. | Unassigned or reserved values are not present in the module. | |||
When the "iana-ssh-key-exchange-algs" YANG module is updated, a new | When the "iana-ssh-key-exchange-algs" YANG module is updated, a new | |||
"revision" statement with a unique revision date must be added in | "revision" statement with a unique revision date must be added in | |||
front of the existing revision statements. The "revision" must have | front of the existing revision statements. The "revision" must have | |||
a "description" statement explaining why the the update occurred, and | a "description" statement explaining why the update occurred, and | |||
must have a "reference" substatement that points to the document | must have a "reference" substatement that points to the document | |||
defining the registry update that resulted in this change. For | defining the registry update that resulted in this change. For | |||
instance: | instance: | |||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
} | } | |||
IANA is requested to add the following note to the "Key Exchange | IANA has added the following note to the "Key Exchange Method Names" | |||
Method Names" sub-registry. | registry. | |||
| When this registry is modified, the YANG module "iana-ssh-key- | | When this registry is modified, the YANG module "iana-ssh-key- | |||
| exchange-algs" [IANA-YANG-PARAMETERS] must be updated as defined | | exchange-algs" [IANA-YANG-PARAMETERS] must be updated as defined | |||
| in RFC EEEE. | | in RFC 9644. | |||
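The enum-generation rules of Sections 6.5 and 6.6 (name replication, the "OK to Implement" status mapping, the "-*" family expansion and the leading "revision" statement) worked through as an added Python example; this is not the script from Appendix A, the registry rows are constructed, and both the "SHOULD NOT" to "deprecated" mapping (elided on the page) and the per-member value allocation for a family are assumptions of the example.

```python
"""Generate YANG "enum" and "revision" statements for an IANA-maintained
SSH algorithm module, following the rules in Sections 6.5 and 6.6 above.
Added example, not the Appendix A script of the RFC; rows are constructed."""
from dataclasses import dataclass

# Strings that replace "*" when a registry name ends in "-*" (the list
# given on the page for the public-key and key-exchange modules).
FAMILY_SUFFIXES = [
    "nistp256", "nistp384", "nistp521", "1.3.132.0.1",
    "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26",
    "1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37",
    "1.3.132.0.38",
]


@dataclass
class RegistryEntry:
    name: str                  # name exactly as it appears in the registry
    value: int                 # decimal IANA-assigned value (constructed here)
    references: list           # "RFC NNNN: Title" strings, title already added
    ok_to_implement: str = ""  # "OK to Implement" column (key-exchange registry)


def yang_status(ok_to_implement):
    """Map the IANA "OK to Implement" column to a YANG status, or None when
    the enum needs no status substatement.  "MUST NOT" -> "obsolete" is the
    mapping shown on the page; "SHOULD NOT" -> "deprecated" is assumed here
    because that line of the page is elided."""
    if "MUST NOT" in ok_to_implement:
        return "obsolete"
    if "SHOULD NOT" in ok_to_implement:
        return "deprecated"
    return None


def expand_family(name):
    """A name ending in "-*" yields one enum per suffix; others yield themselves."""
    if name.endswith("-*"):
        return [name[:-1] + suffix for suffix in FAMILY_SUFFIXES]
    return [name]


def enum_statement(name, value, entry, indent=4):
    """Render one "enum" statement with the substatements the page requires."""
    pad = " " * indent
    lines = [f"{pad}enum {name} {{", f"{pad}  value {value};"]
    status = yang_status(entry.ok_to_implement)
    if status is not None:  # include only for deprecated/obsoleted entries
        lines.append(f"{pad}  status {status};")
    lines.append(f"{pad}  description")
    lines.append(f"{pad}    \"Enumeration for the '{name}' algorithm.\";")
    lines.append(f"{pad}  reference")
    refs = ("\n" + pad + "     ").join(entry.references)
    lines.append(f"{pad}    \"{refs}\";")
    lines.append(f"{pad}}}")
    return "\n".join(lines)


def generate_enums(entries):
    """Emit enum statements for every registry row, expanding "-*" families.
    Family members get consecutive values from the row's base value; that
    allocation scheme is an assumption of this example."""
    out = []
    for entry in entries:
        for offset, name in enumerate(expand_family(entry.name)):
            out.append(enum_statement(name, entry.value + offset, entry))
    return out


def revision_statement(date, rfc, title, registry, indent=2):
    """Render the "revision" statement that must be placed in front of the
    existing ones when the module is regenerated after a registry update."""
    pad = " " * indent
    return "\n".join([
        f"{pad}revision {date} {{",
        f"{pad}  description",
        f"{pad}    \"This update reflects the update made to the underlying",
        f"{pad}     {registry} registry per {rfc}.\";",
        f"{pad}  reference",
        f"{pad}    \"{rfc}: {title}\";",
        f"{pad}}}",
    ])


# Constructed sample rows for the "Key Exchange Method Names" registry; the
# "OK to Implement" values are illustrative, not copied from IANA.
SAMPLE_ENTRIES = [
    RegistryEntry("curve25519-sha256", 1, [
        "RFC 8731: Secure Shell (SSH) Key Exchange Method Using Curve25519 "
        "and Curve448"]),
    RegistryEntry("ecdh-sha2-*", 2, [
        "RFC 5656: Elliptic Curve Algorithm Integration in the Secure Shell "
        "Transport Layer"]),
    RegistryEntry("rsa1024-sha1", 14, [
        "RFC 4432: RSA Key Exchange for the Secure Shell (SSH) Transport "
        "Layer Protocol"], ok_to_implement="MUST NOT"),
]

if __name__ == "__main__":
    print(revision_statement("2024-02-02", "RFC XXXX", "Extend the Foo Bars "
                             "Registry to Support Something Important", "Foo Bar"))
    print("\n".join(generate_enums(SAMPLE_ENTRIES)))
```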
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[I-D.ietf-netconf-crypto-types] | ||||
Watsen, K., "YANG Data Types and Groupings for | ||||
Cryptography", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-crypto-types-33, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
crypto-types-33>. | ||||
[I-D.ietf-netconf-keystore] | ||||
Watsen, K., "A YANG Data Model for a Keystore and Keystore | ||||
Operations", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-keystore-34, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
keystore-34>. | ||||
[I-D.ietf-netconf-trust-anchors] | ||||
Watsen, K., "A YANG Data Model for a Truststore", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-trust- | ||||
anchors-27, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
trust-anchors-27>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) | ||||
Protocol Assigned Numbers", RFC 4250, | ||||
DOI 10.17487/RFC4250, January 2006, | ||||
<https://www.rfc-editor.org/info/rfc4250>. | ||||
[RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, | Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, | |||
January 2006, <https://www.rfc-editor.org/info/rfc4251>. | January 2006, <https://www.rfc-editor.org/info/rfc4251>. | |||
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | |||
January 2006, <https://www.rfc-editor.org/info/rfc4252>. | January 2006, <https://www.rfc-editor.org/info/rfc4252>. | |||
[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | |||
January 2006, <https://www.rfc-editor.org/info/rfc4253>. | January 2006, <https://www.rfc-editor.org/info/rfc4253>. | |||
[RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
Connection Protocol", RFC 4254, DOI 10.17487/RFC4254, | Connection Protocol", RFC 4254, DOI 10.17487/RFC4254, | |||
January 2006, <https://www.rfc-editor.org/info/rfc4254>. | January 2006, <https://www.rfc-editor.org/info/rfc4254>. | |||
[RFC4344] Bellare, M., Kohno, T., and C. Namprempre, "The Secure | ||||
Shell (SSH) Transport Layer Encryption Modes", RFC 4344, | ||||
DOI 10.17487/RFC4344, January 2006, | ||||
<https://www.rfc-editor.org/info/rfc4344>. | ||||
[RFC4419] Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman | ||||
Group Exchange for the Secure Shell (SSH) Transport Layer | ||||
Protocol", RFC 4419, DOI 10.17487/RFC4419, March 2006, | ||||
<https://www.rfc-editor.org/info/rfc4419>. | ||||
[RFC4432] Harris, B., "RSA Key Exchange for the Secure Shell (SSH) | ||||
Transport Layer Protocol", RFC 4432, DOI 10.17487/RFC4432, | ||||
March 2006, <https://www.rfc-editor.org/info/rfc4432>. | ||||
[RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, | ||||
"Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the Secure | ||||
Shell (SSH) Protocol", RFC 4462, DOI 10.17487/RFC4462, May | ||||
2006, <https://www.rfc-editor.org/info/rfc4462>. | ||||
[RFC5647] Igoe, K. and J. Solinas, "AES Galois Counter Mode for the | ||||
Secure Shell Transport Layer Protocol", RFC 5647, | ||||
DOI 10.17487/RFC5647, August 2009, | ||||
<https://www.rfc-editor.org/info/rfc5647>. | ||||
[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm | ||||
Integration in the Secure Shell Transport Layer", | ||||
RFC 5656, DOI 10.17487/RFC5656, December 2009, | ||||
<https://www.rfc-editor.org/info/rfc5656>. | ||||
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
[RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure | [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure | |||
Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, | Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, | |||
March 2011, <https://www.rfc-editor.org/info/rfc6187>. | March 2011, <https://www.rfc-editor.org/info/rfc6187>. | |||
[RFC6668] Bider, D. and M. Baushke, "SHA-2 Data Integrity | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
Verification for the Secure Shell (SSH) Transport Layer | and A. Bierman, Ed., "Network Configuration Protocol | |||
Protocol", RFC 6668, DOI 10.17487/RFC6668, July 2012, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
<https://www.rfc-editor.org/info/rfc6668>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | ||||
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | ||||
<https://www.rfc-editor.org/info/rfc6242>. | ||||
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | ||||
RFC 6991, DOI 10.17487/RFC6991, July 2013, | ||||
<https://www.rfc-editor.org/info/rfc6991>. | ||||
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for | [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for | |||
System Management", RFC 7317, DOI 10.17487/RFC7317, August | System Management", RFC 7317, DOI 10.17487/RFC7317, August | |||
2014, <https://www.rfc-editor.org/info/rfc7317>. | 2014, <https://www.rfc-editor.org/info/rfc7317>. | |||
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
<https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8040>. | ||||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie- | ||||
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell | ||||
(SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, | ||||
<https://www.rfc-editor.org/info/rfc8268>. | ||||
[RFC8308] Bider, D., "Extension Negotiation in the Secure Shell | ||||
(SSH) Protocol", RFC 8308, DOI 10.17487/RFC8308, March | ||||
2018, <https://www.rfc-editor.org/info/rfc8308>. | ||||
[RFC8332] Bider, D., "Use of RSA Keys with SHA-256 and SHA-512 in | ||||
the Secure Shell (SSH) Protocol", RFC 8332, | ||||
DOI 10.17487/RFC8332, March 2018, | ||||
<https://www.rfc-editor.org/info/rfc8332>. | ||||
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
[RFC8709] Harris, B. and L. Velvindron, "Ed25519 and Ed448 Public | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Key Algorithms for the Secure Shell (SSH) Protocol", | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
RFC 8709, DOI 10.17487/RFC8709, February 2020, | <https://www.rfc-editor.org/info/rfc8446>. | |||
<https://www.rfc-editor.org/info/rfc8709>. | ||||
[RFC8731] Adamantiadis, A., Josefsson, S., and M. Baushke, "Secure | [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
Shell (SSH) Key Exchange Method Using Curve25519 and | Multiplexed and Secure Transport", RFC 9000, | |||
Curve448", RFC 8731, DOI 10.17487/RFC8731, February 2020, | DOI 10.17487/RFC9000, May 2021, | |||
<https://www.rfc-editor.org/info/rfc8731>. | <https://www.rfc-editor.org/info/rfc9000>. | |||
[RFC8732] Sorce, S. and H. Kario, "Generic Security Service | [RFC9640] Watsen, K., "YANG Data Types and Groupings for | |||
Application Program Interface (GSS-API) Key Exchange with | Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | |||
SHA-2", RFC 8732, DOI 10.17487/RFC8732, February 2020, | 2024, <https://www.rfc-editor.org/info/rfc9640>. | |||
<https://www.rfc-editor.org/info/rfc8732>. | ||||
[RFC8758] Velvindron, L., "Deprecating RC4 in Secure Shell (SSH)", | [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | |||
BCP 227, RFC 8758, DOI 10.17487/RFC8758, April 2020, | RFC 9641, DOI 10.17487/RFC9641, October 2024, | |||
<https://www.rfc-editor.org/info/rfc8758>. | <https://www.rfc-editor.org/info/rfc9641>. | |||
[RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | ||||
DOI 10.17487/RFC9642, October 2024, | ||||
<https://www.rfc-editor.org/info/rfc9642>. | ||||
7.2. Informative References | 7.2. Informative References | |||
[FIPS_186-6] | [FIPS_186-5] | |||
(NIST), T. N. I. F. S. A. T., "Digital Signature Standard | NIST, "Digital Signature Standard (DSS)", FIPS PUB 186-5, | |||
(DSS)", | DOI 10.6028/NIST.FIPS.186-5, February 2023, | |||
<https://csrc.nist.gov/publications/detail/fips/186/5/ | <https://csrc.nist.gov/pubs/fips/186-5/final>. | |||
draft>. | ||||
[I-D.ietf-netconf-http-client-server] | [HTTP-CLIENT-SERVER] | |||
Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
netconf-http-client-server-19, 1 March 2024, | netconf-http-client-server-23, 15 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
http-client-server-19>. | ||||
[I-D.ietf-netconf-netconf-client-server] | ||||
Watsen, K., "NETCONF Client and Server Models", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-netconf- | ||||
client-server-35, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
netconf-client-server-35>. | ||||
[I-D.ietf-netconf-restconf-client-server] | ||||
Watsen, K., "RESTCONF Client and Server Models", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | ||||
client-server-35, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
restconf-client-server-35>. | ||||
[I-D.ietf-netconf-ssh-client-server] | ||||
Watsen, K., "YANG Groupings for SSH Clients and SSH | ||||
Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-ssh-client-server-39, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
ssh-client-server-39>. | ||||
[I-D.ietf-netconf-tcp-client-server] | ||||
Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
and TCP Servers", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-tcp-client-server-23, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
tcp-client-server-23>. | ||||
[I-D.ietf-netconf-tls-client-server] | ||||
Watsen, K., "YANG Groupings for TLS Clients and TLS | ||||
Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-tls-client-server-40, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
tls-client-server-40>. | http-client-server-23>. | |||
[I-D.ietf-netmod-rfc8407bis] | ||||
Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for | ||||
Authors and Reviewers of Documents Containing YANG Data | ||||
Models", Work in Progress, Internet-Draft, draft-ietf- | ||||
netmod-rfc8407bis-09, 28 February 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
rfc8407bis-09>. | ||||
[I-D.ietf-netmod-system-config] | ||||
Ma, Q., Wu, Q., and C. Feng, "System-defined | ||||
Configuration", Work in Progress, Internet-Draft, draft- | ||||
ietf-netmod-system-config-05, 21 February 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
system-config-05>. | ||||
[IANA-ENC-ALGS] | [IANA-ENC-ALGS] | |||
(IANA), I. A. N. A., "IANA "Encryption Algorithm Names" | IANA, "Encryption Algorithm Names", | |||
Sub-registry of the "Secure Shell (SSH) Protocol | <https://www.iana.org/assignments/ssh-parameters/>. | |||
Parameters" Registry", <https://www.iana.org/assignments/ | ||||
ssh-parameters/ssh-parameters.xhtml#ssh-parameters-17>. | ||||
[IANA-KEYEX-ALGS] | [IANA-KEYEX-ALGS] | |||
(IANA), I. A. N. A., "IANA "Key Exchange Method Names" | IANA, "Key Exchange Method Names", | |||
Sub-registry of the "Secure Shell (SSH) Protocol | <https://www.iana.org/assignments/ssh-parameters>. | |||
Parameters" Registry", <https://www.iana.org/assignments/ | ||||
ssh-parameters/ssh-parameters.xhtml#ssh-parameters-16>. | ||||
[IANA-MAC-ALGS] | [IANA-MAC-ALGS] | |||
(IANA), I. A. N. A., "IANA "MAC Algorithm Names" Sub- | IANA, "MAC Algorithm Names", | |||
registry of the "Secure Shell (SSH) Protocol Parameters" | <https://www.iana.org/assignments/ssh-parameters>. | |||
Registry", <https://www.iana.org/assignments/ssh- | ||||
parameters/ssh-parameters.xhtml#ssh-parameters-18>. | ||||
[IANA-PUBKEY-ALGS] | [IANA-PUBKEY-ALGS] | |||
(IANA), I. A. N. A., "IANA "Public Key Algorithm Names" | IANA, "Public Key Algorithm Names", | |||
Sub-registry of the "Secure Shell (SSH) Protocol | <https://www.iana.org/assignments/ssh-parameters/>. | |||
Parameters" Registry", <https://www.iana.org/assignments/ | ||||
ssh-parameters/ssh-parameters.xhtml#ssh-parameters-19>. | ||||
[IANA-YANG-PARAMETERS] | [IANA-YANG-PARAMETERS] | |||
"YANG Parameters", n.d., | IANA, "YANG Parameters", | |||
<https://www.iana.org/assignments/yang-parameters>. | <https://www.iana.org/assignments/yang-parameters>. | |||
[NETCONF-CLIENT-SERVER] | ||||
Watsen, K., "NETCONF Client and Server Models", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-netconf- | ||||
client-server-37, 14 August 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
netconf-client-server-37>. | ||||
[RESTCONF-CLIENT-SERVER] | ||||
Watsen, K., "RESTCONF Client and Server Models", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | ||||
client-server-38, 14 August 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
restconf-client-server-38>. | ||||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | ||||
and A. Bierman, Ed., "Network Configuration Protocol | ||||
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | ||||
<https://www.rfc-editor.org/info/rfc6241>. | ||||
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | ||||
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | ||||
<https://www.rfc-editor.org/info/rfc6242>. | ||||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8040>. | ||||
[RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", | [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", | |||
RFC 8071, DOI 10.17487/RFC8071, February 2017, | RFC 8071, DOI 10.17487/RFC8071, February 2017, | |||
<https://www.rfc-editor.org/info/rfc8071>. | <https://www.rfc-editor.org/info/rfc8071>. | |||
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
Interchange Format", STD 90, RFC 8259, | ||||
DOI 10.17487/RFC8259, December 2017, | ||||
<https://www.rfc-editor.org/info/rfc8259>. | ||||
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
<https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | ||||
"Handling Long Lines in Content of Internet-Drafts and | ||||
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | ||||
<https://www.rfc-editor.org/info/rfc8792>. | ||||
[RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, October | ||||
2024, <https://www.rfc-editor.org/info/rfc9643>. | ||||
[RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | ||||
Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, | ||||
<https://www.rfc-editor.org/info/rfc9645>. | ||||
[SYSTEM-CONFIG] | ||||
Ma, Q., Wu, Q., and C. Feng, "System-defined | ||||
Configuration", Work in Progress, Internet-Draft, draft- | ||||
ietf-netmod-system-config-09, 29 September 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
system-config-09>. | ||||
[W3C.REC-xml-20081126] | ||||
Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | ||||
and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
(Fifth Edition)", World Wide Web Consortium | ||||
Recommendation REC-xml-20081126, November 2008, | ||||
<https://www.w3.org/TR/2008/REC-xml-20081126/>. | ||||
[YANG-GUIDE] | ||||
Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for | ||||
Authors and Reviewers of Documents Containing YANG Data | ||||
Models", Work in Progress, Internet-Draft, draft-ietf- | ||||
netmod-rfc8407bis-17, 27 September 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
rfc8407bis-17>. | ||||
Appendix A. Script to Generate IANA-Maintained YANG Modules | Appendix A. Script to Generate IANA-Maintained YANG Modules | |||
This section is not Normative. | This section is not normative. | |||
The Python https://www.python.org script contained in this section | The Python <https://www.python.org> script contained in this section | |||
will create the four IANA-maintained modules described in this | will create the four IANA-maintained modules that are described (but | |||
document. | not contained) in this document. | |||
Run the script using the command `python gen-yang-modules.py`, to | Run the script using the command "python gen-yang-modules.py" to | |||
produce four YANG module files in the current directory. | produce four YANG module files in the current directory. | |||
Be aware that the script does not attempt to copy the "revision" | Be aware that the script does not attempt to copy the "revision" | |||
statements from the previous/current YANG module. Copying the | statements from the previous/current YANG module. Copying the | |||
revision statements must be done manually. | revision statements must be done manually. | |||
<CODE BEGINS> | <CODE BEGINS> | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
import re | import re | |||
[unchanged lines elided in this diff view: draft page 74, line 26 / RFC line 3187] | ||||
# Metadata for the four YANG modules produced by this script | # Metadata for the four YANG modules produced by this script | |||
MODULES = [ | MODULES = [ | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-17.csv", | ssh-parameters-17.csv", | |||
"spaced_name": "encryption", | "spaced_name": "encryption", | |||
"hypenated_name": "encryption", | "hypenated_name": "encryption", | |||
"prefix": "sshea", | "prefix": "sshea", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the encryption algorithms | the encryption algorithms | |||
defined in the 'Encryption Algorithm Names' sub-registry of the | defined in the 'Encryption Algorithm Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""", | maintained by IANA.""", | |||
}, | }, | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-19.csv", | ssh-parameters-19.csv", | |||
"spaced_name": "public key", | "spaced_name": "public key", | |||
"hypenated_name": "public-key", | "hypenated_name": "public-key", | |||
"prefix": "sshpka", | "prefix": "sshpka", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the public key algorithms | the public key algorithms | |||
defined in the 'Public Key Algorithm Names' sub-registry of the | defined in the 'Public Key Algorithm Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""" | maintained by IANA.""" | |||
}, | }, | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-18.csv", | ssh-parameters-18.csv", | |||
"spaced_name": "mac", | "spaced_name": "mac", | |||
"hypenated_name": "mac", | "hypenated_name": "mac", | |||
"prefix": "sshma", | "prefix": "sshma", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the MAC algorithms | the MAC algorithms | |||
defined in the 'MAC Algorithm Names' sub-registry of the | defined in the 'MAC Algorithm Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""" | maintained by IANA.""" | |||
}, | }, | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-16.csv", | ssh-parameters-16.csv", | |||
"spaced_name": "key exchange", | "spaced_name": "key exchange", | |||
"hypenated_name": "key-exchange", | "hypenated_name": "key-exchange", | |||
"prefix": "sshkea", | "prefix": "sshkea", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the key exchange algorithms | the key exchange algorithms | |||
defined in the 'Key Exchange Method Names' sub-registry of the | defined in the 'Key Exchange Method Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""" | maintained by IANA.""" | |||
}, | }, | |||
] | ] | |||
def create_module_begin(module, f): | def create_module_begin(module, f): | |||
# Define template for all four modules | # Define template for all four modules | |||
PREAMBLE_TEMPLATE=""" | PREAMBLE_TEMPLATE=""" | |||
module iana-ssh-HNAME-algs { | module iana-ssh-HNAME-algs { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-HNAME-algs"; | namespace "urn:ietf:params:xml:ns:yang:iana-ssh-HNAME-algs"; | |||
[unchanged lines elided in this diff view: draft page 75, line 44 / RFC line 3253] | ||||
12025 Waterfront Drive, Suite 300 | 12025 Waterfront Drive, Suite 300 | |||
Los Angeles, CA 90094-2536 | Los Angeles, CA 90094-2536 | |||
United States of America | United States of America | |||
Tel: +1 310 301 5800 | Tel: +1 310 301 5800 | |||
Email: iana@iana.org"; | Email: iana@iana.org"; | |||
description | description | |||
DESCRIPTION | DESCRIPTION | |||
Copyright (c) YEAR IETF Trust and the persons identified as | Copyright (c) YEAR IETF Trust and the persons identified as | |||
authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
The initial version of this YANG module is part of RFC EEEE | The initial version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices. | |||
All versions of this module are published by IANA at | All versions of this module are published by IANA at | |||
https://www.iana.org/assignments/yang-parameters."; | https://www.iana.org/assignments/yang-parameters."; | |||
revision DATE { | revision DATE { | |||
description | description | |||
"This initial version of the module was created using | "This initial version of the module was created using | |||
the script defined in RFC EEEE to reflect the contents | the script defined in RFC 9644 to reflect the contents | |||
of the SNAME algorithms registry maintained by IANA."; | of the SNAME algorithms registry maintained by IANA."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-HNAME-algorithm { | typedef ssh-HNAME-algorithm { | |||
type enumeration { | type enumeration { | |||
""" | """ | |||
# Replacements | # Replacements | |||
rep = { | rep = { | |||
"DATE": datetime.today().strftime('%Y-%m-%d'), | "DATE": datetime.today().strftime('%Y-%m-%d'), | |||
"YEAR": datetime.today().strftime('%Y'), | "YEAR": datetime.today().strftime('%Y'), | |||
"SNAME": module["spaced_name"], | "SNAME": module["spaced_name"], | |||
[unchanged lines elided in this diff view: draft page 79, line 48 / RFC line 3444] | ||||
algorithms.";\n') | algorithms.";\n') | |||
f.write(" }\n") | f.write(" }\n") | |||
f.write('\n') | f.write('\n') | |||
f.write('}\n') | f.write('}\n') | |||
def create_module(module): | def create_module(module): | |||
# Install cache for 8x speedup | # Install cache for 8x speedup | |||
requests_cache.install_cache() | requests_cache.install_cache() | |||
# ascertain yang module's name | # Ascertain YANG module's name | |||
yang_module_name = "iana-ssh-" + module["hypenated_name"] + "-al\ | yang_module_name = "iana-ssh-" + module["hypenated_name"] + "-al\ | |||
gs.yang" | gs.yang" | |||
# create yang module file | ||||
# Create YANG module file | ||||
with open(yang_module_name, "w") as f: | with open(yang_module_name, "w") as f: | |||
create_module_begin(module, f) | create_module_begin(module, f) | |||
create_module_body(module, f) | create_module_body(module, f) | |||
create_module_end(module, f) | create_module_end(module, f) | |||
def main(): | def main(): | |||
for module in MODULES: | for module in MODULES: | |||
create_module(module) | create_module(module) | |||
if __name__ == "__main__": | if __name__ == "__main__": | |||
main() | main() | |||
<CODE ENDS> | <CODE ENDS> | |||
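The following is an added example, not the Appendix A script above nor any code from the RFC. It isolates the transformation the script performs inside create_module_body(): each row of an IANA "SSH Protocol Parameters" CSV becomes a YANG enum statement, with rows the registry annotates OBSOLETE receiving "status obsolete;" (as seen for arcfour and des-cbc in the generated module). It runs offline on a constructed CSV sample; the column layout, the RFC-title table, and all helper names are assumptions, and the closing check_cipher_list() helper is an added defensive use of the same data, not something the RFC's script does.

```python
"""Added example, not the RFC 9644 Appendix A script: build YANG 'enum'
statements from IANA SSH registry rows, offline, and use the same rows to
flag obsolete or unknown algorithm names in a configured cipher list."""
import csv
import io
import re

# Constructed sample rows in the layout of the IANA "Encryption Algorithm
# Names" CSV (name, reference, note).  Not a download of the registry.
SAMPLE_CSV = """Encryption Algorithm Name,Reference,Note
3des-cbc,"[RFC4253, Section 6.3]",
arcfour,[RFC8758],OBSOLETE
aes128-ctr,[RFC4344],
AEAD_AES_128_GCM,"[RFC5647, Section 6.1]",
"""

# Assumed title lookup; the RFC's script resolves titles at generation time.
RFC_TITLES = {
    "RFC4253": "The Secure Shell (SSH) Transport Layer Protocol",
    "RFC4344": "The Secure Shell (SSH) Transport Layer Encryption Modes",
    "RFC5647": "AES Galois Counter Mode for the Secure Shell Transport "
               "Layer Protocol",
    "RFC8758": "Deprecating RC4 in Secure Shell (SSH)",
}

# Matches "[RFC4253, Section 6.3]" and "[RFC8758]" style reference cells.
_REF_RE = re.compile(r"\[(RFC\d+)(?:,\s*Section\s+([\d.]+))?\]")


def parse_reference(ref):
    """Return (rfc_id, section_or_None) from an IANA reference cell."""
    m = _REF_RE.search(ref)
    if not m:
        raise ValueError(f"unrecognised reference cell: {ref!r}")
    return m.group(1), m.group(2)


def render_enum(name, ref, note):
    """Render one YANG 'enum' statement in the layout of the generated
    iana-ssh-*-algs modules (six-space base indent, as in the RFC's output)."""
    rfc_id, section = parse_reference(ref)
    title = RFC_TITLES[rfc_id]
    lines = [f"      enum {name} {{"]
    if "OBSOLETE" in note.upper():          # registry note -> YANG status
        lines.append("        status obsolete;")
    desc = f"Enumeration for the '{name}' algorithm."
    if section:                             # section survives into description
        desc += f" Section {section}"
    lines += [
        "        description",
        f'          "{desc}";',
        "        reference",
        f'          "RFC {rfc_id[3:]}:',
        f'           {title}";',
        "      }",
    ]
    return "\n".join(lines)


def registry_rows(csv_text):
    """Yield (name, reference, note) per CSV row; the first column is the
    algorithm name in every one of the four SSH registries this serves."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row[next(iter(row))]
        yield name, row["Reference"], row.get("Note") or ""


def build_enum_body(csv_text):
    """Text that would sit inside 'type enumeration { ... }' for csv_text."""
    return "\n".join(render_enum(*r) for r in registry_rows(csv_text))


def obsolete_names(csv_text):
    """Names the registry marks OBSOLETE."""
    return {n for n, _, note in registry_rows(csv_text)
            if "OBSOLETE" in note.upper()}


def check_cipher_list(configured, csv_text):
    """Classify a configured algorithm list against the registry, returning
    (unknown, obsolete) so a server configuration can be refused or logged
    before it is applied."""
    known = {n for n, _, _ in registry_rows(csv_text)}
    obsolete = obsolete_names(csv_text)
    return ([a for a in configured if a not in known],
            [a for a in configured if a in obsolete])


if __name__ == "__main__":
    print(build_enum_body(SAMPLE_CSV))
    print(check_cipher_list(["aes128-ctr", "arcfour", "rot13"], SAMPLE_CSV))
```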
A.1. Initial Module for the "Encryption Algorithm Names" Registry | ||||
Following are the complete contents of the initial IANA-maintained | ||||
YANG module. Please note that the date "2024-03-16" reflects the day | ||||
on which the extraction occurred. Applications SHOULD use the IANA- | ||||
maintained module, not the module defined in this draft. | ||||
This YANG module has normative references to [FIPS 46-3], [RFC4253], | ||||
[RFC4344], [RFC5647], and [RFC8758]. | ||||
<CODE BEGINS> file "iana-ssh-encryption-algs@2024-03-16.yang" | ||||
module iana-ssh-encryption-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"; | ||||
prefix sshea; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the encryption algorithms | ||||
defined in the 'Encryption Algorithm Names' sub-registry of the | ||||
'Secure Shell (SSH) Protocol Parameters' registry maintained | ||||
by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC EEEE | ||||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC EEEE to reflect the contents | ||||
of the encryption algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | ||||
} | ||||
typedef ssh-encryption-algorithm { | ||||
type enumeration { | ||||
enum 3des-cbc { | ||||
description | ||||
"Enumeration for the '3des-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum blowfish-cbc { | ||||
description | ||||
"Enumeration for the 'blowfish-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish256-cbc { | ||||
description | ||||
"Enumeration for the 'twofish256-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish-cbc { | ||||
description | ||||
"Enumeration for the 'twofish-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish192-cbc { | ||||
description | ||||
"Enumeration for the 'twofish192-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish128-cbc { | ||||
description | ||||
"Enumeration for the 'twofish128-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum aes256-cbc { | ||||
description | ||||
"Enumeration for the 'aes256-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum aes192-cbc { | ||||
description | ||||
"Enumeration for the 'aes192-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum aes128-cbc { | ||||
description | ||||
"Enumeration for the 'aes128-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum serpent256-cbc { | ||||
description | ||||
"Enumeration for the 'serpent256-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum serpent192-cbc { | ||||
description | ||||
"Enumeration for the 'serpent192-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum serpent128-cbc { | ||||
description | ||||
"Enumeration for the 'serpent128-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum arcfour { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'arcfour' algorithm."; | ||||
reference | ||||
"RFC 8758: | ||||
Deprecating RC4 in Secure Shell (SSH)"; | ||||
} | ||||
enum idea-cbc { | ||||
description | ||||
"Enumeration for the 'idea-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum cast128-cbc { | ||||
description | ||||
"Enumeration for the 'cast128-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum none { | ||||
description | ||||
"Enumeration for the 'none' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum des-cbc { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'des-cbc' algorithm."; | ||||
reference | ||||
"FIPS-46-3: | ||||
Data Encryption Standard (DES)"; | ||||
} | ||||
enum arcfour128 { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'arcfour128' algorithm."; | ||||
reference | ||||
"RFC 8758: | ||||
Deprecating RC4 in Secure Shell (SSH)"; | ||||
} | ||||
enum arcfour256 { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'arcfour256' algorithm."; | ||||
reference | ||||
"RFC 8758: | ||||
Deprecating RC4 in Secure Shell (SSH)"; | ||||
} | ||||
enum aes128-ctr { | ||||
description | ||||
"Enumeration for the 'aes128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum aes192-ctr { | ||||
description | ||||
"Enumeration for the 'aes192-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum aes256-ctr { | ||||
description | ||||
"Enumeration for the 'aes256-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum 3des-ctr { | ||||
description | ||||
"Enumeration for the '3des-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum blowfish-ctr { | ||||
description | ||||
"Enumeration for the 'blowfish-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum twofish128-ctr { | ||||
description | ||||
"Enumeration for the 'twofish128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum twofish192-ctr { | ||||
description | ||||
"Enumeration for the 'twofish192-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum twofish256-ctr { | ||||
description | ||||
"Enumeration for the 'twofish256-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum serpent128-ctr { | ||||
description | ||||
"Enumeration for the 'serpent128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum serpent192-ctr { | ||||
description | ||||
"Enumeration for the 'serpent192-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum serpent256-ctr { | ||||
description | ||||
"Enumeration for the 'serpent256-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum idea-ctr { | ||||
description | ||||
"Enumeration for the 'idea-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum cast128-ctr { | ||||
description | ||||
"Enumeration for the 'cast128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum AEAD_AES_128_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_128_GCM' algorithm. Section | ||||
6.1"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum AEAD_AES_256_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_256_GCM' algorithm. Section | ||||
6.2"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH encryption algorithms."; | ||||
} | ||||
} | ||||
<CODE ENDS> | ||||
A.2. Initial Module for the "MAC Algorithm Names" Registry | ||||
Following are the complete contents of the initial IANA-maintained | ||||
YANG module. Please note that the date "2024-03-16" reflects the day | ||||
on which the extraction occurred. Applications SHOULD use the IANA- | ||||
maintained module, not the module defined in this draft. | ||||
This YANG module has normative references to [RFC4253], [RFC5647], and | ||||
[RFC6668]. | ||||
<CODE BEGINS> file "iana-ssh-mac-algs@2024-03-16.yang" | ||||
module iana-ssh-mac-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs"; | ||||
prefix sshma; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the MAC algorithms | ||||
defined in the 'MAC Algorithm Names' sub-registry of the | ||||
'Secure Shell (SSH) Protocol Parameters' registry maintained | ||||
by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC EEEE | ||||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC EEEE to reflect the contents | ||||
of the mac algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | ||||
} | ||||
typedef ssh-mac-algorithm { | ||||
type enumeration { | ||||
enum hmac-sha1 { | ||||
description | ||||
"Enumeration for the 'hmac-sha1' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-sha1-96 { | ||||
description | ||||
"Enumeration for the 'hmac-sha1-96' algorithm. Section | ||||
6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-md5 { | ||||
description | ||||
"Enumeration for the 'hmac-md5' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-md5-96 { | ||||
description | ||||
"Enumeration for the 'hmac-md5-96' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum none { | ||||
description | ||||
"Enumeration for the 'none' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum AEAD_AES_128_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_128_GCM' algorithm. Section | ||||
6.1"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum AEAD_AES_256_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_256_GCM' algorithm. Section | ||||
6.2"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum hmac-sha2-256 { | ||||
description | ||||
"Enumeration for the 'hmac-sha2-256' algorithm. Section 2"; | ||||
reference | ||||
"RFC 6668: | ||||
SHA-2 Data Integrity Verification for the Secure Shell | ||||
(SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-sha2-512 { | ||||
description | ||||
"Enumeration for the 'hmac-sha2-512' algorithm. Section 2"; | ||||
reference | ||||
"RFC 6668: | ||||
SHA-2 Data Integrity Verification for the Secure Shell | ||||
(SSH) Transport Layer Protocol"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH mac algorithms."; | ||||
} | ||||
} | ||||
<CODE ENDS> | ||||
A.3. Initial Module for the "Public Key Algorithm Names" Registry | ||||
Following are the complete contents of the initial IANA-maintained | ||||
YANG module. Please note that the date "2024-03-16" reflects the day | ||||
on which the extraction occurred. Applications SHOULD use the IANA- | ||||
maintained module, not the module defined in this draft. | ||||
This YANG module has normative references to [RFC4253], [RFC4462], | ||||
[RFC5656], [RFC6187], [RFC8332], and [RFC8709]. | ||||
<CODE BEGINS> file "iana-ssh-public-key-algs@2024-03-16.yang"

module iana-ssh-public-key-algs {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs";
  prefix sshpka;

  organization
    "Internet Assigned Numbers Authority (IANA)";

  contact
    "Postal: ICANN
             12025 Waterfront Drive, Suite 300
             Los Angeles, CA 90094-2536
             United States of America
     Tel:    +1 310 301 5800
     Email:  iana@iana.org";

  description
    "This module defines enumerations for the public key algorithms
     defined in the 'Public Key Algorithm Names' sub-registry of the
     'Secure Shell (SSH) Protocol Parameters' registry maintained
     by IANA.

     Copyright (c) 2024 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     The initial version of this YANG module is part of RFC EEEE
     (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
     itself for full legal notices.

     All versions of this module are published by IANA at
     https://www.iana.org/assignments/yang-parameters.";

  revision 2024-03-16 {
    description
      "This initial version of the module was created using
       the script defined in RFC EEEE to reflect the contents
       of the public key algorithms registry maintained by IANA.";
    reference
      "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
  }

  typedef ssh-public-key-algorithm {
    type enumeration {
      enum ssh-dss {
        description
          "Enumeration for the 'ssh-dss' algorithm. Section 6.6";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum ssh-rsa {
        description
          "Enumeration for the 'ssh-rsa' algorithm. Section 6.6";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum rsa-sha2-256 {
        description
          "Enumeration for the 'rsa-sha2-256' algorithm. Section 3";
        reference
          "RFC 8332:
             Use of RSA Keys with SHA-256 and SHA-512 in the Secure
             Shell (SSH) Protocol";
      }
      enum rsa-sha2-512 {
        description
          "Enumeration for the 'rsa-sha2-512' algorithm. Section 3";
        reference
          "RFC 8332:
             Use of RSA Keys with SHA-256 and SHA-512 in the Secure
             Shell (SSH) Protocol";
      }
      enum spki-sign-rsa {
        description
          "Enumeration for the 'spki-sign-rsa' algorithm. Section
           6.6";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum spki-sign-dss {
        description
          "Enumeration for the 'spki-sign-dss' algorithm. Section
           6.6";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum pgp-sign-rsa {
        description
          "Enumeration for the 'pgp-sign-rsa' algorithm. Section
           6.6";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum pgp-sign-dss {
        description
          "Enumeration for the 'pgp-sign-dss' algorithm. Section
           6.6";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum null {
        description
          "Enumeration for the 'null' algorithm. Section 5";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol";
      }
      enum ecdsa-sha2-nistp256 {
        description
          "Enumeration for the 'ecdsa-sha2-nistp256' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-nistp384 {
        description
          "Enumeration for the 'ecdsa-sha2-nistp384' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-nistp521 {
        description
          "Enumeration for the 'ecdsa-sha2-nistp521' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.1 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.1' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.2.840.10045.3.1.1 {
        description
          "Enumeration for the 'ecdsa-sha2-1.2.840.10045.3.1.1'
           algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.33 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.33' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.26 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.26' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.27 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.27' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.16 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.16' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.36 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.36' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.37 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.37' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdsa-sha2-1.3.132.0.38 {
        description
          "Enumeration for the 'ecdsa-sha2-1.3.132.0.38' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum x509v3-ssh-dss {
        description
          "Enumeration for the 'x509v3-ssh-dss' algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ssh-rsa {
        description
          "Enumeration for the 'x509v3-ssh-rsa' algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-rsa2048-sha256 {
        description
          "Enumeration for the 'x509v3-rsa2048-sha256' algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-nistp256 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-nistp256'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-nistp384 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-nistp384'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-nistp521 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-nistp521'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.1 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.1'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.2.840.10045.3.1.1 {
        description
          "Enumeration for the 'x509v3-ecdsa-
           sha2-1.2.840.10045.3.1.1' algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.33 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.33'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.26 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.26'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.27 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.27'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.16 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.16'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.36 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.36'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.37 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.37'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum x509v3-ecdsa-sha2-1.3.132.0.38 {
        description
          "Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.38'
           algorithm.";
        reference
          "RFC 6187:
             X.509v3 Certificates for Secure Shell Authentication";
      }
      enum ssh-ed25519 {
        description
          "Enumeration for the 'ssh-ed25519' algorithm.";
        reference
          "RFC 8709:
             Ed25519 and Ed448 Public Key Algorithms for the Secure
             Shell (SSH) Protocol";
      }
      enum ssh-ed448 {
        description
          "Enumeration for the 'ssh-ed448' algorithm.";
        reference
          "RFC 8709:
             Ed25519 and Ed448 Public Key Algorithms for the Secure
             Shell (SSH) Protocol";
      }
    }
    description
      "An enumeration for SSH public key algorithms.";
  }
}

<CODE ENDS>
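An application that consumes these IANA-maintained modules typically needs two things: the set of algorithm names the registry knows, and the "status deprecated" marking that the key exchange module in this appendix attaches to SHA-1 and group1 methods. The following is an added example, not part of the RFC and not the script the RFC uses to generate the modules: a small regex parser over the YANG enumeration text, followed by a check that classifies a configured algorithm list into accepted, deprecated and unknown names. The YANG excerpt inside the block is constructed in the shape of the modules above (a subset of enums), and the algorithm name "example-kex-not-in-registry" is a made-up value used only to exercise the unknown branch.

```python
"""Validate a configured SSH algorithm list against an IANA-maintained
YANG enumeration.  Added example; the parser is a deliberately small
regex that relies on the flat structure of the IANA-generated enums."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of iana-ssh-key-exchange-algs
# (three enums; one carries "status deprecated" as in the full module).
YANG_EXCERPT = """
typedef ssh-key-exchange-algorithm {
  type enumeration {
    enum diffie-hellman-group1-sha1 {
      status deprecated;
      description
        "Enumeration for the 'diffie-hellman-group1-sha1'
         algorithm. Section 8.1";
      reference
        "RFC 4253:
           The Secure Shell (SSH) Transport Layer Protocol";
    }
    enum diffie-hellman-group14-sha256 {
      description
        "Enumeration for the 'diffie-hellman-group14-sha256'
         algorithm.";
      reference
        "RFC 8268:
           More Modular Exponentiation (MODP) Diffie-Hellman (DH)
           Key Exchange (KEX) Groups for Secure Shell (SSH)";
    }
    enum ecdh-sha2-nistp256 {
      description
        "Enumeration for the 'ecdh-sha2-nistp256' algorithm.";
      reference
        "RFC 5656:
           Elliptic Curve Algorithm Integration in the Secure
           Shell Transport Layer";
    }
  }
  description
    "An enumeration for SSH key exchange algorithms.";
}
"""


@dataclass(frozen=True)
class EnumEntry:
    name: str
    deprecated: bool
    references: Tuple[int, ...]  # RFC numbers cited in the reference statement


# "enum <name> {" up to the first "}".  The IANA-generated enums contain
# no nested braces, so a non-greedy match is sufficient.  "enumeration {"
# does not match because the regex requires whitespace after "enum".
_ENUM_RE = re.compile(r"enum\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_RFC_RE = re.compile(r"RFC\s+(\d+):")


def parse_enumeration(yang_text: str) -> Dict[str, EnumEntry]:
    """Return {enum-name: EnumEntry} for every enum statement in the text."""
    entries: Dict[str, EnumEntry] = {}
    for match in _ENUM_RE.finditer(yang_text):
        name, body = match.group(1), match.group(2)
        deprecated = re.search(r"\bstatus\s+deprecated\s*;", body) is not None
        refs = tuple(int(n) for n in _RFC_RE.findall(body))
        entries[name] = EnumEntry(name, deprecated, refs)
    return entries


def check_algorithm_list(configured: List[str],
                         entries: Dict[str, EnumEntry]
                         ) -> Tuple[List[str], List[str], List[str]]:
    """Split a configured list into (accepted, deprecated, unknown).

    A policy check would reject the configuration if either the
    deprecated or the unknown list is non-empty."""
    accepted, deprecated, unknown = [], [], []
    for alg in configured:
        entry = entries.get(alg)
        if entry is None:
            unknown.append(alg)
        elif entry.deprecated:
            deprecated.append(alg)
        else:
            accepted.append(alg)
    return accepted, deprecated, unknown


if __name__ == "__main__":
    table = parse_enumeration(YANG_EXCERPT)
    # Constructed configuration: one good, one deprecated, one unknown name.
    result = check_algorithm_list(
        ["ecdh-sha2-nistp256", "diffie-hellman-group1-sha1",
         "example-kex-not-in-registry"], table)
    print("accepted:", result[0])
    print("deprecated:", result[1])
    print("unknown:", result[2])
```

Because the modules are regenerated from the registry, the same parser works on the IANA-published file rather than the snapshot in this draft, which is what the text above recommends applications use; the deprecated list is the practical signal for a configuration audit.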
A.4. Initial Module for the "Key Exchange Method Names" Registry

Following are the complete contents of the initial IANA-maintained YANG module. Please note that the date "2024-03-16" reflects the day on which the extraction occurred. Applications SHOULD use the IANA-maintained module, not the module defined in this draft.

This YANG module has normative references to [RFC4419], [RFC4432], [RFC5656], [RFC8268], [RFC8308], [RFC8731], and [RFC8732].
<CODE BEGINS> file "iana-ssh-key-exchange-algs@2024-03-16.yang"

module iana-ssh-key-exchange-algs {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs";
  prefix sshkea;

  organization
    "Internet Assigned Numbers Authority (IANA)";

  contact
    "Postal: ICANN
             12025 Waterfront Drive, Suite 300
             Los Angeles, CA 90094-2536
             United States of America
     Tel:    +1 310 301 5800
     Email:  iana@iana.org";

  description
    "This module defines enumerations for the key exchange algorithms
     defined in the 'Key Exchange Method Names' sub-registry of the
     'Secure Shell (SSH) Protocol Parameters' registry maintained
     by IANA.

     Copyright (c) 2024 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     The initial version of this YANG module is part of RFC EEEE
     (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
     itself for full legal notices.

     All versions of this module are published by IANA at
     https://www.iana.org/assignments/yang-parameters.";

  revision 2024-03-16 {
    description
      "This initial version of the module was created using
       the script defined in RFC EEEE to reflect the contents
       of the key exchange algorithms registry maintained by IANA.";
    reference
      "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
  }

  typedef ssh-key-exchange-algorithm {
    type enumeration {
      enum diffie-hellman-group-exchange-sha1 {
        status deprecated;
        description
          "Enumeration for the 'diffie-hellman-group-exchange-sha1'
           algorithm. Section 4.1";
        reference
          "RFC 4419:
             Diffie-Hellman Group Exchange for the Secure Shell
             (SSH) Transport Layer Protocol
           RFC 8270:
             Increase the Secure Shell Minimum Recommended Diffie-
             Hellman Modulus Size to 2048 Bits";
      }
      enum diffie-hellman-group-exchange-sha256 {
        description
          "Enumeration for the 'diffie-hellman-group-exchange-sha256'
           algorithm. Section 4.2";
        reference
          "RFC 4419:
             Diffie-Hellman Group Exchange for the Secure Shell
             (SSH) Transport Layer Protocol
           RFC 8270:
             Increase the Secure Shell Minimum Recommended Diffie-
             Hellman Modulus Size to 2048 Bits";
      }
      enum diffie-hellman-group1-sha1 {
        status deprecated;
        description
          "Enumeration for the 'diffie-hellman-group1-sha1'
           algorithm. Section 8.1";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum diffie-hellman-group14-sha1 {
        description
          "Enumeration for the 'diffie-hellman-group14-sha1'
           algorithm. Section 8.2";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum diffie-hellman-group14-sha256 {
        description
          "Enumeration for the 'diffie-hellman-group14-sha256'
           algorithm.";
        reference
          "RFC 8268:
             More Modular Exponentiation (MODP) Diffie-Hellman (DH)
             Key Exchange (KEX) Groups for Secure Shell (SSH)";
      }
      enum diffie-hellman-group15-sha512 {
        description
          "Enumeration for the 'diffie-hellman-group15-sha512'
           algorithm.";
        reference
          "RFC 8268:
             More Modular Exponentiation (MODP) Diffie-Hellman (DH)
             Key Exchange (KEX) Groups for Secure Shell (SSH)";
      }
      enum diffie-hellman-group16-sha512 {
        description
          "Enumeration for the 'diffie-hellman-group16-sha512'
           algorithm.";
        reference
          "RFC 8268:
             More Modular Exponentiation (MODP) Diffie-Hellman (DH)
             Key Exchange (KEX) Groups for Secure Shell (SSH)";
      }
      enum diffie-hellman-group17-sha512 {
        description
          "Enumeration for the 'diffie-hellman-group17-sha512'
           algorithm.";
        reference
          "RFC 8268:
             More Modular Exponentiation (MODP) Diffie-Hellman (DH)
             Key Exchange (KEX) Groups for Secure Shell (SSH)";
      }
      enum diffie-hellman-group18-sha512 {
        description
          "Enumeration for the 'diffie-hellman-group18-sha512'
           algorithm.";
        reference
          "RFC 8268:
             More Modular Exponentiation (MODP) Diffie-Hellman (DH)
             Key Exchange (KEX) Groups for Secure Shell (SSH)";
      }
      enum ecdh-sha2-nistp256 {
        description
          "Enumeration for the 'ecdh-sha2-nistp256' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-nistp384 {
        description
          "Enumeration for the 'ecdh-sha2-nistp384' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-nistp521 {
        description
          "Enumeration for the 'ecdh-sha2-nistp521' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.1 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.1' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.2.840.10045.3.1.1 {
        description
          "Enumeration for the 'ecdh-sha2-1.2.840.10045.3.1.1'
           algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.33 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.33' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.26 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.26' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.27 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.27' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.16 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.16' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.36 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.36' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.37 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.37' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecdh-sha2-1.3.132.0.38 {
        description
          "Enumeration for the 'ecdh-sha2-1.3.132.0.38' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum ecmqv-sha2 {
        description
          "Enumeration for the 'ecmqv-sha2' algorithm.";
        reference
          "RFC 5656:
             Elliptic Curve Algorithm Integration in the Secure
             Shell Transport Layer";
      }
      enum gss-group1-sha1-nistp256 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-nistp256'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-nistp384 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-nistp384'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-nistp521 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-nistp521'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.1 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.1'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.2.840.10045.3.1.1 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.2.840.10045.3.1.1'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.33 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.33'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.26 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.26'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.27 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.27'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.16 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.16'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.36 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.36'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.37 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.37'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group1-sha1-1.3.132.0.38 {
        status deprecated;
        description
          "Enumeration for the 'gss-group1-sha1-1.3.132.0.38'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-nistp256 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-nistp256'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-nistp384 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-nistp384'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-nistp521 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-nistp521'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.1 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.1'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.2.840.10045.3.1.1 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.2.840.10045.3.1.1'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.33 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.33'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.26 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.26'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.27 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.27'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.16 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.16'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.36 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.36'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.37 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.37'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-group14-sha1-1.3.132.0.38 {
        status deprecated;
        description
          "Enumeration for the 'gss-group14-sha1-1.3.132.0.38'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-nistp256 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-nistp256' algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-nistp384 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-nistp384' algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-nistp521 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-nistp521' algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-1.3.132.0.1 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-1.3.132.0.1'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-1.2.840.10045.3.1.1 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-1.2.840.10045.3.1.1'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-1.3.132.0.33 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-1.3.132.0.33'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-1.3.132.0.26 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-1.3.132.0.26'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-1.3.132.0.27 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-1.3.132.0.27'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
             (GSS-API) Authentication and Key Exchange for the
             Secure Shell (SSH) Protocol
           RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-gex-sha1-1.3.132.0.16 {
        status deprecated;
        description
          "Enumeration for the 'gss-gex-sha1-1.3.132.0.16'
           algorithm.";
        reference
          "RFC 4462:
             Generic Security Service Application Program Interface
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.36 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.37 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.38 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss- { | ||||
description | ||||
"Enumeration for the 'gss-' algorithm. Section 2.6"; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol"; | ||||
} | ||||
enum rsa1024-sha1 { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'rsa1024-sha1' algorithm."; | ||||
reference | ||||
"RFC 4432: | ||||
RSA Key Exchange for the Secure Shell (SSH) Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum rsa2048-sha256 { | ||||
description | ||||
"Enumeration for the 'rsa2048-sha256' algorithm."; | ||||
reference | ||||
"RFC 4432: | ||||
RSA Key Exchange for the Secure Shell (SSH) Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum ext-info-s { | ||||
description | ||||
"Enumeration for the 'ext-info-s' algorithm. Section 2"; | ||||
reference | ||||
"RFC 8308: | ||||
Extension Negotiation in the Secure Shell (SSH) | ||||
Protocol"; | ||||
} | ||||
enum ext-info-c { | ||||
description | ||||
"Enumeration for the 'ext-info-c' algorithm. Section 2"; | ||||
reference | ||||
"RFC 8308: | ||||
Extension Negotiation in the Secure Shell (SSH) | ||||
Protocol"; | ||||
} | ||||
enum gss-group14-sha256-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group14-sha256-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group15-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group16-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group17-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group18-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
nistp256-sha256-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
nistp384-sha384-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
nistp521-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
curve25519-sha256-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
curve448-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum curve25519-sha256 { | ||||
description | ||||
"Enumeration for the 'curve25519-sha256' algorithm."; | ||||
reference | ||||
"RFC 8731: | ||||
Secure Shell (SSH) Key Exchange Method Using | ||||
Curve25519 and Curve448"; | ||||
} | ||||
enum curve448-sha512 { | ||||
description | ||||
"Enumeration for the 'curve448-sha512' algorithm."; | ||||
reference | ||||
"RFC 8731: | ||||
Secure Shell (SSH) Key Exchange Method Using | ||||
Curve25519 and Curve448"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH key exchange algorithms."; | ||||
} | ||||
} | ||||
<CODE ENDS> | ||||
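The enumeration above is closed: a client or server configuration that names a key-exchange algorithm outside it fails YANG validation. The following added example (not code from RFC 9644 or its gen-yang-modules.py script) parses "enum" statements from a constructed excerpt of the module and checks a constructed key-exchange list against them; the excerpt, the regexes and the configured list are all assumptions of this example.

```python
"""Check a configured SSH key-exchange list against the enumerations of
the iana-ssh-key-exchange-algs YANG module (added example, not from
RFC 9644 or its generator script)."""
import re

# Constructed excerpt: four enum statements copied in the module's format.
# The real module enumerates many more algorithms than shown here.
YANG_EXCERPT = """\
      enum gss-nistp521-sha512-1.2.840.10045.3.1.1 {
        description
          "Enumeration for the 'gss-
           nistp521-sha512-1.2.840.10045.3.1.1' algorithm.";
        reference
          "RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum gss-curve25519-sha256-nistp256 {
        description
          "Enumeration for the 'gss-curve25519-sha256-nistp256'
           algorithm.";
        reference
          "RFC 8732:
             Generic Security Service Application Program Interface
             (GSS-API) Key Exchange with SHA-2";
      }
      enum curve25519-sha256 {
        description
          "Enumeration for the 'curve25519-sha256' algorithm.";
        reference
          "RFC 8731:
             Secure Shell (SSH) Key Exchange Method Using
             Curve25519 and Curve448";
      }
      enum curve448-sha512 {
        description
          "Enumeration for the 'curve448-sha512' algorithm.";
        reference
          "RFC 8731:
             Secure Shell (SSH) Key Exchange Method Using
             Curve25519 and Curve448";
      }
"""

# "enum <name> {" at line start; \S+ also covers dotted OID suffixes.
ENUM_RE = re.compile(r'^\s*enum\s+(\S+)\s*\{', re.MULTILINE)
# First "RFC NNNN" inside the enum's reference statement.
REF_RE = re.compile(r'reference\s*"(RFC\s+\d+)')


def parse_kex_enums(yang_text):
    """Return {enum-name: reference RFC (or None)} for each enum statement."""
    matches = list(ENUM_RE.finditer(yang_text))
    enums = {}
    for i, m in enumerate(matches):
        # An enum's body runs up to the start of the next enum statement.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(yang_text)
        ref = REF_RE.search(yang_text[m.end():end])
        enums[m.group(1)] = ref.group(1) if ref else None
    return enums


def check_kex_config(configured, enums):
    """Split a configured kex list into (known -> RFC) and unknown names.

    Unknown names would be rejected by a datastore validating against the
    module.  Names with an "@domain" suffix are locally defined (RFC 4251)
    and are never part of the IANA registry, so they always land here."""
    known, unknown = {}, []
    for name in configured:
        (known.__setitem__(name, enums[name]) if name in enums
         else unknown.append(name))
    return known, unknown


# Constructed configuration: two valid names, one misspelling, one
# locally defined "@" name that the IANA-maintained module cannot express.
CONSTRUCTED_CONFIG = ["curve25519-sha256", "gss-curve25519-sha256-nistp256",
                      "curve25519-sha512", "curve25519-sha256@libssh.org"]

if __name__ == "__main__":
    known, unknown = check_kex_config(CONSTRUCTED_CONFIG,
                                      parse_kex_enums(YANG_EXCERPT))
    for name, rfc in known.items():
        print(f"ok       {name} ({rfc})")
    for name in unknown:
        print(f"REJECTED {name}: not in iana-ssh-key-exchange-algs")
```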
Appendix B. Change Log | ||||
B.1. 00 to 01 | ||||
* Noted that '0.0.0.0' and '::' might have special meanings. | ||||
* Renamed "keychain" to "keystore". | ||||
B.2. 01 to 02 | ||||
* Removed the groupings 'listening-ssh-client-grouping' and | ||||
'listening-ssh-server-grouping'. Now modules only contain the | ||||
transport-independent groupings. | ||||
* Simplified the "client-auth" part in the ietf-ssh-client module. | ||||
It now inlines what it used to point to keystore for. | ||||
* Added cipher suites for various algorithms into new 'ietf-ssh- | ||||
common' module. | ||||
B.3. 02 to 03 | ||||
* Removed 'RESTRICTED' enum from 'password' leaf type. | ||||
* Added a 'must' statement to container 'server-auth' asserting that | ||||
at least one of the various auth mechanisms must be specified. | ||||
* Fixed description statement for leaf 'trusted-ca-certs'. | ||||
B.4. 03 to 04 | ||||
* Change title to "YANG Groupings for SSH Clients and SSH Servers" | ||||
* Added reference to RFC 6668 | ||||
* Added RFC 8174 to Requirements Language Section. | ||||
* Enhanced description statement for ietf-ssh-server's "trusted-ca- | ||||
certs" leaf. | ||||
* Added mandatory true to ietf-ssh-client's "client-auth" 'choice' | ||||
statement. | ||||
* Changed the YANG prefix for module ietf-ssh-common from 'sshcom' | ||||
to 'sshcmn'. | ||||
* Removed the compression algorithms as they are not commonly | ||||
configurable in vendors' implementations. | ||||
* Updated descriptions in transport-params-grouping and the | ||||
server's usage of it. | ||||
* Now tree diagrams reference ietf-netmod-yang-tree-diagrams | ||||
* Updated YANG to use typedefs around leafrefs to common keystore | ||||
paths | ||||
* Now inlines key and certificates (no longer a leafref to keystore) | ||||
B.5. 04 to 05 | ||||
* Merged changes from co-author. | ||||
B.6. 05 to 06 | ||||
* Updated to use trust anchors from trust-anchors draft (was | ||||
keystore draft) | ||||
* Now uses new keystore grouping enabling asymmetric key to be | ||||
either locally defined or a reference to the keystore. | ||||
B.7. 06 to 07 | ||||
* factored the ssh-[client|server]-groupings into more reusable | ||||
groupings. | ||||
* added if-feature statements for the new "ssh-host-keys" and | ||||
"x509-certificates" features defined in draft-ietf-netconf-trust- | ||||
anchors. | ||||
B.8. 07 to 08 | ||||
* Added a number of compatibility matrices to Section 5 (thanks | ||||
Frank!) | ||||
* Clarified that any configured "host-key-alg" values need to be | ||||
compatible with the configured private key. | ||||
B.9. 08 to 09 | ||||
* Updated examples to reflect update to groupings defined in the | ||||
keystore -09 draft. | ||||
* Add SSH keepalives features and groupings. | ||||
* Prefixed top-level SSH grouping nodes with 'ssh-' and support | ||||
mashups. | ||||
* Updated copyright date, boilerplate template, affiliation, and | ||||
folding algorithm. | ||||
B.10. 09 to 10 | ||||
* Reformatted the YANG modules. | ||||
B.11. 10 to 11 | ||||
* Reformatted lines causing folding to occur. | ||||
B.12. 11 to 12 | ||||
* Collapsed all the inner groupings into the top-level grouping. | ||||
* Added a top-level "demux container" inside the top-level grouping. | ||||
* Added NACM statements and updated the Security Considerations | ||||
section. | ||||
* Added "presence" statements on the "keepalive" containers, as was | ||||
needed to address a validation error that appeared after adding | ||||
the "must" statements into the NETCONF/RESTCONF client/server | ||||
modules. | ||||
* Updated the boilerplate text in module-level "description" | ||||
statement to match copyeditor convention. | ||||
B.13. 12 to 13 | ||||
* Removed the "demux containers", floating the nacm:default-deny- | ||||
write to each descendant node, and adding a note to model | ||||
designers regarding the potential need to add their own demux | ||||
containers. | ||||
* Fixed a couple of references (section 2 --> section 3) | ||||
* In the server model, replaced <client-cert-auth> with <client- | ||||
authentication> and introduced 'inline-or-external' choice. | ||||
B.14. 13 to 14 | ||||
* Updated to reflect changes in trust-anchors drafts (e.g., s/trust- | ||||
anchors/truststore/g + s/pinned.//) | ||||
B.15. 14 to 15 | ||||
* Updated examples to reflect ietf-crypto-types change (e.g., | ||||
identities --> enumerations) | ||||
* Updated "server-authentication" and "client-authentication" nodes | ||||
from being a leaf of type "ts:host-keys-ref" or "ts:certificates- | ||||
ref" to a container that uses "ts:inline-or-truststore-host-keys- | ||||
grouping" or "ts:inline-or-truststore-certs-grouping". | ||||
B.16. 15 to 16 | ||||
* Removed unnecessary if-feature statements in the -client and | ||||
-server modules. | ||||
* Cleaned up some description statements in the -client and -server | ||||
modules. | ||||
* Fixed a canonical ordering issue in ietf-ssh-common detected by | ||||
new pyang. | ||||
B.17. 16 to 17 | ||||
* Removed choice inline-or-external by removing the 'external' case | ||||
and flattening the 'local' case and adding a "local-users- | ||||
supported" feature. | ||||
* Updated examples to include the "*-key-format" nodes. | ||||
* Augmented-in "must" expressions ensuring that locally-defined | ||||
public-key-format are "ct:ssh-public-key-format" (must expr for | ||||
ref'ed keys are TBD). | ||||
B.18. 17 to 18 | ||||
* Removed leaf-list 'other' from ietf-ssh-server. | ||||
* Removed unused 'external-client-auth-supported' feature. | ||||
* Added features client-auth-password, client-auth-hostbased, and | ||||
client-auth-none. | ||||
* Renamed 'host-key' to 'public-key' for when referring to | ||||
'publickey' based auth. | ||||
* Added new feature-protected 'hostbased' and 'none' to the 'user' | ||||
node's config. | ||||
* Added new feature-protected 'hostbased' and 'none' to the 'client- | ||||
identity' node's config. | ||||
* Updated examples to reflect new "bag" addition to truststore. | ||||
* Refined truststore/keystore groupings to ensure the key formats | ||||
"must" be particular values. | ||||
* Switched to using truststore's new "public-key" bag (instead of | ||||
separate "ssh-public-key" and "raw-public-key" bags). | ||||
* Updated client/server examples to cover ALL cases (local/ref x | ||||
cert/raw-key/psk). | ||||
B.19. 18 to 19 | ||||
* Updated the "keepalives" containers to address Michal Vasko's | ||||
request to align with RFC 8071. | ||||
* Removed algorithm-mapping tables from the "SSH Common Model" | ||||
section | ||||
* Removed 'algorithm' node from examples. | ||||
* Added feature "userauth-publickey" | ||||
* Removed "choice auth-type", as auth-types are not exclusive. | ||||
* Renamed both "client-certs" and "server-certs" to "ee-certs" | ||||
* Switch "must" to assert the public-key-format is "subject-public- | ||||
key-info-format" when certificates are used. | ||||
* Added a "Note to Reviewers" note to first page. | ||||
B.20. 19 to 20 | ||||
* Added a "must 'public-key or password or hostbased or none or | ||||
certificate'" statement to the "user" node in ietf-ssh-client | ||||
* Expanded the "Data Model Overview" section(s) (removed the "wall" | ||||
of tree diagrams). | ||||
* Moved the "ietf-ssh-common" module section to precede the other | ||||
two module sections. | ||||
* Updated the Security Considerations section. | ||||
B.21. 20 to 21 | ||||
* Updated examples to reflect new "cleartext-" prefix in the crypto- | ||||
types draft. | ||||
B.22. 21 to 22 | ||||
* Cleaned up the SSH-client examples (i.e., removing FIXMEs) | ||||
* Fixed issues found by the SecDir review of the "keystore" draft. | ||||
* Updated the "ietf-ssh-client" module to use the new "password- | ||||
grouping" grouping from the "crypto-types" module. | ||||
B.23. 22 to 23 | ||||
* Addressed comments raised by YANG Doctor in the ct/ts/ks drafts. | ||||
B.24. 23 to 24 | ||||
* Removed the 'supported-authentication-methods' from {grouping ssh- | ||||
server-grouping}/client-authentication. | ||||
* Added XML-comment above examples explaining the reason for the | ||||
unexpected top-most element's presence. | ||||
* Added RFC-references to various 'feature' statements. | ||||
* Renamed "credentials" to "authentication methods" | ||||
* Renamed "client-auth-*" to "userauth-*" | ||||
* Renamed "client-identity-*" to "userauth-*" | ||||
* Fixed nits found by YANG Doctor reviews. | ||||
* Aligned modules with `pyang -f` formatting. | ||||
* Added a 'Contributors' section. | ||||
B.25. 24 to 25 | ||||
* Moved algorithms in ietf-ssh-common (plus more) to IANA-maintained | ||||
modules | ||||
* Added "config false" lists for algorithms supported by the server. | ||||
* Renamed "{ietf-ssh-client}userauth-*" to "client-ident-*" | ||||
* Renamed "{ietf-ssh-server}userauth-*" to "local-user-auth-*" | ||||
* Fixed issues found during YANG Doctor review. | ||||
* Fixed issues found during Secdir review. | ||||
B.26. 25 to 26 | ||||
* Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples. | ||||
* Minor editorial nits | ||||
B.27. 26 to 27 | ||||
* Fixed up the 'WG Web' and 'WG List' lines in YANG module(s) | ||||
* Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s) | ||||
* Created identityref-based typedefs for each of the four IANA alg | ||||
identity bases. | ||||
* Added ietf-ssh-common:generate-asymmetric-key-pair() RPC for | ||||
discussion. | ||||
B.28. 27 to 28 | ||||
* Fixed example to not have line-returns around "identity" values. | ||||
* Fixed examples to not include "xmlns:algs". | ||||
* Added an example for the "generate-asymmetric-key-pair" RPC. | ||||
B.29. 28 to 29 | ||||
* Updated modules to IANA-maintained modules in Appendix A to | ||||
2022-06-16. | ||||
B.30. 29 to 30 | ||||
* Fixed 'must' expressions. | ||||
* Added missing 'revision' statement. | ||||
B.31. 30 to 31 | ||||
* Updated per Shepherd reviews impacting the suite of drafts. | ||||
B.32. 31 to 32 | ||||
* Updated per Shepherd reviews impacting the suite of drafts. | ||||
B.33. 32 to 33 | ||||
* Updated per Tom Petch review. | ||||
* Updated Intro to clarify what "generic" means. | ||||
* Added RPC-reply for 'generate-asymmetric-key-pair' example. | ||||
* Added references to RFC 4251 and FIPS 186-6. | ||||
* Added "if-feature ct:encrypted-private-keys" for "case cleartext". | ||||
B.34. 33 to 34 | ||||
* Addresses AD review comments. | ||||
* Added note to Editor to fix line foldings. | ||||
* Introduction now more clearly identifies the "ietf-" and "iana-" | ||||
modules defined. | ||||
* Clarified that the modules, when implemented, do not define any | ||||
protocol-accessible nodes. | ||||
* Clarified that IANA may deprecate and/or obsolete identities over | ||||
time. | ||||
* Added Security Consideration for the "generate-asymmetric-key- | ||||
pair" RPC. | ||||
* Added Security Considerations text pointing readers to the | ||||
Security Considerations sections of the imported modules as well. | ||||
* Fixed private-key "must" expressions to not require public-key | ||||
nodes to be present. | ||||
* Renamed leaf from "bits" to "num-bits". | ||||
* Renamed leaf from "hide" to "hidden". | ||||
* Added container "private-key-encoding" to wrap existing choice. | ||||
* Removed "public-key-format" and "public-key" nodes from examples. | ||||
B.35. 34 to 35 | ||||
* Addresses AD review by Rob Wilton. | ||||
B.36. 35 to 36 | ||||
* Addresses 1st-round of IESG reviews. | ||||
B.37. 36 to 38 | ||||
* Addresses issues found in OpsDir review of the ssh-client-server | ||||
draft. | ||||
* Replaced identities with enums in the IANA modules. | ||||
* Updated per Elwyn Davies' Gen-ART review. | ||||
* Updated Introduction to read more like the Abstract | ||||
* Add refs to where the 'operational' and 'system' datastores are | ||||
defined. | ||||
* Updated Editor-notes to NOT remove the script (just remove the | ||||
initial IANA modules) | ||||
* Renamed Security Considerations section s/Template for/ | ||||
Considerations for/ | ||||
* s/defines/presents/ in a few places. | ||||
* Renamed script from 'gen-identities.py' to 'gen-yang-modules.py' | ||||
* Removed the removeInRFC="true" attribute in Appendix sections | ||||
B.38. 38 to 39 | ||||
* Address IESG review comments. | ||||
B.39. 39 to 40 | ||||
* Updated to reflect comments from Paul Wouters. | ||||
* Fixed the "generate-asymmetric-key-pair" RPC to return the | ||||
location to where hidden keys are created. | ||||
Acknowledgements | Acknowledgements | |||
The authors would like to thank the following for lively discussions | The authors would like to thank the following for lively discussions | |||
on list and in the halls (ordered by first name): Alan Luchuk, Andy | on list and in the halls (ordered by first name): Alan Luchuk, Andy | |||
Bierman, Balázs Kovács, Barry Leiba, Benoit Claise, Bert Wijnen, | Bierman, Balázs Kovács, Barry Leiba, Benoit Claise, Bert Wijnen, | |||
David Lamparter, Elwyn Davies, Gary Wu, Jürgen Schönwälder, Ladislav | David Lamparter, Elwyn Davies, Gary Wu, Jürgen Schönwälder, Ladislav | |||
Lhotka, Liang Xia, Martin Björklund, Martin Thomson, Mehmet Ersue, | Lhotka, Liang Xia, Martin Björklund, Martin Thomson, Mehmet Ersue, | |||
Michal Vaško, Murray Kucherawy, Paul Wouters, Per Andersson, Phil | Michal Vaško, Murray Kucherawy, Paul Wouters, Per Andersson, Phil | |||
Shafer, Qin Wun, Radek Krejci, Rob Wilton, Roman Danyliw, Russ | Shafer, Qin Wun, Radek Krejci, Rob Wilton, Roman Danyliw, Russ | |||
Housley, Sean Turner, Tom Petch, Thomas Martin, and Warren Kumari. | Housley, Sean Turner, Thomas Martin, Tom Petch, and Warren Kumari. | |||
Contributors | Contributors | |||
Special acknowledgement goes to Gary Wu for his work on the "ietf- | Special acknowledgement goes to Gary Wu for his work on the "ietf- | |||
ssh-common" module. | ssh-common" module. | |||
Author's Address | Author's Address | |||
Kent Watsen | Kent Watsen | |||
Watsen Networks | Watsen Networks | |||
End of changes. 337 change blocks. | ||||
4408 lines changed or deleted | 787 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |