rfc9644.original.xml | rfc9644.xml | |||
---|---|---|---|---|
<?xml version='1.0' encoding='utf-8'?> | <?xml version='1.0' encoding='UTF-8'?> | |||
<!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
<!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
<!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
<!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
<!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
]> | ]> | |||
<?rfc toc="yes"?> | ||||
<?rfc symrefs="yes"?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true" | |||
<?rfc sortrefs="yes" ?> | submissionType="IETF" docName="draft-ietf-netconf-ssh-client-server-40" number=" | |||
<?rfc compact="yes"?> | 9644" updates="" obsoletes="" ipr="trust200902" tocInclude="true" symRefs="true" | |||
<?rfc subcompact="no"?> | sortRefs="true" version="3" > | |||
<?rfc linkmailto="no" ?> | ||||
<?rfc editing="no" ?> | ||||
<?rfc comments="yes" ?> | ||||
<?rfc inline="yes"?> | ||||
<?rfc rfcedstyle="yes"?> | ||||
<?rfc-ext allow-markup-in-artwork="yes" ?> | ||||
<?rfc-ext include-index="no" ?> | ||||
<!--<?rfc strict="no"?> --> | ||||
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true" | ||||
submissionType="IETF" docName="draft-ietf-netconf-ssh-client-server-40" ipr="tru | ||||
st200902" tocInclude="true" symRefs="true" sortRefs="true" version="3"> | ||||
<!-- xml2rfc v2v3 conversion 3.17.4 --> | ||||
<front> | <front> | |||
<title abbrev="Groupings for SSH Clients and Servers">YANG Groupings for | ||||
SSH Clients and SSH Servers</title> | <title abbrev="Groupings for SSH Clients and Servers">YANG Groupings for SSH | |||
<seriesInfo name="Internet-Draft" value="draft-ietf-netconf-ssh-client-serve | Clients and SSH Servers</title> | |||
r-40"/> | <seriesInfo name="RFC" value="9644"/> | |||
<author fullname="Kent Watsen" initials="K." surname="Watsen"> | <author fullname="Kent Watsen" initials="K." surname="Watsen"> | |||
<organization>Watsen Networks</organization> | <organization>Watsen Networks</organization> | |||
<address> | <address> | |||
<email>kent+ietf@watsen.net</email> | <email>kent+ietf@watsen.net</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<date/> | <date month="October" year="2024"/> | |||
<area>Operations</area> | <area>OPS</area> | |||
<workgroup>NETCONF Working Group</workgroup> | <workgroup>netconf</workgroup> | |||
<abstract> | <abstract> | |||
<t>This document presents seven YANG 1.1 modules. Three IETF modules, | <t>This document presents three IETF-defined YANG modules and a script use | |||
and four supporting IANA modules.</t> | d to create four supporting IANA modules.</t> | |||
<t>The three IETF modules are: ietf-ssh-common, ietf-ssh-client, and | <t>The three IETF modules are ietf-ssh-common, ietf-ssh-client, and | |||
ietf-ssh-server. The "ietf-ssh-client" and "ietf-ssh-server" modules | ietf-ssh-server. The "ietf-ssh-client" and "ietf-ssh-server" modules | |||
are the primary productions of this work, supporting the configuration | are the primary productions of this work, supporting the configuration | |||
and monitoring of SSH clients and servers.</t> | and monitoring of Secure Shell (SSH) clients and servers.</t> | |||
<t>The four IANA modules are: iana-ssh-encryption-algs, iana-ssh-key-excha | <t>The four IANA modules are iana-ssh-encryption-algs, iana-ssh-key-exchan | |||
nge-algs, | ge-algs, | |||
iana-ssh-mac-algs, and iana-ssh-public-key-algs. These modules each | iana-ssh-mac-algs, and iana-ssh-public-key-algs. These modules each | |||
define YANG enumerations providing support for an IANA-maintained algori thm registry.</t> | define YANG enumerations providing support for an IANA-maintained algori thm registry.</t> | |||
</abstract> | </abstract> | |||
<note> | ||||
<name>Editorial Note (To be removed by RFC Editor)</name> | ||||
<t>This draft contains placeholder values that need to be replaced | ||||
with finalized values at the time of publication. This note summarizes | ||||
all of the substitutions that are needed. No other RFC Editor | ||||
instructions are specified elsewhere in this document.</t> | ||||
<t>Artwork in this document contains shorthand references to drafts in | ||||
progress. Please apply the following replacements: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<tt>AAAA</tt> --> the assigned RFC value for draft-ietf-netconf-cry | ||||
pto-types</li> | ||||
<li> | ||||
<tt>BBBB</tt> --> the assigned RFC value for draft-ietf-netconf-tru | ||||
st-anchors</li> | ||||
<li> | ||||
<tt>CCCC</tt> --> the assigned RFC value for draft-ietf-netconf-key | ||||
store</li> | ||||
<li> | ||||
<tt>DDDD</tt> --> the assigned RFC value for draft-ietf-netconf-tcp | ||||
-client-server</li> | ||||
<li> | ||||
<tt>EEEE</tt> --> the assigned RFC value for this draft</li> | ||||
</ul> | ||||
<t>Artwork in this document contains placeholder values for the date of | ||||
publication of this draft. Please apply the following replacement: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<tt>2024-03-16</tt> --> the publication date of this draft</li> | ||||
</ul> | ||||
<t>The "Relation to other RFCs" section <xref target="collective-effort"/> | ||||
contains | ||||
the text "one or more YANG modules" and, later, "modules". This text is | ||||
sourced | ||||
from a file in a context where it is unknown how many modules a draft de | ||||
fines. | ||||
The text is not wrong as is, but it may be improved by stating more dire | ||||
ctly how | ||||
many modules are defined.</t> | ||||
<t>The "Relation to other RFCs" section <xref target="collective-effort"/> | ||||
contains | ||||
a self-reference to this draft, along with a corresponding reference i | ||||
n | ||||
the Appendix. Please replace the self-reference in this section with | ||||
"This RFC" | ||||
(or similar) and remove the self-reference in the "Normative/Informati | ||||
ve References" | ||||
section, whichever it is in.</t> | ||||
<t>Tree-diagrams in this draft may use the '\' line-folding mode defined i | ||||
n RFC 8792. | ||||
However, nicer-to-the-eye is when the '\\' line-folding mode is used. | ||||
The AD suggested | ||||
suggested putting a request here for the RFC Editor to help convert "u | ||||
gly" '\' folded | ||||
examples to use the '\\' folding mode. "Help convert" may be interpre | ||||
ted as, identify | ||||
what looks ugly and ask the authors to make the adjustment.</t> | ||||
<t>The following Appendix sections are to be removed prior to publication: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<xref target="ssh-enc-algs-model"/>. Initial Module for the "Encrypti | ||||
on Algorithm Names" Registry</li> | ||||
<li> | ||||
<xref target="ssh-mac-algs-model"/>. Initial Module for the "MAC Algo | ||||
rithm Names" Registry</li> | ||||
<li> | ||||
<xref target="ssh-pubkey-algs-model"/>. Initial Module for the "Publi | ||||
c Key Algorithm Names" Registry</li> | ||||
<li> | ||||
<xref target="ssh-keyex-algs-model"/>. Initial Module for the "Key Ex | ||||
change Method Names" Registry</li> | ||||
<li> | ||||
<xref target="change-log"/>. Change Log</li> | ||||
</ul> | ||||
</note> | ||||
</front> | </front> | |||
<middle> | <middle> | |||
<section> | <section> | |||
<name>Introduction</name> | <name>Introduction</name> | |||
<t>This document presents seven YANG 1.1 <xref target="RFC7950"/> | <t>This document presents three IETF-defined YANG modules <xref target="RF | |||
modules. Three "IETF" modules and four "IANA" modules.</t> | C7950"/> and a script used to create four supporting IANA modules.</t> | |||
<t>The three IETF modules are ietf-ssh-common (<xref target="ssh-common-mo del"/>), | <t>The three IETF modules are ietf-ssh-common (<xref target="ssh-common-mo del"/>), | |||
ietf-ssh-client (<xref target="ssh-client-model"/>), and ietf-ssh-server | ietf-ssh-client (<xref target="ssh-client-model"/>), and ietf-ssh-server | |||
(<xref target="ssh-server-model"/>). The "ietf-ssh-client" and "ietf-ss h-server" | (<xref target="ssh-server-model"/>). The "ietf-ssh-client" and "ietf-ss h-server" | |||
modules are the primary productions of this work, supporting the configu ration | modules are the primary productions of this work, supporting the configu ration | |||
and monitoring of SSH clients and servers.</t> | and monitoring of SSH clients and servers.</t> | |||
<t>The groupings defined in this document are expected to be used in | <t>The groupings defined in this document are expected to be used in | |||
conjunction with the groupings defined in an underlying transport-level | conjunction with the groupings defined in an underlying transport-level | |||
module, such as the groupings defined in <xref target="I-D.ietf-netconf- tcp-client-server"/>. | module, such as the groupings defined in <xref target="RFC9643"/>. | |||
The transport-level data model enables the configuration of transport-le vel | The transport-level data model enables the configuration of transport-le vel | |||
values such as a remote address, a remote port, a local address, and a | values, such as a remote address, a remote port, a local address, and a | |||
local port.</t> | local port.</t> | |||
<t>The four IANA modules are: iana-ssh-encryption-algs (<xref target="ssh- | <t>The four IANA modules are: iana-ssh-encryption-algs, | |||
enc-algs-model"/>), | iana-ssh-key-exchange-algs, | |||
iana-ssh-key-exchange-algs (<xref target="ssh-keyex-algs-model"/>), | iana-ssh-mac-algs, and iana-ssh-public-key-algs. These modules each def | |||
iana-ssh-mac-algs (<xref target="ssh-mac-algs-model"/>), and iana-ssh-pu | ine YANG | |||
blic-key-algs | ||||
(<xref target="ssh-pubkey-algs-model"/>). These modules each define YAN | ||||
G | ||||
enumerations providing support for an IANA-maintained algorithm registry .</t> | enumerations providing support for an IANA-maintained algorithm registry .</t> | |||
<t>This document assumes that the four IANA modules exist, | <t>This document assumes that the four IANA modules exist | |||
and presents a script in <xref target="iana-script"/> that IANA | and presents a script in <xref target="iana-script"/> that IANA | |||
may use to generate the YANG modules. This document does not | may use to generate those YANG modules. This document does not | |||
publish initial versions of these four modules. IANA publishes | publish the initial versions of these four modules. IANA publishes | |||
these modules.</t> | these modules.</t> | |||
<section> | <section> | |||
<name>Regarding the IETF Modules</name> | <name>Regarding the Three IETF Modules</name> | |||
<t>The three IETF modules define features and groupings to model "generi c" SSH | <t>The three IETF modules define features and groupings to model "generi c" SSH | |||
clients and SSH servers, where "generic" should be interpreted as "leas t | clients and SSH servers, where "generic" should be interpreted as "leas t | |||
common denominator" rather than "complete." Basic SSH protocol | common denominator" rather than "complete." Support for the basic SSH | |||
(<xref target="RFC4252"/>, <xref target="RFC4253"/>, and <xref target=" | protocol | |||
RFC4254"/>) | <xref target="RFC4252"/> <xref target="RFC4253"/> <xref target="RFC4254 | |||
support is afforded by these modules, leaving configuration of advance | "/> | |||
features | is afforded by these modules, leaving configuration of advanced feature | |||
s | ||||
(e.g., multiple channels) to augmentations made by consuming modules.</ t> | (e.g., multiple channels) to augmentations made by consuming modules.</ t> | |||
<t>It is intended that the YANG groupings will be used by applications | <t>It is intended that the YANG groupings will be used by applications | |||
needing to configure SSH client and server protocol stacks. For | needing to configure SSH client and server protocol stacks. | |||
instance, these groupings are used to help define the data model | For | |||
for NETCONF over SSH <xref target="RFC6242"/> based clients and | instance, these groupings are used to help define the data models | |||
servers in <xref target="I-D.ietf-netconf-netconf-client-server"/>.</t> | in <xref target="I-D.ietf-netconf-netconf-client-server"/>, for | |||
<t>The ietf-ssh-client and ietf-ssh-server YANG modules each define one | clients and servers using the Network Configuration Protocol (NETCONF) o | |||
ver SSH <xref target="RFC6242"/>.</t> | ||||
<t>The "ietf-ssh-client" and "ietf-ssh-server" YANG modules each define | ||||
one | ||||
grouping, which is focused on just SSH-specific configuration, and | grouping, which is focused on just SSH-specific configuration, and | |||
specifically avoids any transport-level configuration, such as what | specifically avoid any transport-level configuration, such as what | |||
ports to listen on or connect to. This affords applications the | ports to listen on or connect to. This affords applications the | |||
opportunity to define their own strategy for how the underlying TCP | opportunity to define their own strategy for how the underlying TCP | |||
connection is established. For instance, applications supporting NETCONF | connection is established. For instance, applications supporting NETCONF | |||
Call Home <xref target="RFC8071"/> could use the "ssh-server-grouping" | Call Home <xref target="RFC8071"/> could use the "ssh-server-grouping" | |||
grouping for the SSH parts it provides, while adding data nodes for the | grouping for the SSH parts it provides while adding data nodes for the | |||
TCP-level call-home configuration.</t> | TCP-level call-home configuration.</t> | |||
<t>The modules defined in this document optionally support <xref target= | <t>The modules defined in this document optionally support <xref target= | |||
"RFC6187"/> enabling X.509v3 certificate based host keys and | "RFC6187"/>, which describes enabling host keys and | |||
public keys.</t> | public keys based on X.509v3 certificates.</t> | |||
</section> | </section> | |||
<section anchor="collective-effort"> | <section anchor="collective-effort"> | |||
<name>Relation to other RFCs</name> | <name>Relation to Other RFCs</name> | |||
<t>This document presents one or more YANG modules <xref target="RFC7950 | <t>This document presents three YANG modules <xref target="RFC7950"/> | |||
"/> | ||||
that are part of a collection of RFCs that work together | that are part of a collection of RFCs that work together | |||
to, ultimately, support the configuration of both the clients | to ultimately support the configuration of both the clients | |||
and servers of both the NETCONF <xref target="RFC6241"/> and | and servers of both the NETCONF <xref target="RFC6241"/> and | |||
RESTCONF <xref target="RFC8040"/> protocols.</t> | RESTCONF <xref target="RFC8040"/> protocols.</t> | |||
<t> The dependency relationship between the primary YANG groupings | <t> The dependency relationship between the primary YANG groupings | |||
defined in the various RFCs is presented in the below diagram. | defined in the various RFCs is presented in the below diagram. | |||
In some cases, a draft may define secondary groupings that | In some cases, a document may define secondary groupings that | |||
introduce dependencies not illustrated in the diagram. | introduce dependencies not illustrated in the diagram. | |||
The labels in the diagram are a shorthand name for the defining | The labels in the diagram are shorthand names for the defining | |||
RFC. The citation reference for shorthand name is provided below | RFCs. The citation references for shorthand names are provided belo | |||
w | ||||
the diagram.</t> | the diagram.</t> | |||
<t>Please note that the arrows in the diagram point from referencer | <t>Please note that the arrows in the diagram point from referencer | |||
to referenced. For example, the "crypto-types" RFC does not | to referenced. For example, the "crypto-types" RFC does not | |||
have any dependencies, whilst the "keystore" RFC depends on the | have any dependencies, whilst the "keystore" RFC depends on the | |||
"crypto-types" RFC.</t> | "crypto-types" RFC.</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
crypto-types | crypto-types | |||
^ ^ | ^ ^ | |||
/ \ | / \ | |||
/ \ | / \ | |||
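Review bot: in the "Regarding the Three IETF Modules" paragraph of the right column, "...each define one grouping, which is focused on just SSH-specific configuration, and specifically avoid any transport-level configuration" changes the original's "avoids" to "avoid", leaving the verb agreeing with neither reading cleanly: as written, the "and" attaches to the relative clause whose subject is the singular "grouping", which calls for "avoids"; if the intended subject is the plural "modules", the clause should be pulled out of the "which ..." relative clause (e.g., "...define one grouping. Each grouping is focused on just SSH-specific configuration and specifically avoids any transport-level configuration...") so the referent is unambiguous.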
skipping to change at line 200 ¶ | skipping to change at line 128 ¶ | |||
| | | +-----+ +---------+ | | | | | +-----+ +---------+ | | |||
| | | | | | | | | | | | | | |||
| +-----------|--------|--------------+ | | | | +-----------|--------|--------------+ | | | |||
| | | | | | | | | | | | | | |||
+-----------+ | | | | | | +-----------+ | | | | | | |||
| | | | | | | | | | | | | | |||
| | | | | | | | | | | | | | |||
netconf-client-server restconf-client-server | netconf-client-server restconf-client-server | |||
]]></artwork> | ]]></artwork> | |||
<!-- RFC Editor: is there anyway to flush-left the table in PDF/HTML vie ws? --> | ||||
<table> | <table> | |||
<name>Label in Diagram to RFC Mapping</name> | <name>Label in Diagram to RFC Mapping</name> | |||
<tbody> | <tbody> | |||
<tr> | <tr> | |||
<th>Label in Diagram</th> | <th>Label in Diagram</th> | |||
<th>Originating RFC</th> | <th>Reference</th> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>crypto-types</td> | <td>crypto-types</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-crypto-types"/></td> | <xref target="RFC9640"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>truststore</td> | <td>truststore</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-trust-anchors"/></td> | <xref target="RFC9641"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>keystore</td> | <td>keystore</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-keystore"/></td> | <xref target="RFC9642"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>tcp-client-server</td> | <td>tcp-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-tcp-client-server"/></td> | <xref target="RFC9643"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>ssh-client-server</td> | <td>ssh-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-ssh-client-server"/></td> | RFC9644</td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>tls-client-server</td> | <td>tls-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-tls-client-server"/></td> | <xref target="RFC9645"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>http-client-server</td> | <td>http-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-http-client-server"/></td> | <xref target="I-D.ietf-netconf-http-client-server"/></td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td>netconf-client-server</td> | <td>netconf-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-netconf-client-server"/></td> | <xref target="I-D.ietf-netconf-netconf-client-server"/></td> | |||
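Review bot: the "ssh-client-server" row of the "Label in Diagram to RFC Mapping" table in the right column carries the bare text "RFC9644" where every other row uses an <xref/> that renders as a bracketed citation; the result renders as "RFC9644" beside "[RFC9640]", "[RFC9641]", etc., and also lacks the space of the "RFC 9644" house style. The front-matter editorial note on this page asks for the self-reference to become "This RFC" (or similar), so "This RFC" or at least "RFC 9644" would be consistent with both the note and the table's other cells.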
skipping to change at line 258 ¶ | skipping to change at line 185 ¶ | |||
<tr> | <tr> | |||
<td>restconf-client-server</td> | <td>restconf-client-server</td> | |||
<td> | <td> | |||
<xref target="I-D.ietf-netconf-restconf-client-server"/></td> | <xref target="I-D.ietf-netconf-restconf-client-server"/></td> | |||
</tr> | </tr> | |||
</tbody> | </tbody> | |||
</table> | </table> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Specification Language</name> | <name>Specification Language</name> | |||
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL | <t> | |||
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
"MAY", and "OPTIONAL" in this document are to be interpreted as | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/ | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
> | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
when, and only when, they appear in all capitals, as shown here.</t> | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | |||
be interpreted as | ||||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
when, and only when, they appear in all capitals, as shown here. | ||||
</t> | ||||
</section> | </section> | |||
<section> | <section> | |||
<name>Adherence to the NMDA</name> | <name>Adherence to the NMDA</name> | |||
<t>This document is compliant with the Network Management Datastore | <t>This document is compliant with the Network Management Datastore | |||
Architecture (NMDA) <xref target="RFC8342"/>. For instance, as | Architecture (NMDA) <xref target="RFC8342"/>. For instance, as | |||
described in <xref target="I-D.ietf-netconf-trust-anchors"/> and | described in <xref target="RFC9641"/> and | |||
<xref target="I-D.ietf-netconf-keystore"/>, trust anchors and keys | <xref target="RFC9642"/>, trust anchors and keys | |||
installed during manufacturing are expected to appear | installed during manufacturing are expected to appear | |||
in <operational> (<xref section="5.3" target="RFC8342"/>), and & | in <operational> (<xref section="5.3" target="RFC8342"/>) and &l | |||
lt;system> | t;system> | |||
<xref target="I-D.ietf-netmod-system-config"/>, if implemented.</t> | <xref target="I-D.ietf-netmod-system-config"/> if implemented.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Conventions</name> | <name>Conventions</name> | |||
<t>Various examples in this document use "BASE64VALUE=" as a | <t>Various examples in this document use "BASE64VALUE=" as a | |||
placeholder value for binary data that has been base64 | placeholder value for binary data that has been base64 | |||
encoded (per <xref section="9.8" target="RFC7950"/>). This | encoded (per <xref section="9.8" target="RFC7950"/>). This | |||
placeholder value is used because real base64 encoded structures | placeholder value is used because real base64-encoded structures | |||
are often many lines long and hence distracting to the example | are often many lines long and hence distracting to the example | |||
being presented.</t> | being presented.</t> | |||
<t> Various examples in this document use the XML | ||||
<xref target="W3C.REC-xml-20081126"/> encoding. Other encodings, such as JSON | ||||
<xref target="RFC8259"/>, | ||||
could alternatively be used.</t> | ||||
<t>Various examples in this document contain long lines that may be folded, | ||||
as described in <xref target="RFC8792"/>.</t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="ssh-common-model"> | <section anchor="ssh-common-model"> | |||
<name>The "ietf-ssh-common" Module</name> | <name>The "ietf-ssh-common" Module</name> | |||
<t>The SSH common model presented in this section contains features | <t>The SSH common model presented in this section is common to both SSH cl | |||
and groupings common to both SSH clients and SSH servers. The | ients and SSH servers. The | |||
"transport-params-grouping" grouping can be used to configure | "transport-params-grouping" grouping can be used to configure | |||
the list of SSH transport algorithms permitted by the SSH client | the list of SSH transport algorithms permitted by the SSH client | |||
or SSH server. The lists of permitted algorithms are in decreasing | or SSH server. The lists of permitted algorithms are in decreasing | |||
order of usage preference. The algorithm that appears first in | order of usage preference. The algorithm that appears first in | |||
the client list that also appears in the server list is the one | the client list that also appears in the server list is the one | |||
that is used for the SSH transport layer connection. The ability | that is used for the SSH transport layer connection. The ability | |||
to restrict the algorithms allowed is provided in this grouping | to restrict the algorithms allowed is provided in this grouping | |||
for SSH clients and SSH servers that are capable of doing so | for SSH clients and SSH servers that are capable of doing so | |||
and may serve to make SSH clients and SSH servers compliant | and may serve to make SSH clients and SSH servers compliant | |||
with security policies.</t> | with security policies.</t> | |||
<section> | <section> | |||
<name>Data Model Overview</name> | <name>Data Model Overview</name> | |||
<t>This section provides an overview of the "ietf-ssh-common" module | <t>This section provides an overview of the "ietf-ssh-common" module in | |||
in terms of its features, identities, and groupings.</t> | terms of its features, identities, groupings, and protocol-accessible nodes.</t> | |||
<section anchor="common-features" toc="exclude"> | <section anchor="common-features" toc="exclude"> | |||
<name>Features</name> | <name>Features</name> | |||
<t>The following diagram lists all the "feature" statements | <t>The following diagram lists all the "feature" statements | |||
defined in the "ietf-ssh-common" module:</t> | defined in the "ietf-ssh-common" module:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
Features: | Features: | |||
+-- ssh-x509-certs | +-- ssh-x509-certs | |||
+-- transport-params | +-- transport-params | |||
+-- asymmetric-key-pair-generation | +-- asymmetric-key-pair-generation | |||
+-- algorithm-discovery | +-- algorithm-discovery | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
<t>Please refer to the YANG module for a description of each feature.< /t> | <t>Please refer to the YANG module for a description of each feature.< /t> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Groupings</name> | <name>Groupings</name> | |||
<t>The "ietf-ssh-common" module defines the following "grouping" state ment:</t> | <t>The "ietf-ssh-common" module defines the following "grouping" state ment:</t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>transport-params-grouping</li> | <li>transport-params-grouping</li> | |||
</ul> | </ul> | |||
<t>This grouping is presented in the following subsection.</t> | <t>This grouping is presented in the following subsection.</t> | |||
<section anchor="transport-params-grouping"> | <section anchor="transport-params-grouping"> | |||
<name>The "transport-params-grouping" Grouping</name> | <name>The "transport-params-grouping" Grouping</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he | <t>The following tree diagram <xref target="RFC8340"/> illustrates t he | |||
"transport-params-grouping" grouping:</t> | "transport-params-grouping" grouping:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
grouping transport-params-grouping: | grouping transport-params-grouping: | |||
+-- host-key | +-- host-key | |||
| +-- host-key-alg* ssh-public-key-algorithm | | +-- host-key-alg* ssh-public-key-algorithm | |||
+-- key-exchange | +-- key-exchange | |||
| +-- key-exchange-alg* ssh-key-exchange-algorithm | | +-- key-exchange-alg* ssh-key-exchange-algorithm | |||
+-- encryption | +-- encryption | |||
| +-- encryption-alg* ssh-encryption-algorithm | | +-- encryption-alg* ssh-encryption-algorithm | |||
+-- mac | +-- mac | |||
+-- mac-alg* ssh-mac-algorithm | +-- mac-alg* ssh-mac-algorithm | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>This grouping is used by both the "ssh-client-grouping" and th e | <li>This grouping is used by both the "ssh-client-grouping" and th e | |||
"ssh-server-grouping" groupings defined in <xref target="ssh-cli | "ssh-server-grouping" groupings defined in Sections <xref target | |||
ent-grouping"/> | ="ssh-client-grouping" format="counter"/> | |||
and <xref target="ssh-server-grouping"/>, respectively.</li> | and <xref target="ssh-server-grouping" format="counter"/>, respe | |||
ctively.</li> | ||||
<li>This grouping enables client and server configurations to | <li>This grouping enables client and server configurations to | |||
specify the algorithms that are to be used when establishing | specify the algorithms that are to be used when establishing | |||
SSH sessions.</li> | SSH sessions.</li> | |||
<li>Each list is "ordered-by user".</li> | <li>Each list is "ordered-by user".</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Protocol-accessible Nodes</name> | <name>Protocol-Accessible Nodes</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> lists all the | <t>The following tree diagram <xref target="RFC8340"/> lists all the | |||
protocol-accessible nodes defined in the "ietf-ssh-common" module, | protocol-accessible nodes defined in the "ietf-ssh-common" module | |||
without expanding the "grouping" statements:</t> | without expanding the "grouping" statements:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
module: ietf-ssh-common | module: ietf-ssh-common | |||
+--ro supported-algorithms {algorithm-discovery}? | +--ro supported-algorithms {algorithm-discovery}? | |||
+--ro public-key-algorithms | +--ro public-key-algorithms | |||
| +--ro supported-algorithm* ssh-public-key-algorithm | | +--ro supported-algorithm* ssh-public-key-algorithm | |||
+--ro encryption-algorithms | +--ro encryption-algorithms | |||
| +--ro supported-algorithm* ssh-encryption-algorithm | | +--ro supported-algorithm* ssh-encryption-algorithm | |||
+--ro key-exchange-algorithms | +--ro key-exchange-algorithms | |||
| +--ro supported-algorithm* ssh-key-exchange-algorithm | | +--ro supported-algorithm* ssh-key-exchange-algorithm | |||
+--ro mac-algorithms | +--ro mac-algorithms | |||
+--ro supported-algorithm* ssh-mac-algorithm | +--ro supported-algorithm* ssh-mac-algorithm | |||
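Review bot: the two "Conventions" paragraphs in the left column stating that examples use the XML encoding <xref target="W3C.REC-xml-20081126"/> (with JSON <xref target="RFC8259"/> as an alternative) and that long lines may be folded per <xref target="RFC8792"/> have no counterpart in the right column, i.e., they were dropped from the section rather than reworded. The "Example Usage" artwork later on this page still opens with the "NOTE: '\' line wrapping per RFC 8792" banner, so unless these paragraphs were relocated to a section not shown here, the [RFC8792] citation (and the [W3C.REC-xml-20081126] and [RFC8259] citations) would become unreferenced in the prose while the folding notation is still used; please confirm they survive elsewhere or restore the two paragraphs.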
skipping to change at line 390 ¶ | skipping to change at line 322 ¶ | |||
| | +---w ks:encrypted-by-grouping | | | +---w ks:encrypted-by-grouping | |||
| +--:(hidden) {ct:hidden-private-keys}? | | +--:(hidden) {ct:hidden-private-keys}? | |||
| +---w hidden? empty | | +---w hidden? empty | |||
+--ro output | +--ro output | |||
+--ro (key-or-hidden)? | +--ro (key-or-hidden)? | |||
+--:(key) | +--:(key) | |||
| +---u ct:asymmetric-key-pair-grouping | | +---u ct:asymmetric-key-pair-grouping | |||
+--:(hidden) | +--:(hidden) | |||
+--ro location? | +--ro location? | |||
instance-identifier | instance-identifier | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>Protocol-accessible nodes are those nodes that are accessible | <li>Protocol-accessible nodes are those nodes that are accessible | |||
when the module is "implemented", as described in <xref section= "5.6.5" target="RFC7950"/>.</li> | when the module is "implemented", as described in <xref section= "5.6.5" target="RFC7950"/>.</li> | |||
<li>The protocol-accessible nodes for the "ietf-ssh-common" module | <li>The protocol-accessible nodes for the "ietf-ssh-common" module | |||
are limited to "supported-algorithms" container, which is constr | are limited to the "supported-algorithms" container, which is co | |||
ained | nstrained | |||
by the "algorithm-discovery" feature, and the RPC "generate-asym | by the "algorithm-discovery" feature, and the "generate-asymmetr | |||
metric-key-pair", | ic-key-pair" RPC, | |||
which is constrained by the "asymmetric-key-pair-generation" fea ture.</li> | which is constrained by the "asymmetric-key-pair-generation" fea ture.</li> | |||
<li>The "encrypted-by-grouping" grouping is discussed in | <li>The "encrypted-by-grouping" grouping is discussed in | |||
<xref section="2.1.3.1" target="I-D.ietf-netconf-keystore"/>.</l i> | <xref section="2.1.3.1" target="RFC9642"/>.</li> | |||
<li>The "asymmetric-key-pair-grouping" grouping is discussed in | <li>The "asymmetric-key-pair-grouping" grouping is discussed in | |||
<xref section="2.1.4.6" target="I-D.ietf-netconf-crypto-types"/>.< /li> | <xref section="2.1.4.6" target="RFC9640"/>.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Example Usage</name> | <name>Example Usage</name> | |||
<t>The following example illustrates the "transport-params-grouping' | <t>The following example illustrates the "transport-params-grouping' | |||
grouping when populated with some data.</t> | grouping when populated with some data.</t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<transport-params | <transport-params | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | |||
<host-key> | <host-key> | |||
<host-key-alg>x509v3-rsa2048-sha256</host-key-alg> | <host-key-alg>x509v3-rsa2048-sha256</host-key-alg> | |||
<host-key-alg>ssh-rsa</host-key-alg> | <host-key-alg>ssh-rsa</host-key-alg> | |||
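Review bot: the lead-in to the first example still has mismatched quotes in both columns: `"transport-params-grouping'` opens with a double quote and closes with an apostrophe; suggest `"transport-params-grouping"`. The two xrefs that were retargeted from draft names to RFC numbers (`section="2.1.3.1"` now pointing at RFC 9642, `section="2.1.4.6"` now pointing at RFC 9640) kept their section values unchanged; worth confirming those section numbers against the published RFCs, since draft section numbering often shifts at publication.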
skipping to change at line 438 ¶ | skipping to change at line 370 ¶ | |||
<encryption-alg>aes256-ctr</encryption-alg> | <encryption-alg>aes256-ctr</encryption-alg> | |||
<encryption-alg>aes192-ctr</encryption-alg> | <encryption-alg>aes192-ctr</encryption-alg> | |||
<encryption-alg>aes128-ctr</encryption-alg> | <encryption-alg>aes128-ctr</encryption-alg> | |||
<encryption-alg>aes256-gcm@openssh.com</encryption-alg> | <encryption-alg>aes256-gcm@openssh.com</encryption-alg> | |||
</encryption> | </encryption> | |||
<mac> | <mac> | |||
<mac-alg>hmac-sha2-256</mac-alg> | <mac-alg>hmac-sha2-256</mac-alg> | |||
<mac-alg>hmac-sha2-512</mac-alg> | <mac-alg>hmac-sha2-512</mac-alg> | |||
</mac> | </mac> | |||
</transport-params> | </transport-params> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following example illustrates operational state data indicating | <t>The following example illustrates operational state data indicating | |||
the SSH algorithms supported by the server.</t> | the SSH algorithms supported by the server.</t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<supported-algorithms | <supported-algorithms | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | |||
<encryption-algorithms> | <encryption-algorithms> | |||
<supported-algorithm>aes256-ctr</supported-algorithm> | <supported-algorithm>aes256-ctr</supported-algorithm> | |||
<supported-algorithm>arcfour256</supported-algorithm> | <supported-algorithm>arcfour256</supported-algorithm> | |||
<supported-algorithm>serpent256-ctr</supported-algorithm> | <supported-algorithm>serpent256-ctr</supported-algorithm> | |||
<supported-algorithm>AEAD_AES_128_GCM</supported-algorithm> | <supported-algorithm>AEAD_AES_128_GCM</supported-algorithm> | |||
<supported-algorithm>AEAD_AES_256_GCM</supported-algorithm> | <supported-algorithm>AEAD_AES_256_GCM</supported-algorithm> | |||
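Review bot: the operational-state example lists `arcfour256` under `<encryption-algorithms>`; RC4 was deprecated for SSH by RFC 8758, and because this snippet reads as what a conforming server advertises, a reader may take it as a recommended set. Suggest replacing it with an algorithm from the current registry, or adding an XML comment (as the first example already does for its outermost element) stating that the list is illustrative only.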
skipping to change at line 482 ¶ | skipping to change at line 414 ¶ | |||
<supported-algorithm>spki-sign-rsa</supported-algorithm> | <supported-algorithm>spki-sign-rsa</supported-algorithm> | |||
<supported-algorithm>pgp-sign-dss</supported-algorithm> | <supported-algorithm>pgp-sign-dss</supported-algorithm> | |||
<supported-algorithm>x509v3-rsa2048-sha256</supported-algorithm> | <supported-algorithm>x509v3-rsa2048-sha256</supported-algorithm> | |||
<supported-algorithm>ecdsa-sha2-nistp256</supported-algorithm> | <supported-algorithm>ecdsa-sha2-nistp256</supported-algorithm> | |||
<supported-algorithm>ecdsa-sha2-1.3.132.0.37</supported-algorith\ | <supported-algorithm>ecdsa-sha2-1.3.132.0.37</supported-algorith\ | |||
m> | m> | |||
<supported-algorithm>ssh-ed25519</supported-algorithm> | <supported-algorithm>ssh-ed25519</supported-algorithm> | |||
<supported-algorithm>ssh-rsa@openssh.com</supported-algorithm> | <supported-algorithm>ssh-rsa@openssh.com</supported-algorithm> | |||
</public-key-algorithms> | </public-key-algorithms> | |||
</supported-algorithms> | </supported-algorithms> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following example illustrates the "generate-asymmetric-key-pair" RPC.</t> | <t>The following example illustrates the "generate-asymmetric-key-pair" RPC.</t> | |||
<t keepWithNext="true">REQUEST</t> | <t keepWithNext="true">REQUEST</t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<rpc message-id="101" | <rpc message-id="101" | |||
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||
<generate-asymmetric-key-pair | <generate-asymmetric-key-pair | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | |||
<algorithm>ecdsa-sha2-nistp256</algorithm> | <algorithm>ecdsa-sha2-nistp256</algorithm> | |||
<num-bits>521</num-bits> | <num-bits>521</num-bits> | |||
<private-key-encoding> | <private-key-encoding> | |||
<encrypted> | <encrypted> | |||
<asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-re\ | <asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-re\ | |||
f> | f> | |||
</encrypted> | </encrypted> | |||
</private-key-encoding> | </private-key-encoding> | |||
</generate-asymmetric-key-pair> | </generate-asymmetric-key-pair> | |||
</rpc> | </rpc> | |||
]]></artwork> | ]]></sourcecode> | |||
<t keepWithNext="true">RESPONSE</t> | <t keepWithNext="true">RESPONSE</t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<rpc-reply message-id="101" | <rpc-reply message-id="101" | |||
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
xmlns:sshcmn="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | xmlns:sshcmn="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | |||
<sshcmn:public-key-format>ct:subject-public-key-info-format</sshcm\ | <sshcmn:public-key-format>ct:subject-public-key-info-format</sshcm\ | |||
n:public-key-format> | n:public-key-format> | |||
<sshcmn:public-key>BASE64VALUE=</sshcmn:public-key> | <sshcmn:public-key>BASE64VALUE=</sshcmn:public-key> | |||
<sshcmn:private-key-format>ct:ec-private-key-format</sshcmn:privat\ | <sshcmn:private-key-format>ct:ec-private-key-format</sshcmn:privat\ | |||
e-key-format> | e-key-format> | |||
<sshcmn:cleartext-private-key>BASE64VALUE=</sshcmn:cleartext-priva\ | <sshcmn:cleartext-private-key>BASE64VALUE=</sshcmn:cleartext-priva\ | |||
te-key> | te-key> | |||
</rpc-reply> | </rpc-reply> | |||
]]></artwork> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="ssh-common-yang-module"> | <section anchor="ssh-common-yang-module"> | |||
<name>YANG Module</name> | <name>YANG Module</name> | |||
<t>This YANG module has normative references to <xref target="RFC4253"/> | <t>This YANG module has normative references to <xref target="RFC4250"/> | |||
, | , <xref target="RFC4253"/>, | |||
<xref target="RFC4344"/>, <xref target="RFC4419"/>, <xref target="RFC565 | <xref target="RFC6187"/>, and <xref target="FIPS_186-5"/>.</t> | |||
6"/>, | <sourcecode type="yang" name="ietf-ssh-common@2024-03-16.yang" markers=" | |||
<xref target="RFC6187"/>, <xref target="RFC6668"/>, and <xref target="FI | true"><![CDATA[ | |||
PS_186-6"/>.</t> | ||||
<t keepWithNext="true"><CODE BEGINS> file "ietf-ssh-common@2024-03 | ||||
-16.yang"</t> | ||||
<artwork><![CDATA[ | ||||
module ietf-ssh-common { | module ietf-ssh-common { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common"; | |||
prefix sshcmn; | prefix sshcmn; | |||
import ietf-crypto-types { | ||||
prefix ct; | ||||
reference | ||||
"RFC 9640: YANG Data Types and Groupings for Cryptography"; | ||||
} | ||||
import ietf-keystore { | ||||
prefix ks; | ||||
reference | ||||
"RFC 9642: A YANG Data Model for a Keystore"; | ||||
} | ||||
import iana-ssh-encryption-algs { | import iana-ssh-encryption-algs { | |||
prefix sshea; | prefix sshea; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
import iana-ssh-key-exchange-algs { | import iana-ssh-key-exchange-algs { | |||
prefix sshkea; | prefix sshkea; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
import iana-ssh-mac-algs { | import iana-ssh-mac-algs { | |||
prefix sshma; | prefix sshma; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
import iana-ssh-public-key-algs { | import iana-ssh-public-key-algs { | |||
prefix sshpka; | prefix sshpka; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | ||||
import ietf-crypto-types { | ||||
prefix ct; | ||||
reference | ||||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | ||||
} | ||||
import ietf-keystore { | ||||
prefix ks; | ||||
reference | ||||
"RFC CCCC: A YANG Data Model for a Keystore"; | ||||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||
Author: Gary Wu <mailto:garywu@cisco.com>"; | Author: Gary Wu <mailto:garywu@cisco.com>"; | |||
description | description | |||
"This module defines a common features and groupings for | "This module defines common features and groupings for | |||
Secure Shell (SSH). | Secure Shell (SSH). | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC EEEE | This version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Features | // Features | |||
feature ssh-x509-certs { | feature ssh-x509-certs { | |||
description | description | |||
"X.509v3 certificates are supported for SSH."; | "X.509v3 certificates are supported for SSH."; | |||
reference | reference | |||
"RFC 6187: X.509v3 Certificates for Secure Shell | "RFC 6187: X.509v3 Certificates for Secure Shell | |||
Authentication"; | Authentication"; | |||
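Review bot: the REQUEST and RESPONSE for `generate-asymmetric-key-pair` do not agree with each other or with the module text. The request selects `<private-key-encoding><encrypted>` with `<asymmetric-key-ref>hidden-asymmetric-key</asymmetric-key-ref>`, yet the reply returns `<sshcmn:cleartext-private-key>`, which is what the `cleartext` case yields; either the reply should carry the encrypted form or the request should select `cleartext`. The request also pairs `<algorithm>ecdsa-sha2-nistp256</algorithm>` with `<num-bits>521</num-bits>`, while the `num-bits` description in this same module says the value selects among the 256, 384, or 521 curve sizes and that mismatched lengths fail; for `ecdsa-sha2-nistp256` the value should be 256 (or the algorithm should be `ecdsa-sha2-nistp521`). Minor: the import blocks were reordered so `ietf-crypto-types` and `ietf-keystore` come first, which is fine, but confirm every `RFC EEEE`/`AAAA`/`CCCC` placeholder in the reference strings was resolved, as the URL in the `description` block was.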
skipping to change at line 645 ¶ | skipping to change at line 575 ¶ | |||
} | } | |||
// Typedefs | // Typedefs | |||
typedef ssh-public-key-algorithm { | typedef ssh-public-key-algorithm { | |||
type union { | type union { | |||
type sshpka:ssh-public-key-algorithm; | type sshpka:ssh-public-key-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the public key algorithm to be | "A type that enables the public key algorithm to be | |||
either an IANA-maintained public key algorithm in | either an IANA-maintained public key algorithm in | |||
the 'iana-ssh-public-key-algs' YANG module (RFC EEEE), | the 'iana-ssh-public-key-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-key-exchange-algorithm { | typedef ssh-key-exchange-algorithm { | |||
type union { | type union { | |||
type sshkea:ssh-key-exchange-algorithm; | type sshkea:ssh-key-exchange-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC 4250."; | |||
4250."; | ||||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC 4250."; | |||
4250."; | ||||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the key exchange algorithm to be | "A type that enables the key exchange algorithm to be | |||
either an IANA-maintained key exchange algorithm in | either an IANA-maintained key exchange algorithm in | |||
the 'iana-ssh-key-exchange-algs' YANG module (RFC EEEE), | the 'iana-ssh-key-exchange-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-encryption-algorithm { | typedef ssh-encryption-algorithm { | |||
type union { | type union { | |||
type sshea:ssh-encryption-algorithm; | type sshea:ssh-encryption-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the encryption algorithm to be | "A type that enables the encryption algorithm to be | |||
either an IANA-maintained encryption algorithm in | either an IANA-maintained encryption algorithm in | |||
the 'iana-ssh-encryption-algs' YANG module (RFC EEEE), | the 'iana-ssh-encryption-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-mac-algorithm { | typedef ssh-mac-algorithm { | |||
type union { | type union { | |||
type sshma:ssh-mac-algorithm; | type sshma:ssh-mac-algorithm; | |||
type string { | type string { | |||
length "1..64" { | length "1..64" { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
pattern ".*@.*" { | pattern '.*@.*' { | |||
description | description | |||
"Non IANA-maintained algorithms must include the | "Non-IANA-maintained algorithms must include the | |||
'at-sign' (@) in them, per Section 4.6.1 of RFC | at sign (@) in them, per Section 4.6.1 of RFC | |||
4250."; | 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers"; | "RFC 4250: The Secure Shell (SSH) Protocol Assigned | |||
Numbers"; | ||||
} | } | |||
} | } | |||
} | } | |||
description | description | |||
"A type that enables the MAC algorithm to be | "A type that enables the message authentication code (MAC) | |||
either an IANA-maintained MAC algorithm in | algorithm to be either an IANA-maintained MAC algorithm | |||
the 'iana-ssh-mac-algs' YANG module (RFC EEEE), | in the 'iana-ssh-mac-algs' YANG module (RFC 9644) | |||
or a locally-defined algorithm, per Section 4.6.1 | or a locally defined algorithm, per Section 4.6.1 | |||
of RFC 4250."; | of RFC 4250."; | |||
reference | reference | |||
"RFC 4250: SSH Protocol Assigned Numbers | "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers | |||
RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping transport-params-grouping { | grouping transport-params-grouping { | |||
description | description | |||
"A reusable grouping for SSH transport parameters."; | "A reusable grouping for SSH transport parameters."; | |||
reference | reference | |||
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||
container host-key { | container host-key { | |||
description | description | |||
"Parameters regarding host key."; | "Parameters regarding host key."; | |||
leaf-list host-key-alg { | leaf-list host-key-alg { | |||
type ssh-public-key-algorithm; | type ssh-public-key-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable host key algorithms in order of decreasing | "Acceptable host key algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable host key algorithms are implementation- | elements), the acceptable host key algorithms are | |||
defined."; | implementation-defined."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
} | } | |||
container key-exchange { | container key-exchange { | |||
description | description | |||
"Parameters regarding key exchange."; | "Parameters regarding key exchange."; | |||
leaf-list key-exchange-alg { | leaf-list key-exchange-alg { | |||
type ssh-key-exchange-algorithm; | type ssh-key-exchange-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable key exchange algorithms in order of decreasing | "Acceptable key exchange algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable key exchange algorithms are implementation | elements), the acceptable key exchange algorithms are | |||
defined."; | implementation-defined."; | |||
} | } | |||
} | } | |||
container encryption { | container encryption { | |||
description | description | |||
"Parameters regarding encryption."; | "Parameters regarding encryption."; | |||
leaf-list encryption-alg { | leaf-list encryption-alg { | |||
type ssh-encryption-algorithm; | type ssh-encryption-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable encryption algorithms in order of decreasing | "Acceptable encryption algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable encryption algorithms are implementation | elements), the acceptable encryption algorithms are | |||
defined."; | implementation-defined."; | |||
} | } | |||
} | } | |||
container mac { | container mac { | |||
description | description | |||
"Parameters regarding message authentication code (MAC)."; | "Parameters regarding message authentication code (MAC)."; | |||
leaf-list mac-alg { | leaf-list mac-alg { | |||
type ssh-mac-algorithm; | type ssh-mac-algorithm; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Acceptable MAC algorithms in order of decreasing | "Acceptable MAC algorithms in order of decreasing | |||
preference. | preference. | |||
If this leaf-list is not configured (has zero elements) | If this leaf-list is not configured (has zero | |||
the acceptable MAC algorithms are implementation- | elements), the acceptable MAC algorithms are | |||
defined."; | implementation-defined."; | |||
} | } | |||
} | } | |||
} | } | |||
// Protocol-accessible Nodes | // Protocol-accessible Nodes | |||
container supported-algorithms { | container supported-algorithms { | |||
if-feature "algorithm-discovery"; | if-feature "algorithm-discovery"; | |||
config false; | config false; | |||
description | description | |||
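Review bot: in each of the four typedefs (`ssh-public-key-algorithm`, `ssh-key-exchange-algorithm`, `ssh-encryption-algorithm`, `ssh-mac-algorithm`) the `description` under `length "1..64"` is a copy of the one under `pattern '.*@.*'` and explains the at-sign rule rather than the length bound; suggest a length-specific description that says where the 64-character limit on algorithm names comes from (RFC 4251, Section 6). Switching the pattern quoting from `".*@.*"` to `'.*@.*'` is the right call, since YANG takes single-quoted strings literally. One thing the diff leaves as is: `.*@.*` accepts any string containing an '@' anywhere, so it checks only for the presence of the local-extension marker, not the `name@domain` shape; if that is intended, the description could say so.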
skipping to change at line 910 ¶ | skipping to change at line 846 ¶ | |||
type ssh-public-key-algorithm; | type ssh-public-key-algorithm; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"The algorithm to be used when generating the key."; | "The algorithm to be used when generating the key."; | |||
} | } | |||
leaf num-bits { | leaf num-bits { | |||
type uint16; | type uint16; | |||
description | description | |||
"Specifies the number of bits in the key to create. | "Specifies the number of bits in the key to create. | |||
For RSA keys, the minimum size is 1024 bits and | For RSA keys, the minimum size is 1024 bits and | |||
the default is 3072 bits. Generally, 3072 bits is | the default is 3072 bits. Generally, 3072 bits is | |||
considered sufficient. DSA keys must be exactly 1024 | considered sufficient. DSA keys must be exactly 1024 | |||
bits as specified by FIPS 186-6. For ECDSA keys, the | bits, as specified by FIPS 186-5. For Elliptic Curve | |||
Digital Signature Algorithm (ECDSA) keys, the | ||||
'num-bits' value determines the key length by selecting | 'num-bits' value determines the key length by selecting | |||
from one of three elliptic curve sizes: 256, 384 or | from one of three elliptic curve sizes: 256, 384, or | |||
521 bits. Attempting to use bit lengths other than | 521 bits. Attempting to use bit lengths other than | |||
these three values for ECDSA keys will fail. ECDSA-SK, | these three values for ECDSA keys will fail. ECDSA-SK, | |||
Ed25519 and Ed25519-SK keys have a fixed length and | Ed25519, and Ed25519-SK keys have a fixed length, and | |||
thus the 'num-bits' value is not specified."; | thus, the 'num-bits' value is not specified."; | |||
reference | reference | |||
"FIPS 186-6: Digital Signature Standard (DSS)"; | "FIPS 186-5: Digital Signature Standard (DSS)"; | |||
} | } | |||
container private-key-encoding { | container private-key-encoding { | |||
description | description | |||
"Indicates how the private key is to be encoded."; | "Indicates how the private key is to be encoded."; | |||
choice private-key-encoding { | choice private-key-encoding { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice amongst optional private key handling."; | "A choice amongst optional private key handling."; | |||
case cleartext { | case cleartext { | |||
if-feature "ct:cleartext-private-keys"; | if-feature "ct:cleartext-private-keys"; | |||
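Review bot: the `num-bits` description was updated from FIPS 186-6 to FIPS 186-5 but still says 'DSA keys must be exactly 1024 bits, as specified by FIPS 186-5'; FIPS 186-5 no longer approves DSA for signature generation, so the cited reference does not support that sentence. Suggest dropping the DSA guidance or citing the revision it actually comes from. Also, `type uint16` carries no `range`, so the 1024-bit RSA floor and the 'will fail' outcome for ECDSA sizes other than 256, 384, or 521 exist only in prose; at minimum the description should state that the RPC returns an error for those values.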
skipping to change at line 942 ¶ | skipping to change at line 879 ¶ | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be returned | "Indicates that the private key is to be returned | |||
as a cleartext value."; | as a cleartext value."; | |||
} | } | |||
} | } | |||
case encrypted { | case encrypted { | |||
if-feature "ct:encrypted-private-keys"; | if-feature "ct:encrypted-private-keys"; | |||
container encrypted { | container encrypted { | |||
description | description | |||
"Indicates that the private key is to be encrypted | "Indicates that the private key is to be encrypted | |||
using the specified symmetric or asymmetric key."; | using the specified symmetric or asymmetric key."; | |||
uses ks:encrypted-by-grouping; | uses ks:encrypted-by-grouping; | |||
} | } | |||
} | } | |||
case hidden { | case hidden { | |||
if-feature "ct:hidden-private-keys"; | if-feature "ct:hidden-private-keys"; | |||
leaf hidden { | leaf hidden { | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the private key is to be hidden. | "Indicates that the private key is to be hidden. | |||
Unlike the 'cleartext' and 'encrypt' options, the | Unlike the 'cleartext' and 'encrypt' options, the | |||
key returned is a placeholder for an internally | key returned is a placeholder for an internally | |||
stored key. See the 'Support for Built-in Keys' | stored key. See the 'Support for Built-in Keys' | |||
section in RFC CCCC for information about hidden | section in RFC 9642 for information about hidden | |||
keys. | keys. | |||
It is expected that the server will instantiate | It is expected that the server will instantiate | |||
the hidden key in the same location where built-in | the hidden key in the same location where built-in | |||
keys are located. Rather than return the key, | keys are located. Rather than returning the key, | |||
just the key's location is returned in the output."; | just the key's location is returned in the output."; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
output { | output { | |||
choice key-or-hidden { | choice key-or-hidden { | |||
case key { | case key { | |||
uses ct:asymmetric-key-pair-grouping; | uses ct:asymmetric-key-pair-grouping; | |||
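Review bot: the `hidden` leaf description says "Unlike the 'cleartext' and 'encrypt' options", but the sibling case is `case encrypted` (with `container encrypted`); there is no `encrypt` option, and the placeholder-to-RFC-9642 update left the name mismatch in place. Suggest `'encrypted'` so the description matches the case names a reader sees two screens up.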
skipping to change at line 990 ¶ | skipping to change at line 927 ¶ | |||
} | } | |||
description | description | |||
"The output can be either a key (for cleartext and | "The output can be either a key (for cleartext and | |||
encrypted keys) or the location to where the key | encrypted keys) or the location to where the key | |||
was created (for hidden keys)."; | was created (for hidden keys)."; | |||
} | } | |||
} | } | |||
} // end generate-asymmetric-key-pair | } // end generate-asymmetric-key-pair | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="ssh-client-model"> | <section anchor="ssh-client-model"> | |||
<name>The "ietf-ssh-client" Module</name> | <name>The "ietf-ssh-client" Module</name> | |||
<t>This section defines a YANG 1.1 <xref target="RFC7950"/> module called | <t>This section defines a YANG 1.1 <xref target="RFC7950"/> module called | |||
"ietf-ssh-client". A high-level overview of the module is provided in | "ietf-ssh-client". A high-level overview of the module is provided in | |||
<xref target="client-overview"/>. Examples illustrating the module's use | <xref target="client-overview"/>. Examples illustrating the module's use | |||
are provided in <xref target="client-examples">Examples</xref>. The YANG | are provided in <xref target="client-examples"/> ("Example Usage"). The YANG | |||
module itself is defined in <xref target="client-yang-module"/>.</t> | module itself is defined in <xref target="client-yang-module"/>.</t> | |||
<section anchor="client-overview"> | <section anchor="client-overview"> | |||
<name>Data Model Overview</name> | <name>Data Model Overview</name> | |||
<t>This section provides an overview of the "ietf-ssh-client" module | <t>This section provides an overview of the "ietf-ssh-client" module | |||
in terms of its features and groupings.</t> | in terms of its features and groupings.</t> | |||
<section anchor="client-features" toc="exclude"> | <section anchor="client-features" toc="exclude"> | |||
<name>Features</name> | <name>Features</name> | |||
<t>The following diagram lists all the "feature" statements | <t>The following diagram lists all the "feature" statements | |||
defined in the "ietf-ssh-client" module:</t> | defined in the "ietf-ssh-client" module:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
Features: | Features: | |||
+-- ssh-client-keepalives | +-- ssh-client-keepalives | |||
+-- client-ident-password | +-- client-ident-password | |||
+-- client-ident-publickey | +-- client-ident-publickey | |||
+-- client-ident-hostbased | +-- client-ident-hostbased | |||
+-- client-ident-none | +-- client-ident-none | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
          <t>Please refer to the YANG module for a description of each feature.</t> | <t>Please refer to the YANG module for a description of each feature.</t>
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Groupings</name> | <name>Groupings</name> | |||
          <t>The "ietf-ssh-client" module defines the following "grouping" statement:</t> | <t>The "ietf-ssh-client" module defines the following "grouping" statement:</t>
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>ssh-client-grouping</li> | <li>ssh-client-grouping</li> | |||
</ul> | </ul> | |||
<t>This grouping is presented in the following subsection.</t> | <t>This grouping is presented in the following subsection.</t> | |||
<section anchor="ssh-client-grouping"> | <section anchor="ssh-client-grouping"> | |||
<name>The "ssh-client-grouping" Grouping</name> | <name>The "ssh-client-grouping" Grouping</name> | |||
            <t>The following tree diagram <xref target="RFC8340"/> illustrates the | <t>The following tree diagram <xref target="RFC8340"/> illustrates the
"ssh-client-grouping" grouping:</t> | "ssh-client-grouping" grouping:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
grouping ssh-client-grouping: | grouping ssh-client-grouping: | |||
+-- client-identity | +-- client-identity | |||
| +-- username? string | | +-- username? string | |||
| +-- public-key! {client-ident-publickey}? | | +-- public-key! {client-ident-publickey}? | |||
| | +---u ks:inline-or-keystore-asymmetric-key-grouping | | | +---u ks:inline-or-keystore-asymmetric-key-grouping | |||
| +-- password! {client-ident-password}? | | +-- password! {client-ident-password}? | |||
| | +---u ct:password-grouping | | | +---u ct:password-grouping | |||
| +-- hostbased! {client-ident-hostbased}? | | +-- hostbased! {client-ident-hostbased}? | |||
skipping to change at line 1060 | skipping to change at line 996
| | +---u ts:inline-or-truststore-public-keys-grouping | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| +-- ca-certs! {sshcmn:ssh-x509-certs}? | | +-- ca-certs! {sshcmn:ssh-x509-certs}? | |||
| | +---u ts:inline-or-truststore-certs-grouping | | | +---u ts:inline-or-truststore-certs-grouping | |||
| +-- ee-certs! {sshcmn:ssh-x509-certs}? | | +-- ee-certs! {sshcmn:ssh-x509-certs}? | |||
| +---u ts:inline-or-truststore-certs-grouping | | +---u ts:inline-or-truststore-certs-grouping | |||
+-- transport-params {sshcmn:transport-params}? | +-- transport-params {sshcmn:transport-params}? | |||
| +---u sshcmn:transport-params-grouping | | +---u sshcmn:transport-params-grouping | |||
+-- keepalives! {ssh-client-keepalives}? | +-- keepalives! {ssh-client-keepalives}? | |||
+-- max-wait? uint16 | +-- max-wait? uint16 | |||
+-- max-attempts? uint8 | +-- max-attempts? uint8 | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
              <li>The "client-identity" node configures a "username" and authentication methods, | <li>The "client-identity" node configures a "username" and authentication methods,
                each enabled by a "feature" statement defined in <xref target="client-features"/>.</li> | each enabled by a "feature" statement defined in <xref target="client-features"/>.</li>
              <li>The "server-authentication" node configures trust anchors for | <li>The "server-authentication" node configures trust anchors for
                authenticating the SSH server, with each option enabled by a "feature" statement.</li> | authenticating the SSH server, with each option enabled by a "feature" statement.</li>
              <li>The "transport-params" node, which must be enabled by a feature, configures | <li>The "transport-params" node, which must be enabled by a feature, configures
                parameters for the SSH sessions established by this configuration.</li> | parameters for the SSH sessions established by this configuration.</li>
              <li>The "keepalives" node, which must be enabled by a feature, configures | <li>The "keepalives" node, which must be enabled by a feature, configures
                a "presence" container for testing the aliveness of the SSH server. The | a "presence" container for testing the aliveness of the SSH server. The
                aliveness-test occurs at the SSH protocol layer.</li> | aliveness-test occurs at the SSH protocol layer.</li>
<li> | <li> | |||
<t>For the referenced grouping statement(s): | <t>For the referenced grouping statements: | |||
</t> | </t> | |||
<ul spacing="compact"> | <ul spacing="normal"> | |||
                  <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is
                    discussed in <xref section="2.1.3.4" target="I-D.ietf-netconf-keystore"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9642"/>.</li>
                  <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is
                    discussed in <xref section="2.1.3.6" target="I-D.ietf-netconf-keystore"/>.</li> | discussed in <xref section="2.1.3.6" target="RFC9642"/>.</li>
                  <li>The "inline-or-truststore-public-keys-grouping" grouping is | <li>The "inline-or-truststore-public-keys-grouping" grouping is
                    discussed in <xref section="2.1.3.4" target="I-D.ietf-netconf-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9641"/>.</li>
                  <li>The "inline-or-truststore-certs-grouping" grouping is | <li>The "inline-or-truststore-certs-grouping" grouping is
                    discussed in <xref section="2.1.3.3" target="I-D.ietf-netconf-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.3" target="RFC9641"/>.</li>
                  <li>The "transport-params-grouping" grouping is discussed in | <li>The "transport-params-grouping" grouping is discussed in
                    <xref target="transport-params-grouping"/> in this document.</li> | <xref target="transport-params-grouping"/> in this document.</li>
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Protocol-accessible Nodes</name> | <name>Protocol-Accessible Nodes</name> | |||
          <t>The "ietf-ssh-client" module defines only "grouping" statements that are | <t>The "ietf-ssh-client" module defines only "grouping" statements that are
            used by other modules to instantiate protocol-accessible nodes. Thus this | used by other modules to instantiate protocol-accessible nodes. Thus, this
            module, when implemented, does not itself define any protocol-accessible nodes.</t> | module, when implemented, does not itself define any protocol-accessible nodes.</t>
</section> | </section> | |||
</section> | </section> | |||
<section anchor="client-examples"> | <section anchor="client-examples"> | |||
<name>Example Usage</name> | <name>Example Usage</name> | |||
<t>This section presents two examples showing the "ssh-client-grouping" | <t>This section presents two examples showing the "ssh-client-grouping" | |||
          grouping populated with some data. These examples are effectively the same | grouping populated with some data. These examples are effectively the same,
except the first configures the client identity using a inlined key | except the first configures the client identity using an inlined key, | |||
while the second uses a key configured in a keystore. Both examples | while the second uses a key configured in a keystore. Both examples | |||
are consistent with the examples presented in | are consistent with the examples presented in | |||
<xref section="2.2.1" target="I-D.ietf-netconf-trust-anchors"/> and | <xref section="2.2.1" target="RFC9641"/> and | |||
<xref section="2.2.1" target="I-D.ietf-netconf-keystore"/>.</t> | <xref section="2.2.1" target="RFC9642"/>.</t> | |||
<t>The following configuration example uses inline-definitions for the | <t>The following configuration example uses inline-definitions for the | |||
client identity and server authentication: | client identity and server authentication: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-client | <ssh-client | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- how this client will authenticate itself to the server --> | <!-- how this client will authenticate itself to the server --> | |||
skipping to change at line 1182 | skipping to change at line 1118
</inline-definition> | </inline-definition> | |||
</ee-certs> | </ee-certs> | |||
</server-authentication> | </server-authentication> | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-client> | </ssh-client> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following configuration example uses central-keystore-references for the | <t>The following configuration example uses central-keystore-references for the | |||
          client identity and central-truststore-references for server authentication: | client identity and central-truststore-references for server authentication
from the keystore: | from the keystore: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-client | <ssh-client | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client" | |||
xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | xmlns:algs="urn:ietf:params:xml:ns:yang:ietf-ssh-common"> | |||
<!-- how this client will authenticate itself to the server --> | <!-- how this client will authenticate itself to the server --> | |||
skipping to change at line 1234 | skipping to change at line 1170
-truststore-reference> | -truststore-reference> | |||
</ee-certs> | </ee-certs> | |||
</server-authentication> | </server-authentication> | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-client> | </ssh-client> | |||
]]></artwork> | ]]></sourcecode> | |||
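The two example instances above, like the grouping itself, carry their rules implicitly: the "must" statements in the YANG module, the feature flags, and the leaf types. The following is an added example, not code from RFC 9644 or the NETCONF working group. It parses a constructed "ssh-client" instance with nothing but the Python standard library and checks the subset of constraints that are visible on this page: the 'none' method is NOT RECOMMENDED, inline "public-key-format" values must be ct:ssh-public-key-format, and the keepalive leaves are uint16/uint8. Requiring at least one server-authentication trust anchor is this checker's own policy, not a rule quoted in the module excerpt. It also derives the RFC 4252 method names to attempt, automation-first, as the client-identity description asks; the concrete order is the example's choice. The sample instance, its names, and the placeholder key values are constructed.

```python
"""Checker for an instance of ssh-client-grouping (added example; not RFC 9644 code)."""
import io
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-ssh-client"
CT = "urn:ietf:params:xml:ns:yang:ietf-crypto-types"


def q(name):
    """Qualified tag in the ietf-ssh-client namespace. Nodes pulled in via
    'uses' (keystore/truststore groupings) also take this namespace."""
    return f"{{{NS}}}{name}"


# Constructed sample instance; BASE64VALUE= is a placeholder, not a key.
# Choice/case nodes (inline-or-keystore, inline) do not appear in instance data.
SAMPLE = """<ssh-client xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-client"
  xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
  <client-identity>
    <username>foobar</username>
    <public-key>
      <inline-definition>
        <public-key-format>ct:ssh-public-key-format</public-key-format>
        <public-key>BASE64VALUE=</public-key>
        <private-key-format>ct:rsa-private-key-format</private-key-format>
        <cleartext-private-key>BASE64VALUE=</cleartext-private-key>
      </inline-definition>
    </public-key>
  </client-identity>
  <server-authentication>
    <ssh-host-keys>
      <inline-definition>
        <public-key>
          <name>corp-ssh-server</name>
          <public-key-format>ct:ssh-public-key-format</public-key-format>
          <public-key>BASE64VALUE=</public-key>
        </public-key>
      </inline-definition>
    </ssh-host-keys>
  </server-authentication>
  <keepalives>
    <max-wait>30</max-wait>
    <max-attempts>3</max-attempts>
  </keepalives>
</ssh-client>
"""


def parse_with_ns(xml_text):
    """Parse and keep prefix->URI declarations, which ElementTree drops but
    which are needed to resolve identityrefs like 'ct:ssh-public-key-format'."""
    nsmap, root = {}, None
    for event, payload in ET.iterparse(io.BytesIO(xml_text.encode()),
                                       events=("start-ns", "start")):
        if event == "start-ns":
            nsmap[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, nsmap


def identity_is(value, nsmap, uri, local):
    """True if an identityref value names exactly {uri}local. Identities
    derived from it (also accepted by derived-from-or-self) are not resolved."""
    prefix, _, name = (value or "").strip().rpartition(":")
    return nsmap.get(prefix) == uri and name == local


def check_ssh_client(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root, nsmap = parse_with_ns(xml_text)
    findings = []
    ident = root.find(q("client-identity"))
    if ident is not None:
        if ident.find(q("none")) is not None:  # feature client-ident-none
            findings.append("client-identity/none: the 'none' method is NOT RECOMMENDED")
        for auth in ("public-key", "hostbased"):  # refined 'must' on inline-definition
            fmt = ident.find(f"{q(auth)}/{q('inline-definition')}/{q('public-key-format')}")
            if fmt is not None and not identity_is(fmt.text, nsmap, CT, "ssh-public-key-format"):
                findings.append(f"client-identity/{auth}: public-key-format must be ct:ssh-public-key-format")
    sa = root.find(q("server-authentication"))
    anchors = [] if sa is None else [c for c in ("ssh-host-keys", "ca-certs", "ee-certs")
                                     if sa.find(q(c)) is not None]
    if not anchors:  # checker policy (assumption): no anchors means no server can be authenticated
        findings.append("server-authentication: no trust anchors configured")
    else:
        for key in sa.findall(f"{q('ssh-host-keys')}/{q('inline-definition')}/{q('public-key')}"):
            fmt = key.find(q("public-key-format"))
            if not identity_is(getattr(fmt, "text", None), nsmap, CT, "ssh-public-key-format"):
                findings.append("server-authentication/ssh-host-keys: public-key-format must be ct:ssh-public-key-format")
    ka = root.find(q("keepalives"))
    if ka is not None:
        for leaf, limit in (("max-wait", 65535), ("max-attempts", 255)):  # uint16 / uint8
            node = ka.find(q(leaf))
            text = "" if node is None else (node.text or "")
            if node is not None and not (text.isdigit() and int(text) <= limit):
                findings.append(f"keepalives/{leaf}: value '{text}' out of range for the leaf's type")
    return findings


def auth_method_order(xml_text):
    """RFC 4252 method names for the configured client-identity methods, ordered
    so automation-friendly methods come before ones that usually need a human
    (the preference the module's description asks for; this order is the example's).
    'certificate' maps to 'publickey' because X.509 keys ride the publickey method."""
    root, _ = parse_with_ns(xml_text)
    ident = root.find(q("client-identity"))
    configured = {c.tag.split("}")[1] for c in ident} if ident is not None else set()
    order = (("public-key", "publickey"), ("certificate", "publickey"),
             ("hostbased", "hostbased"), ("password", "password"), ("none", "none"))
    methods = []
    for node, method in order:
        if node in configured and method not in methods:
            methods.append(method)
    return methods
```

Run `check_ssh_client(SAMPLE)` on the constructed instance to get an empty list; swapping the client key's format for ct:subject-public-key-info-format, adding `<none/>`, or setting max-attempts to 300 each produce a finding. The checker is deliberately narrower than a YANG validator: it does not walk the identity hierarchy or resolve keystore/truststore references, so it complements, not replaces, validating against the module.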
</section> | </section> | |||
<section anchor="client-yang-module"> | <section anchor="client-yang-module"> | |||
<name>YANG Module</name> | <name>YANG Module</name> | |||
        <t>This YANG module has normative references to <xref target="RFC4252"/>, | <t>This YANG module has normative references to <xref target="RFC4252"/>,
        <xref target="RFC4254"/>, <xref target="RFC8341"/>, <xref target="I-D.ietf-netconf-crypto-types"/>, | <xref target="RFC4254"/>, <xref target="RFC8341"/>, <xref target="RFC9640"/>,
        <xref target="I-D.ietf-netconf-trust-anchors"/>, and <xref target="I-D.ietf-netconf-keystore"/>.</t> | <xref target="RFC9641"/>, and <xref target="RFC9642"/>.</t>
        <t keepWithNext="true"><CODE BEGINS> file "ietf-ssh-client@2024-03-16.yang"</t> | <sourcecode type="yang" markers="true" name="ietf-ssh-client@2024-03-16.yang"><![CDATA[
        <artwork><![CDATA[ |
module ietf-ssh-client { | module ietf-ssh-client { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client"; | |||
prefix sshc; | prefix sshc; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-ssh-common { | import ietf-ssh-common { | |||
prefix sshcmn; | prefix sshcmn; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | |||
description | description | |||
"This module defines a reusable grouping for SSH clients that | "This module defines a reusable grouping for SSH clients that | |||
can be used as a basis for specific SSH client instances. | can be used as a basis for specific SSH client instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC EEEE | This version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Features | // Features | |||
feature ssh-client-keepalives { | feature ssh-client-keepalives { | |||
description | description | |||
"Per socket SSH keepalive parameters are configurable for | "SSH keepalive parameters are configurable for | |||
SSH clients on the server implementing this feature."; | SSH clients on the server implementing this feature."; | |||
} | } | |||
feature client-ident-publickey { | feature client-ident-publickey { | |||
description | description | |||
"Indicates that the 'publickey' authentication type, per | "Indicates that the 'publickey' authentication type, per | |||
RFC 4252, is supported for client identification. | RFC 4252, is supported for client identification. | |||
The 'publickey' authentication type is required by | The 'publickey' authentication type is required by | |||
RFC 4252, but common implementations allow it to | RFC 4252, but common implementations allow it to | |||
be disabled."; | be disabled."; | |||
skipping to change at line 1370 | skipping to change at line 1305
It is NOT RECOMMENDED to enable this feature."; | It is NOT RECOMMENDED to enable this feature."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping ssh-client-grouping { | grouping ssh-client-grouping { | |||
description | description | |||
"A reusable grouping for configuring a SSH client without | "A reusable grouping for configuring an SSH client without | |||
any consideration for how an underlying TCP session is | any consideration for how an underlying TCP session is | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a nesting of 'uses' statements will | node names such that a nesting of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'ssh-client-parameters'). This model purposely does | 'ssh-client-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container client-identity { | container client-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"The username and authentication methods for the client. | "The username and authentication methods for the client. | |||
The authentication methods are unordered. Clients may | The authentication methods are unordered. Clients may | |||
initially send any configured method or, per RFC 4252, | initially send any configured method or, per Section 5.2 of | |||
Section 5.2, send the 'none' method to prompt the server | RFC 4252, send the 'none' method to prompt the server | |||
to provide a list of productive methods. Whenever a | to provide a list of productive methods. Whenever a | |||
choice amongst methods arises, implementations SHOULD | choice amongst methods arises, implementations SHOULD | |||
use a default ordering that prioritizes automation | use a default ordering that prioritizes automation | |||
over human-interaction."; | over human interaction."; | |||
leaf username { | leaf username { | |||
type string; | type string; | |||
description | description | |||
"The username of this user. This will be the username | "The username of this user. This will be the username | |||
used, for instance, to log into an SSH server."; | used, for instance, to log into an SSH server."; | |||
} | } | |||
container public-key { | container public-key { | |||
if-feature "client-ident-publickey"; | if-feature "client-ident-publickey"; | |||
presence | presence | |||
"Indicates that publickey-based authentication has been | "Indicates that public-key-based authentication has been | |||
configured. This statement is present so the mandatory | configured. This statement is present so the mandatory | |||
descendant nodes do not imply that this node must be | descendant nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A locally-defined or referenced asymmetric key | "A locally defined or referenced asymmetric key | |||
pair to be used for client identification."; | pair to be used for client identification."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:ssh-public-key-format")'; | + '(public-key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
+ 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
+ '"ct:ssh-public-key-format")'; | + '"ct:ssh-public-key-format")'; | |||
skipping to change at line 1440 | skipping to change at line 1375
descendant nodes do not imply that this node must be | descendant nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A password to be used to authenticate the client's | "A password to be used to authenticate the client's | |||
identity."; | identity."; | |||
uses ct:password-grouping; | uses ct:password-grouping; | |||
} | } | |||
container hostbased { | container hostbased { | |||
if-feature "client-ident-hostbased"; | if-feature "client-ident-hostbased"; | |||
presence | presence | |||
"Indicates that hostbased authentication is configured. | "Indicates that host-based authentication is configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A locally-defined or referenced asymmetric key | "A locally defined or referenced asymmetric key | |||
pair to be used for host identification."; | pair to be used for host identification."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self(' | must 'not(public-key-format) or derived-from-or-self(' | |||
+ 'public-key-format, "ct:ssh-public-key-format")'; | + 'public-key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
+ 'from-or-self(deref(.)/../ks:public-key-format, ' | + 'from-or-self(deref(.)/../ks:public-key-format, ' | |||
+ '"ct:ssh-public-key-format")'; | + '"ct:ssh-public-key-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
leaf none { | leaf none { | |||
if-feature "client-ident-none"; | if-feature "client-ident-none"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that 'none' algorithm is used for client | "Indicates that the 'none' algorithm is used for client | |||
identification."; | identification."; | |||
} | } | |||
container certificate { | container certificate { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that certificate-based authentication has been | "Indicates that certificate-based authentication has been | |||
configured. This statement is present so the mandatory | configured. This statement is present so the mandatory | |||
descendant nodes do not imply that this node must be | descendant nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A locally-defined or referenced certificate | "A locally defined or referenced certificate | |||
to be used for client identification."; | to be used for client identification."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses | uses | |||
ks:inline-or-keystore-end-entity-cert-with-key-grouping { | ks:inline-or-keystore-end-entity-cert-with-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self(' | must 'not(public-key-format) or derived-from-or-self(' | |||
+ 'public-key-format, "ct:subject-public-key-info-' | + 'public-key-format, "ct:subject-public-key-info-' | |||
+ 'format")'; | + 'format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or derived-' | must 'not(deref(.)/../ks:public-key-format) or derived-' | |||
skipping to change at line 1515 | skipping to change at line 1450
presence | presence | |||
          "Indicates that the SSH host keys have been configured. | "Indicates that the SSH host keys have been configured.
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A bag of SSH host keys used by the SSH client to | "A bag of SSH host keys used by the SSH client to | |||
authenticate SSH server host keys. A server host key | authenticate SSH server host keys. A server host key | |||
is authenticated if it is an exact match to a | is authenticated if it is an exact match to a | |||
configured SSH host key."; | configured SSH host key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine | refine | |||
"inline-or-truststore/inline/inline-definition/public" | "inline-or-truststore/inline/inline-definition/public" | |||
+ "-key" { | + "-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
skipping to change at line 1538 | skipping to change at line 1473
} | } | |||
} | } | |||
} | } | |||
container ca-certs { | container ca-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that the CA certificates have been configured. | "Indicates that the CA certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of Certification Authority (CA) certificates used by | |||
the SSH client to authenticate SSH servers. A server | the SSH client to authenticate SSH servers. A server | |||
is authenticated if its certificate has a valid chain | is authenticated if its certificate has a valid chain | |||
of trust to a configured CA certificate."; | of trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that the EE certificates have been configured. | "Indicates that the EE certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be configured."; | nodes do not imply that this node must be configured."; | |||
description | description | |||
"A set of end-entity certificates used by the SSH client | "A set of end-entity (EE) certificates used by the SSH | |||
to authenticate SSH servers. A server is authenticated | client to authenticate SSH servers. A server is | |||
if its certificate is an exact match to a configured | authenticated if its certificate is an exact match to a | |||
end-entity certificate."; | configured end-entity certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
} // container server-authentication | } // container server-authentication | |||
container transport-params { | container transport-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "sshcmn:transport-params"; | if-feature "sshcmn:transport-params"; | |||
description | description | |||
"Configurable parameters of the SSH transport layer."; | "Configurable parameters of the SSH transport layer."; | |||
uses sshcmn:transport-params-grouping; | uses sshcmn:transport-params-grouping; | |||
} // container transport-parameters | } // container transport-parameters | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "ssh-client-keepalives"; | if-feature "ssh-client-keepalives"; | |||
presence | presence | |||
"Indicates that the SSH client proactively tests the | "Indicates that the SSH client proactively tests the | |||
aliveness of the remote SSH server."; | aliveness of the remote SSH server."; | |||
description | description | |||
"Configures the keep-alive policy, to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the SSH server. An unresponsive SSH | the aliveness of the SSH server. An unresponsive SSH | |||
server is dropped after approximately max-wait * | server is dropped after approximately max-wait * | |||
max-attempts seconds. Per Section 4 of RFC 4254, | max-attempts seconds. Per Section 4 of RFC 4254, | |||
the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST | the SSH client SHOULD send an SSH_MSG_GLOBAL_REQUEST | |||
message with a purposely nonexistent 'request name' | message with a purposely nonexistent 'request name' | |||
value (e.g., keepalive@ietf.org) and the 'want reply' | value (e.g., keepalive@example.com) and the 'want reply' | |||
value set to '1'."; | value set to '1'."; | |||
reference | reference | |||
"RFC 4254: The Secure Shell (SSH) Connection Protocol"; | "RFC 4254: The Secure Shell (SSH) Connection Protocol"; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which if | "Sets the amount of time in seconds after which an | |||
no data has been received from the SSH server, a | SSH-level message will be sent to test the aliveness | |||
SSH-level message will be sent to test the | of the SSH server if no data has been received from the | |||
aliveness of the SSH server."; | SSH server."; | |||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the SSH server before assuming the SSH server is | the SSH server before assuming the SSH server is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} // container keepalives | } // container keepalives | |||
} // grouping ssh-client-grouping | } // grouping ssh-client-grouping | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="ssh-server-model"> | <section anchor="ssh-server-model"> | |||
<name>The "ietf-ssh-server" Module</name> | <name>The "ietf-ssh-server" Module</name> | |||
<t>This section defines a YANG 1.1 module called | <t>This section defines a YANG 1.1 module called | |||
"ietf-ssh-server". A high-level overview of the module is provided in | "ietf-ssh-server". A high-level overview of the module is provided in | |||
<xref target="server-overview"/>. Examples illustrating the module's use | <xref target="server-overview"/>. Examples illustrating the module's use | |||
are provided in <xref target="server-examples">Examples</xref>. The YANG | are provided in <xref target="server-examples"/> ("Example Usage"). The YANG | |||
module itself is defined in <xref target="server-yang-module"/>.</t> | module itself is defined in <xref target="server-yang-module"/>.</t> | |||
<section anchor="server-overview"> | <section anchor="server-overview"> | |||
<name>Data Model Overview</name> | <name>Data Model Overview</name> | |||
<t>This section provides an overview of the "ietf-ssh-server" module | <t>This section provides an overview of the "ietf-ssh-server" module | |||
in terms of its features and groupings.</t> | in terms of its features and groupings.</t> | |||
<section anchor="server-features" toc="exclude"> | <section anchor="server-features" toc="exclude"> | |||
<name>Features</name> | <name>Features</name> | |||
<t>The following diagram lists all the "feature" statements | <t>The following diagram lists all the "feature" statements | |||
defined in the "ietf-ssh-server" module:</t> | defined in the "ietf-ssh-server" module:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangree"><![CDATA[ | |||
Features: | Features: | |||
+-- ssh-server-keepalives | +-- ssh-server-keepalives | |||
+-- local-users-supported | +-- local-users-supported | |||
+-- local-user-auth-publickey {local-users-supported}? | +-- local-user-auth-publickey {local-users-supported}? | |||
+-- local-user-auth-password {local-users-supported}? | +-- local-user-auth-password {local-users-supported}? | |||
+-- local-user-auth-hostbased {local-users-supported}? | +-- local-user-auth-hostbased {local-users-supported}? | |||
+-- local-user-auth-none {local-users-supported}? | +-- local-user-auth-none {local-users-supported}? | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The diagram above uses syntax that is similar to but not | <t>The diagram above uses syntax that is similar to but not | |||
defined in <xref target="RFC8340"/>.</t> | defined in <xref target="RFC8340"/>.</t> | |||
<t>Please refer to the YANG module for a description of each feature.< /t> | <t>Please refer to the YANG module for a description of each feature.< /t> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Groupings</name> | <name>Groupings</name> | |||
<t>The "ietf-ssh-server" module defines the following "grouping" state ment:</t> | <t>The "ietf-ssh-server" module defines the following "grouping" state ment:</t> | |||
<ul spacing="compact"> | <ul spacing="compact"> | |||
<li>ssh-server-grouping</li> | <li>ssh-server-grouping</li> | |||
</ul> | </ul> | |||
<t>This grouping is presented in the following subsection.</t> | <t>This grouping is presented in the following subsection.</t> | |||
<section anchor="ssh-server-grouping"> | <section anchor="ssh-server-grouping"> | |||
<name>The "ssh-server-grouping" Grouping</name> | <name>The "ssh-server-grouping" Grouping</name> | |||
<t>The following tree diagram <xref target="RFC8340"/> illustrates t he | <t>The following tree diagram <xref target="RFC8340"/> illustrates t he | |||
"ssh-server-grouping" grouping:</t> | "ssh-server-grouping" grouping:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yangtree"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
grouping ssh-server-grouping: | grouping ssh-server-grouping: | |||
+-- server-identity | +-- server-identity | |||
| +-- host-key* [name] | | +-- host-key* [name] | |||
| +-- name? string | | +-- name string | |||
| +-- (host-key-type) | | +-- (host-key-type) | |||
| +--:(public-key) | | +--:(public-key) | |||
| | +-- public-key | | | +-- public-key | |||
| | +---u ks:inline-or-keystore-asymmetric-key-groupi\ | | | +---u ks:inline-or-keystore-asymmetric-key-groupi\ | |||
ng | ng | |||
| +--:(certificate) | | +--:(certificate) | |||
| +-- certificate {sshcmn:ssh-x509-certs}? | | +-- certificate {sshcmn:ssh-x509-certs}? | |||
| +---u ks:inline-or-keystore-end-entity-cert-with-\ | | +---u ks:inline-or-keystore-end-entity-cert-with-\ | |||
key-grouping | key-grouping | |||
+-- client-authentication | +-- client-authentication | |||
| +-- users {local-users-supported}? | | +-- users {local-users-supported}? | |||
| | +-- user* [name] | | | +-- user* [name] | |||
| | +-- name? string | | | +-- name string | |||
| | +-- public-keys! {local-user-auth-publickey}? | | | +-- public-keys! {local-user-auth-publickey}? | |||
| | | +---u ts:inline-or-truststore-public-keys-grouping | | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| | +-- password | | | +-- password | |||
| | | +-- hashed-password? ianach:crypt-hash | | | | +-- hashed-password? ianach:crypt-hash | |||
| | | | {local-user-auth-password}? | | | | | {local-user-auth-password}? | |||
| | | +--ro last-modified? yang:date-and-time | | | | +--ro last-modified? yang:date-and-time | |||
| | +-- hostbased! {local-user-auth-hostbased}? | | | +-- hostbased! {local-user-auth-hostbased}? | |||
| | | +---u ts:inline-or-truststore-public-keys-grouping | | | | +---u ts:inline-or-truststore-public-keys-grouping | |||
| | +-- none? empty {local-user-auth-none}? | | | +-- none? empty {local-user-auth-none}? | |||
| +-- ca-certs! {sshcmn:ssh-x509-certs}? | | +-- ca-certs! {sshcmn:ssh-x509-certs}? | |||
| | +---u ts:inline-or-truststore-certs-grouping | | | +---u ts:inline-or-truststore-certs-grouping | |||
| +-- ee-certs! {sshcmn:ssh-x509-certs}? | | +-- ee-certs! {sshcmn:ssh-x509-certs}? | |||
| +---u ts:inline-or-truststore-certs-grouping | | +---u ts:inline-or-truststore-certs-grouping | |||
+-- transport-params {sshcmn:transport-params}? | +-- transport-params {sshcmn:transport-params}? | |||
| +---u sshcmn:transport-params-grouping | | +---u sshcmn:transport-params-grouping | |||
+-- keepalives! {ssh-server-keepalives}? | +-- keepalives! {ssh-server-keepalives}? | |||
+-- max-wait? uint16 | +-- max-wait? uint16 | |||
+-- max-attempts? uint8 | +-- max-attempts? uint8 | |||
]]></artwork> | ]]></sourcecode> | |||
<t>Comments:</t> | <t>Comments:</t> | |||
<ul> | <ul> | |||
<li>The "server-identity" node configures the authentication metho ds the | <li>The "server-identity" node configures the authentication metho ds the | |||
server can use to identify itself to clients. The ability to us e a | server can use to identify itself to clients. The ability to us e a | |||
certificate is enabled by a "feature".</li> | certificate is enabled by a "feature".</li> | |||
<li>The "client-authentication" node configures trust anchors for | <li>The "client-authentication" node configures trust anchors for | |||
authenticating the SSH client, with each option enabled by a "fe ature" statement.</li> | authenticating the SSH client, with each option enabled by a "fe ature" statement.</li> | |||
<li>The "transport-params" node, which must be enabled by a featur e, configures | <li>The "transport-params" node, which must be enabled by a featur e, configures | |||
parameters for the SSH sessions established by this configuratio n.</li> | parameters for the SSH sessions established by this configuratio n.</li> | |||
<li>The "keepalives" node, which must be enabled by a feature, con figures | <li>The "keepalives" node, which must be enabled by a feature, con figures | |||
a "presence" container for testing the aliveness of the SSH clie nt. The | a "presence" container for testing the aliveness of the SSH clie nt. The | |||
aliveness-test occurs at the SSH protocol layer.</li> | aliveness-test occurs at the SSH protocol layer.</li> | |||
<li> | <li> | |||
<t>For the referenced grouping statement(s): | <t>For the referenced grouping statements: | |||
</t> | </t> | |||
<ul spacing="compact"> | <ul spacing="normal"> | |||
<li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | <li>The "inline-or-keystore-asymmetric-key-grouping" grouping is | |||
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9642"/>.</li > | |||
<li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | <li>The "inline-or-keystore-end-entity-cert-with-key-grouping" grouping is | |||
discussed in <xref section="2.1.3.6" target="I-D.ietf-netcon f-keystore"/>.</li> | discussed in <xref section="2.1.3.6" target="RFC9642"/>.</li > | |||
<li>The "inline-or-truststore-public-keys-grouping" grouping i s | <li>The "inline-or-truststore-public-keys-grouping" grouping i s | |||
discussed in <xref section="2.1.3.4" target="I-D.ietf-netcon f-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.4" target="RFC9641"/>.</li > | |||
<li>The "inline-or-truststore-certs-grouping" grouping is | <li>The "inline-or-truststore-certs-grouping" grouping is | |||
discussed in <xref section="2.1.3.3" target="I-D.ietf-netcon f-trust-anchors"/>.</li> | discussed in <xref section="2.1.3.3" target="RFC9641"/>.</li > | |||
<li>The "transport-params-grouping" grouping is discussed in | <li>The "transport-params-grouping" grouping is discussed in | |||
<xref target="transport-params-grouping"/> in this document.</ li> | <xref target="transport-params-grouping"/> in this document.</ li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section toc="exclude"> | <section toc="exclude"> | |||
<name>Protocol-accessible Nodes</name> | <name>Protocol-Accessible Nodes</name> | |||
<t>The "ietf-ssh-server" module defines only "grouping" statements tha t are | <t>The "ietf-ssh-server" module defines only "grouping" statements tha t are | |||
used by other modules to instantiate protocol-accessible nodes. Th us this | used by other modules to instantiate protocol-accessible nodes. Th us, this | |||
module, when implemented, does not itself define any protocol-access ible nodes.</t> | module, when implemented, does not itself define any protocol-access ible nodes.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="server-examples"> | <section anchor="server-examples"> | |||
<name>Example Usage</name> | <name>Example Usage</name> | |||
<t>This section presents two examples showing the "ssh-server-grouping" | <t>This section presents two examples showing the "ssh-server-grouping" | |||
grouping populated with some data. These examples are effectively the sa | grouping populated with some data. These examples are effectively the sa | |||
me | me, | |||
except the first configures the server identity using a inlined key | except the first configures the server identity using an inlined key, | |||
while the second uses a key configured in a keystore. Both examples | while the second uses a key configured in a keystore. Both examples | |||
are consistent with the examples presented in | are consistent with the examples presented in | |||
<xref section="2.2.1" target="I-D.ietf-netconf-trust-anchors"/> and | <xref section="2.2.1" target="RFC9641"/> and | |||
<xref section="2.2.1" target="I-D.ietf-netconf-keystore"/>.</t> | <xref section="2.2.1" target="RFC9642"/>.</t> | |||
<t>The following configuration example uses inline-definitions for the | <t>The following configuration example uses inline-definitions for the | |||
server identity and client authentication: | server identity and client authentication: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-server | <ssh-server | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server" | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- the host-key this SSH server will present --> | <!-- the host-key this SSH server will present --> | |||
skipping to change at line 1838 ¶ | skipping to change at line 1772 ¶ | |||
</inline-definition> | </inline-definition> | |||
</ee-certs> | </ee-certs> | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-server> | </ssh-server> | |||
]]></artwork> | ]]></sourcecode> | |||
<t>The following configuration example uses central-keystore-references for the | <t>The following configuration example uses central-keystore-references for the | |||
server identity and central-truststore-references for client authentic ation: | server identity and central-truststore-references for client authentic ation | |||
from the keystore: | from the keystore: | |||
</t> | </t> | |||
<artwork><![CDATA[ | <sourcecode type="xml"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<!-- The outermost element below doesn't exist in the data model. --> | <!-- The outermost element below doesn't exist in the data model. --> | |||
<!-- It simulates if the "grouping" were a "container" instead. --> | <!-- It simulates if the "grouping" were a "container" instead. --> | |||
<ssh-server | <ssh-server | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server"> | |||
<!-- the host-key this SSH server will present --> | <!-- the host-key this SSH server will present --> | |||
<server-identity> | <server-identity> | |||
skipping to change at line 1902 ¶ | skipping to change at line 1836 ¶ | |||
-truststore-reference> | -truststore-reference> | |||
</ee-certs> | </ee-certs> | |||
</client-authentication> | </client-authentication> | |||
<keepalives> | <keepalives> | |||
<max-wait>30</max-wait> | <max-wait>30</max-wait> | |||
<max-attempts>3</max-attempts> | <max-attempts>3</max-attempts> | |||
</keepalives> | </keepalives> | |||
</ssh-server> | </ssh-server> | |||
]]></artwork> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="server-yang-module"> | <section anchor="server-yang-module"> | |||
<name>YANG Module</name> | <name>YANG Module</name> | |||
<t>This YANG module has references to <xref target="RFC4251"/>, <xref ta | <t>This YANG module has normative references to <xref target="RFC4251"/> | |||
rget="RFC4252"/>, | , <xref target="RFC4252"/>, | |||
<xref target="RFC4253"/>, <xref target="RFC4254"/>, <xref target="RFC731 | <xref target="RFC4253"/>, <xref target="RFC4254"/>, <xref target="RFC699 | |||
7"/>, | 1"/>, <xref target="RFC7317"/>, | |||
<xref target="RFC8341"/>, <xref target="I-D.ietf-netconf-crypto-types"/> | <xref target="RFC8341"/>, <xref target="RFC9640"/>, | |||
, | <xref target="RFC9641"/>, and | |||
<xref target="I-D.ietf-netconf-trust-anchors"/>, and | <xref target="RFC9642"/>.</t> | |||
<xref target="I-D.ietf-netconf-keystore"/>.</t> | <sourcecode type="yang" markers="true" name="ietf-ssh-server@2024-03-16. | |||
<t keepWithNext="true"><CODE BEGINS> file "ietf-ssh-server@2024-03 | yang"><![CDATA[ | |||
-16.yang"</t> | ||||
<artwork><![CDATA[ | ||||
module ietf-ssh-server { | module ietf-ssh-server { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; | |||
prefix sshs; | prefix sshs; | |||
import ietf-yang-types { | import ietf-yang-types { | |||
prefix yang; | prefix yang; | |||
reference | reference | |||
"RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
skipping to change at line 1939 ¶ | skipping to change at line 1872 ¶ | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
import ietf-keystore { | import ietf-keystore { | |||
prefix ks; | prefix ks; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
} | } | |||
import ietf-ssh-common { | import ietf-ssh-common { | |||
prefix sshcmn; | prefix sshcmn; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | |||
description | description | |||
"This module defines a reusable grouping for SSH servers that | "This module defines a reusable grouping for SSH servers that | |||
can be used as a basis for specific SSH server instances. | can be used as a basis for specific SSH server instances. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC EEEE | This version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
// Features | // Features | |||
feature ssh-server-keepalives { | feature ssh-server-keepalives { | |||
description | description | |||
"Per socket SSH keepalive parameters are configurable for | "SSH keepalive parameters are configurable for | |||
SSH servers on the server implementing this feature."; | SSH servers on the server implementing this feature."; | |||
} | } | |||
feature local-users-supported { | feature local-users-supported { | |||
description | description | |||
"Indicates that the configuration for users can be | "Indicates that the configuration for users can be | |||
configured herein, as opposed to in an application | configured herein, as opposed to in an application- | |||
specific location."; | specific location."; | |||
} | } | |||
feature local-user-auth-publickey { | feature local-user-auth-publickey { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'publickey' authentication type, | "Indicates that the 'publickey' authentication type, | |||
per RFC 4252, is supported for locally-defined users. | per RFC 4252, is supported for locally defined users. | |||
The 'publickey' authentication type is required by | The 'publickey' authentication type is required by | |||
RFC 4252, but common implementations allow it to | RFC 4252, but common implementations allow it to | |||
be disabled."; | be disabled."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
feature local-user-auth-password { | feature local-user-auth-password { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'password' authentication type, | "Indicates that the 'password' authentication type, | |||
per RFC 4252, is supported for locally-defined users."; | per RFC 4252, is supported for locally defined users."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
feature local-user-auth-hostbased { | feature local-user-auth-hostbased { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'hostbased' authentication type, | "Indicates that the 'hostbased' authentication type, | |||
per RFC 4252, is supported for locally-defined users."; | per RFC 4252, is supported for locally defined users."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
feature local-user-auth-none { | feature local-user-auth-none { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"Indicates that the 'none' authentication type, per | "Indicates that the 'none' authentication type, per | |||
RFC 4252, is supported. It is NOT RECOMMENDED to | RFC 4252, is supported. It is NOT RECOMMENDED to | |||
enable this feature."; | enable this feature."; | |||
reference | reference | |||
"RFC 4252: | "RFC 4252: | |||
The Secure Shell (SSH) Authentication Protocol"; | The Secure Shell (SSH) Authentication Protocol"; | |||
} | } | |||
// Groupings | // Groupings | |||
grouping ssh-server-grouping { | grouping ssh-server-grouping { | |||
description | description | |||
"A reusable grouping for configuring a SSH server without | "A reusable grouping for configuring an SSH server without | |||
any consideration for how underlying TCP sessions are | any consideration for how underlying TCP sessions are | |||
established. | established. | |||
Note that this grouping uses fairly typical descendant | Note that this grouping uses fairly typical descendant | |||
node names such that a nesting of 'uses' statements will | node names such that a nesting of 'uses' statements will | |||
have name conflicts. It is intended that the consuming | have name conflicts. It is intended that the consuming | |||
data model will resolve the issue (e.g., by wrapping | data model will resolve the issue (e.g., by wrapping | |||
the 'uses' statement in a container called | the 'uses' statement in a container called | |||
'ssh-server-parameters'). This model purposely does | 'ssh-server-parameters'). This model purposely does | |||
not do this itself so as to provide maximum flexibility | not do this itself so as to provide maximum flexibility | |||
to consuming models."; | to consuming models."; | |||
container server-identity { | container server-identity { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"The list of host keys the SSH server will present when | "The list of host keys the SSH server will present when | |||
establishing a SSH connection."; | establishing an SSH connection."; | |||
list host-key { | list host-key { | |||
key "name"; | key "name"; | |||
min-elements 1; | min-elements 1; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"An ordered list of host keys (see RFC 4251) the SSH | "An ordered list of host keys (see RFC 4251) the SSH | |||
server will use to construct its ordered list of | server will use to construct its ordered list of | |||
algorithms, when sending its SSH_MSG_KEXINIT message, | algorithms when sending its SSH_MSG_KEXINIT message, | |||
as defined in Section 7.1 of RFC 4253."; | as defined in Section 7.1 of RFC 4253."; | |||
reference | reference | |||
"RFC 4251: The Secure Shell (SSH) Protocol Architecture | "RFC 4251: The Secure Shell (SSH) Protocol Architecture | |||
RFC 4253: The Secure Shell (SSH) Transport Layer | RFC 4253: The Secure Shell (SSH) Transport Layer | |||
Protocol"; | Protocol"; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"An arbitrary name for this host key"; | "An arbitrary name for this host key."; | |||
} | } | |||
choice host-key-type { | choice host-key-type { | |||
mandatory true; | mandatory true; | |||
description | description | |||
"The type of host key being specified"; | "The type of host key being specified."; | |||
container public-key { | container public-key { | |||
description | description | |||
"A locally-defined or referenced asymmetric key pair | "A locally defined or referenced asymmetric key pair | |||
to be used for the SSH server's host key."; | to be used for the SSH server's host key."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses ks:inline-or-keystore-asymmetric-key-grouping { | uses ks:inline-or-keystore-asymmetric-key-grouping { | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:ssh-public-key-format")'; | + '(public-key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference" { | + "central-keystore-reference" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
+ 'derived-from-or-self(deref(.)/../ks:public-' | + 'derived-from-or-self(deref(.)/../ks:public-' | |||
+ 'key-format, "ct:ssh-public-key-format")'; | + 'key-format, "ct:ssh-public-key-format")'; | |||
} | } | |||
} | } | |||
} | } | |||
container certificate { | container certificate { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
description | description | |||
"A locally-defined or referenced end-entity | "A locally defined or referenced end-entity | |||
certificate to be used for the SSH server's | certificate to be used for the SSH server's | |||
host key."; | host key."; | |||
reference | reference | |||
"RFC CCCC: A YANG Data Model for a Keystore"; | "RFC 9642: A YANG Data Model for a Keystore"; | |||
uses | uses | |||
ks:inline-or-keystore-end-entity-cert-with-key-grouping{ | ks:inline-or-keystore-end-entity-cert-with-key-grouping{ | |||
refine "inline-or-keystore/inline/inline-definition" { | refine "inline-or-keystore/inline/inline-definition" { | |||
must 'not(public-key-format) or derived-from-or-self' | must 'not(public-key-format) or derived-from-or-self' | |||
+ '(public-key-format, "ct:subject-public-key-' | + '(public-key-format, "ct:subject-public-key-' | |||
+ 'info-format")'; | + 'info-format")'; | |||
} | } | |||
refine "inline-or-keystore/central-keystore/" | refine "inline-or-keystore/central-keystore/" | |||
+ "central-keystore-reference/asymmetric-key" { | + "central-keystore-reference/asymmetric-key" { | |||
must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
skipping to change at line 2157 ¶ | skipping to change at line 2090 ¶ | |||
} | } | |||
} // container server-identity | } // container server-identity | |||
container client-authentication { | container client-authentication { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"Specifies how the SSH server can be configured to | "Specifies how the SSH server can be configured to | |||
authenticate SSH clients. See RFC 4252 for a general | authenticate SSH clients. See RFC 4252 for a general | |||
discussion about SSH authentication."; | discussion about SSH authentication."; | |||
reference | reference | |||
"RFC 4252: The Secure Shell (SSH) Transport Layer"; | "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; | |||
container users { | container users { | |||
if-feature "local-users-supported"; | if-feature "local-users-supported"; | |||
description | description | |||
"A list of locally configured users."; | "A list of locally configured users."; | |||
list user { | list user { | |||
key "name"; | key "name"; | |||
description | description | |||
"A locally configured user. | "A locally configured user. | |||
The server SHOULD derive the list of authentication | The server SHOULD derive the list of authentication | |||
'method names' returned to the SSH client from the | 'method names' returned to the SSH client from the | |||
descendant nodes configured herein, per Sections | descendant nodes configured herein, per Sections | |||
5.1 and 5.2 in RFC 4252. | 5.1 and 5.2 of RFC 4252. | |||
The authentication methods are unordered. Clients | The authentication methods are unordered. Clients | |||
must authenticate to all configured methods. | must authenticate to all configured methods. | |||
Whenever a choice amongst methods arises, | Whenever a choice amongst methods arises, | |||
implementations SHOULD use a default ordering | implementations SHOULD use a default ordering | |||
that prioritizes automation over human-interaction."; | that prioritizes automation over human interaction."; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"The 'user name' for the SSH client, as defined in | "The 'username' for the SSH client, as defined in | |||
the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; | the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; | |||
reference | reference | |||
"RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||
Protocol"; | Protocol"; | |||
} | } | |||
container public-keys { | container public-keys { | |||
if-feature "local-user-auth-publickey"; | if-feature "local-user-auth-publickey"; | |||
presence | presence | |||
"Indicates that public keys have been configured. | "Indicates that public keys have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply that this node must be | nodes do not imply that this node must be | |||
configured."; | configured."; | |||
description | description | |||
"A set of SSH public keys may be used by the SSH | "A set of SSH public keys may be used by the SSH | |||
server to authenticate this user. A user is | server to authenticate this user. A user is | |||
authenticated if its public key is an exact | authenticated if its public key is an exact | |||
match to a configured public key."; | match to a configured public key."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:ssh-' | + 'format[not(derived-from-or-self(., "ct:ssh-' | |||
skipping to change at line 2235 ¶ | skipping to change at line 2168 ¶ | |||
leaf last-modified { | leaf last-modified { | |||
type yang:date-and-time; | type yang:date-and-time; | |||
config false; | config false; | |||
description | description | |||
"Identifies when the password was last set."; | "Identifies when the password was last set."; | |||
} | } | |||
} | } | |||
container hostbased { | container hostbased { | |||
if-feature "local-user-auth-hostbased"; | if-feature "local-user-auth-hostbased"; | |||
presence | presence | |||
"Indicates that hostbased [RFC4252] keys have been | "Indicates that host-based (RFC 4252) keys have been | |||
configured. This statement is present so the | configured. This statement is present so the | |||
mandatory descendant nodes do not imply that this | mandatory descendant nodes do not imply that this | |||
node must be configured."; | node must be configured."; | |||
description | description | |||
"A set of SSH host keys used by the SSH server to | "A set of SSH host keys used by the SSH server to | |||
authenticate this user's host. A user's host is | authenticate this user's host. A user's host is | |||
authenticated if its host key is an exact match | authenticated if its host key is an exact match | |||
to a configured host key."; | to a configured host key."; | |||
reference | reference | |||
"RFC 4252: The Secure Shell (SSH) Transport Layer | "RFC 4252: The Secure Shell (SSH) Authentication | |||
RFC BBBB: A YANG Data Model for a Truststore"; | Protocol | |||
RFC 9641: A YANG Data Model for a Truststore"; | ||||
uses ts:inline-or-truststore-public-keys-grouping { | uses ts:inline-or-truststore-public-keys-grouping { | |||
refine "inline-or-truststore/inline/inline-definition/" | refine "inline-or-truststore/inline/inline-definition/" | |||
+ "public-key" { | + "public-key" { | |||
must 'derived-from-or-self(public-key-format,' | must 'derived-from-or-self(public-key-format,' | |||
+ ' "ct:ssh-public-key-format")'; | + ' "ct:ssh-public-key-format")'; | |||
} | } | |||
refine "inline-or-truststore/central-truststore/" | refine "inline-or-truststore/central-truststore/" | |||
+ "central-truststore-reference" { | + "central-truststore-reference" { | |||
must 'not(deref(.)/../ts:public-key/ts:public-key-' | must 'not(deref(.)/../ts:public-key/ts:public-key-' | |||
+ 'format[not(derived-from-or-self(., "ct:ssh-' | + 'format[not(derived-from-or-self(., "ct:ssh-' | |||
skipping to change at line 2269 ¶ | skipping to change at line 2203 ¶ | |||
} | } | |||
} | } | |||
leaf none { | leaf none { | |||
if-feature "local-user-auth-none"; | if-feature "local-user-auth-none"; | |||
type empty; | type empty; | |||
description | description | |||
"Indicates that the 'none' method is configured | "Indicates that the 'none' method is configured | |||
for this user."; | for this user."; | |||
reference | reference | |||
"RFC 4252: The Secure Shell (SSH) Authentication | "RFC 4252: The Secure Shell (SSH) Authentication | |||
Protocol."; | Protocol"; | |||
} | } | |||
} | } | |||
} // users | } // users | |||
container ca-certs { | container ca-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that CA certificates have been configured. | "Indicates that CA certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply this node must be configured."; | nodes do not imply this node must be configured."; | |||
description | description | |||
"A set of certificate authority (CA) certificates used by | "A set of Certification Authority (CA) certificates used by | |||
the SSH server to authenticate SSH client certificates. | the SSH server to authenticate SSH client certificates. | |||
A client certificate is authenticated if it has a valid | A client certificate is authenticated if it has a valid | |||
chain of trust to a configured CA certificate."; | chain of trust to a configured CA certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
container ee-certs { | container ee-certs { | |||
if-feature "sshcmn:ssh-x509-certs"; | if-feature "sshcmn:ssh-x509-certs"; | |||
presence | presence | |||
"Indicates that EE certificates have been configured. | "Indicates that EE certificates have been configured. | |||
This statement is present so the mandatory descendant | This statement is present so the mandatory descendant | |||
nodes do not imply this node must be configured."; | nodes do not imply this node must be configured."; | |||
description | description | |||
"A set of client certificates (i.e., end entity | "A set of client certificates (i.e., end-entity | |||
certificates) used by the SSH server to authenticate | certificates) used by the SSH server to authenticate | |||
the certificates presented by SSH clients. A client | the certificates presented by SSH clients. A client | |||
certificate is authenticated if it is an exact match | certificate is authenticated if it is an exact match | |||
to a configured end-entity certificate."; | to a configured end-entity certificate."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
uses ts:inline-or-truststore-certs-grouping; | uses ts:inline-or-truststore-certs-grouping; | |||
} | } | |||
} // container client-authentication | } // container client-authentication | |||
container transport-params { | container transport-params { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "sshcmn:transport-params"; | if-feature "sshcmn:transport-params"; | |||
description | description | |||
"Configurable parameters of the SSH transport layer."; | "Configurable parameters of the SSH transport layer."; | |||
uses sshcmn:transport-params-grouping; | uses sshcmn:transport-params-grouping; | |||
} // container transport-params | } // container transport-params | |||
container keepalives { | container keepalives { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "ssh-server-keepalives"; | if-feature "ssh-server-keepalives"; | |||
presence | presence | |||
"Indicates that the SSH server proactively tests the | "Indicates that the SSH server proactively tests the | |||
aliveness of the remote SSH client."; | aliveness of the remote SSH client."; | |||
description | description | |||
"Configures the keep-alive policy, to proactively test | "Configures the keepalive policy to proactively test | |||
the aliveness of the SSH client. An unresponsive SSH | the aliveness of the SSH client. An unresponsive SSH | |||
client is dropped after approximately max-wait * | client is dropped after approximately max-wait * | |||
max-attempts seconds. Per Section 4 of RFC 4254, | max-attempts seconds. Per Section 4 of RFC 4254, | |||
the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST | the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST | |||
message with a purposely nonexistent 'request name' | message with a purposely nonexistent 'request name' | |||
value (e.g., keepalive@ietf.org) and the 'want reply' | value (e.g., keepalive@example.com) and the 'want reply' | |||
value set to '1'."; | value set to '1'."; | |||
reference | reference | |||
"RFC 4254: The Secure Shell (SSH) Connection Protocol"; | "RFC 4254: The Secure Shell (SSH) Connection Protocol"; | |||
leaf max-wait { | leaf max-wait { | |||
type uint16 { | type uint16 { | |||
range "1..max"; | range "1..max"; | |||
} | } | |||
units "seconds"; | units "seconds"; | |||
default "30"; | default "30"; | |||
description | description | |||
"Sets the amount of time in seconds after which | "Sets the amount of time in seconds after which | |||
if no data has been received from the SSH client, | an SSH-level message will be sent to test the | |||
a SSH-level message will be sent to test the | aliveness of the SSH client if no data has been | |||
aliveness of the SSH client."; | received from the SSH client."; | |||
} | } | |||
leaf max-attempts { | leaf max-attempts { | |||
type uint8; | type uint8; | |||
default "3"; | default "3"; | |||
description | description | |||
"Sets the maximum number of sequential keep-alive | "Sets the maximum number of sequential keepalive | |||
messages that can fail to obtain a response from | messages that can fail to obtain a response from | |||
the SSH client before assuming the SSH client is | the SSH client before assuming the SSH client is | |||
no longer alive."; | no longer alive."; | |||
} | } | |||
} | } | |||
} // grouping ssh-server-grouping | } // grouping ssh-server-grouping | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
<t keepWithPrevious="true"><CODE ENDS></t> | |||
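The "user" list above says the server SHOULD derive the RFC 4252 'method names' from the descendant nodes configured for that user, that the methods are unordered, and that clients must authenticate to all of them. The Python below is an added example (not code from RFC 9644 or any implementation it describes) showing one way to turn a configured user entry into that method-name list and to track an all-methods-required attempt using the SSH_MSG_USERAUTH_FAILURE fields of RFC 4252 Section 5.1. The dict layout mirrors the module's node names (public-keys, password, hostbased, none); the function and class names are assumptions, as is the choice to reject a user with no methods configured.

```python
"""Derive RFC 4252 method names from an ietf-ssh-server 'user' entry and
track multi-method ("all configured methods") authentication.

Added example, not code from RFC 9644.  Only the YANG node names under
/client-authentication/users/user are taken from the module; everything
else here is an assumption made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# YANG child node of 'user' -> RFC 4252 method name.  The order is the
# only ordering applied anywhere: the module says implementations SHOULD
# prefer automation over human interaction, so key-based methods are
# listed before 'password'.
NODE_TO_METHOD = {
    "public-keys": "publickey",
    "hostbased": "hostbased",
    "password": "password",
    "none": "none",
}


def required_methods(user: dict) -> list[str]:
    """Return the RFC 4252 method names configured for one user entry.

    'public-keys' and 'hostbased' are presence containers and 'none' is an
    empty leaf, so mere presence of the key in the dict means "configured".
    """
    return [method for node, method in NODE_TO_METHOD.items() if node in user]


@dataclass
class UserAuthSession:
    """Server-side state for one client's authentication attempt."""

    required: list[str]
    completed: set[str] = field(default_factory=set)

    def failure_reply(self) -> dict:
        """Fields of SSH_MSG_USERAUTH_FAILURE (RFC 4252 Section 5.1).

        'authentications that can continue' lists the still-unsatisfied
        methods; 'partial success' is true only when at least one method
        has succeeded but more are still required.
        """
        remaining = [m for m in self.required if m not in self.completed]
        return {
            "authentications_that_can_continue": remaining,
            "partial_success": bool(self.completed) and bool(remaining),
        }

    def record(self, method: str, verified: bool) -> str:
        """Apply the outcome of one SSH_MSG_USERAUTH_REQUEST.

        Returns "SUCCESS" once every configured method has been satisfied,
        otherwise "FAILURE".  A method that is not configured for this user
        never counts, even if the credential itself verified.  A user with
        no methods configured is never authenticated (assumed safe default;
        the module itself does not state this).
        """
        if not self.required:
            return "FAILURE"
        if method in self.required:
            if method == "none":
                verified = True  # 'none' carries no credential to verify
            if verified:
                self.completed.add(method)
        if self.completed.issuperset(self.required):
            return "SUCCESS"
        return "FAILURE"


if __name__ == "__main__":
    # Constructed sample user: publickey AND password both configured.
    alice = {"name": "alice", "public-keys": {}, "password": {}}
    session = UserAuthSession(required_methods(alice))
    print(session.record("password", True))   # FAILURE (publickey still owed)
    print(session.failure_reply())            # partial_success True
    print(session.record("publickey", True))  # SUCCESS
```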
</section> | </section> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Security Considerations</name> | <name>Security Considerations</name> | |||
<t>The three IETF YANG modules in this document define groupings and will | <t>The three IETF YANG modules in this document define groupings and will | |||
not be deployed as standalone modules. Their security implications | not be deployed as standalone modules. Their security implications | |||
may be context dependent based on their use in other modules. The | may be context-dependent based on their use in other modules. The | |||
designers of modules which import these grouping must conduct their | designers of modules that import these groupings must conduct their | |||
own analysis of the security considerations.</t> | own analysis of the security considerations.</t> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-key-exchange-algs" Module</name> | <name>Considerations for the "iana-ssh-key-exchange-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | <t>This section is modeled after the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | |||
<t>The "iana-ssh-key-exchange-algs" YANG module defines a data model | <t>The "iana-ssh-key-exchange-algs" YANG module defines a data model | |||
that is designed to be accessed via YANG based management | that is designed to be accessed via YANG-based management | |||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/> | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>This YANG module defines YANG enumerations, for a public IANA-maintained | <t>This YANG module defines YANG enumerations for a public IANA-maintained | |||
registry.</t> | registry.</t> | |||
<t>YANG enumerations are not security-sensitive, as they are statically | <t>YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module. IANA MAY deprecate | defined in the publicly accessible YANG module. IANA <bcp14>MAY</bcp14> deprecate | |||
and/or obsolete enumerations over time as needed to address security | and/or obsolete enumerations over time as needed to address security | |||
issues found in the algorithms.</t> | issues found in the algorithms.</t> | |||
<t>This module does not define any writable-nodes, RPCs, actions, | <t>This module does not define any writable nodes, RPCs, actions, | |||
or notifications, and thus the security consideration for such | or notifications, and thus, the security considerations for such | |||
is not provided here.</t> | are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-encryption-algs" Module</name> | <name>Considerations for the "iana-ssh-encryption-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | <t>This section is modeled after the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | |||
<t>The "iana-ssh-encryption-algs" YANG module defines a data model | <t>The "iana-ssh-encryption-algs" YANG module defines a data model | |||
that is designed to be accessed via YANG based management | that is designed to be accessed via YANG-based management | |||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication.</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/> | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>This YANG module defines YANG enumerations, for a public IANA-maintained | <t>This YANG module defines YANG enumerations for a public IANA-maintained | |||
registry.</t> | registry.</t> | |||
<t>YANG enumerations are not security-sensitive, as they are statically | <t>YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module.</t> | defined in the publicly accessible YANG module.</t> | |||
<t>This module does not define any writable-nodes, RPCs, actions, | <t>This module does not define any writable nodes, RPCs, actions, | |||
or notifications, and thus the security consideration for such | or notifications, and thus, the security considerations for such | |||
is not provided here.</t> | are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-mac-algs" Module</name> | <name>Considerations for the "iana-ssh-mac-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | <t>This section is modeled after the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | |||
<t>The "iana-ssh-mac-algs" YANG module defines a data model | <t>The "iana-ssh-mac-algs" YANG module defines a data model | |||
that is designed to be accessed via YANG based management | that is designed to be accessed via YANG-based management | |||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication.</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/> | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>This YANG module defines YANG enumerations, for a public IANA-maintained | <t>This YANG module defines YANG enumerations for a public IANA-maintained | |||
registry.</t> | registry.</t> | |||
<t>YANG enumerations are not security-sensitive, as they are statically | <t>YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module.</t> | defined in the publicly accessible YANG module.</t> | |||
<t>This module does not define any writable-nodes, RPCs, actions, | <t>This module does not define any writable nodes, RPCs, actions, | |||
or notifications, and thus the security consideration for such | or notifications, and thus, the security considerations for such | |||
is not provided here.</t> | are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-public-key-algs" Module</name> | <name>Considerations for the "iana-ssh-public-key-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | <t>This section is modeled after the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | |||
<t>The "iana-ssh-public-key-algs" YANG module defines a data model | <t>The "iana-ssh-public-key-algs" YANG module defines a data model | |||
that is designed to be accessed via YANG based management | that is designed to be accessed via YANG-based management | |||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication.</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/> | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>This YANG module defines YANG enumerations, for a public IANA-maintained | <t>This YANG module defines YANG enumerations for a public IANA-maintained | |||
registry.</t> | registry.</t> | |||
<t>YANG enumerations are not security-sensitive, as they are statically | <t>YANG enumerations are not security-sensitive, as they are statically | |||
defined in the publicly-accessible YANG module.</t> | defined in the publicly accessible YANG module.</t> | |||
<t>This module does not define any writable-nodes, RPCs, actions, | <t>This module does not define any writable nodes, RPCs, actions, | |||
or notifications, and thus the security consideration for such | or notifications, and thus, the security considerations for such | |||
is not provided here.</t> | are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "ietf-ssh-common" YANG Module</name> | <name>Considerations for the "ietf-ssh-common" YANG Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | <t>This section is modeled after the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | |||
<t>The "ietf-ssh-common" YANG module defines "grouping" statements | <t>The "ietf-ssh-common" YANG module defines a data model that is designed | |||
that are designed to be accessed via YANG based management | to be accessed via YANG-based management | |||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication.</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/> | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>Please be aware that this YANG module uses groupings from | <t>Please be aware that this YANG module uses groupings from | |||
other YANG modules that define nodes that may be considered | other YANG modules that define nodes that may be considered | |||
sensitive or vulnerable in network environments. Please | sensitive or vulnerable in network environments. Please | |||
review the Security Considerations for dependent YANG modules | review the security considerations for dependent YANG modules | |||
for information as to which nodes may be considered sensitive | for information as to which nodes may be considered sensitive | |||
or vulnerable in network environments.</t> | or vulnerable in network environments.</t> | |||
<t>None of the readable data nodes defined in this YANG module are | <t>None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. | considered sensitive or vulnerable in network environments. | |||
The NACM "default-deny-all" extension has not been set for | The NACM "default-deny-all" extension has not been set for | |||
any data nodes defined in this module.</t> | any data nodes defined in this module.</t> | |||
<t>None of the writable data nodes defined in this YANG module are | <t>None of the writable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. | considered sensitive or vulnerable in network environments. | |||
The NACM "default-deny-write" extension has not been set for | The NACM "default-deny-write" extension has not been set for | |||
any data nodes defined in this module.</t> | any data nodes defined in this module.</t> | |||
<t>This module defines the RPC "generate-asymmetric-key-pair" that may, if | <t>This module defines the "generate-asymmetric-key-pair" RPC, which may, if | |||
the "ct:cleartext-private-keys" feature is enabled, and the client | the "ct:cleartext-private-keys" feature is enabled and the client | |||
requests it, return the private key in cleartext form. It is | requests it, return the private key in cleartext form. It is | |||
NOT RECOMMENDED for private keys to pass the server's security | <bcp14>NOT RECOMMENDED</bcp14> for private keys to pass the server's security | |||
perimeter.</t> | perimeter.</t> | |||
<t>This module does not define any actions or notifications, | <t>This module does not define any actions or notifications, | |||
and thus the security consideration for such is not provided here.</t> | and thus, the security considerations for such are not provided here.</t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "ietf-ssh-client" YANG Module</name> | <name>Considerations for the "ietf-ssh-client" YANG Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | <t>This section is modeled after the template defined in <xref section="3.7.1" target="RFC8407"/>.</t> | |||
<t>The "ietf-ssh-client" YANG module defines "grouping" statements | <t>The "ietf-ssh-client" YANG module defines "grouping" statements that | |||
that are designed to be accessed via YANG based management | are designed | |||
to be accessed via YANG-based management | ||||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication.</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="R | ||||
FC8341"/> | ||||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>Please be aware that this YANG module uses groupings from | <t>Please be aware that this YANG module uses groupings from | |||
other YANG modules that define nodes that may be considered | other YANG modules that define nodes that may be considered | |||
sensitive or vulnerable in network environments. Please | sensitive or vulnerable in network environments. Please | |||
review the Security Considerations for dependent YANG modules | review the security considerations for dependent YANG modules | |||
for information as to which nodes may be considered sensitive | for information as to which nodes may be considered sensitive | |||
or vulnerable in network environments.</t> | or vulnerable in network environments.</t> | |||
<t>One readable data node defined in this YANG module may be considered | <t>One readable data node defined in this YANG module may be considered | |||
sensitive or vulnerable in some network environments. This | sensitive or vulnerable in some network environments. This | |||
node is as follows: | node is as follows: | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>The "client-identity/password" node: | <t>The "client-identity/password" node: | |||
</t> | </t> | |||
skipping to change at line 2531 ¶ | skipping to change at line 2470 ¶ | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t>All the writable data nodes defined by this module may be | <t>All the writable data nodes defined by this module may be | |||
considered sensitive or vulnerable in some network environments. | considered sensitive or vulnerable in some network environments. | |||
For instance, any modification to a key or reference to a key | For instance, any modification to a key or reference to a key | |||
may dramatically alter the implemented security policy. For | may dramatically alter the implemented security policy. For | |||
this reason, the NACM extension "default-deny-write" has been | this reason, the NACM extension "default-deny-write" has been | |||
set for all data nodes defined in this module.</t> | set for all data nodes defined in this module.</t> | |||
<t>This module does not define any RPCs, actions, or notifications, | <t>This module does not define any RPCs, actions, or notifications, | |||
and thus the security consideration for such is not provided here.</t> | and thus, the security considerations for such are not provided here.< /t> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "ietf-ssh-server" YANG Module</name> | <name>Considerations for the "ietf-ssh-server" YANG Module</name> | |||
<t>This section follows the template defined in <xref section="3.7.1" ta | <t>This section is modeled after the template defined in <xref section=" | |||
rget="RFC8407"/>.</t> | 3.7.1" target="RFC8407"/>.</t> | |||
<t>The "ietf-ssh-server" YANG module defines "grouping" statements | <t>The "ietf-ssh-server" YANG module defines "grouping" statements that | |||
that are designed to be accessed via YANG based management | are designed | |||
to be accessed via YANG-based management | ||||
protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF | |||
<xref target="RFC8040"/>. Both of these protocols have | <xref target="RFC8040"/>. These | |||
mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
with mutual authentication.</t> | Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and | |||
<t>The Network Access Control Model (NACM) <xref target="RFC8341"/> | QUIC <xref target="RFC9000"/>) and | |||
mandatory-to-implement mutual authentication.</t> | ||||
<t>The Network Configuration Access Control Model (NACM) <xref target="R | ||||
FC8341"/> | ||||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
pre-configured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content.</t> | content.</t> | |||
<t>Please be aware that this YANG module uses groupings from | <t>Please be aware that this YANG module uses groupings from | |||
other YANG modules that define nodes that may be considered | other YANG modules that define nodes that may be considered | |||
sensitive or vulnerable in network environments. Please | sensitive or vulnerable in network environments. Please | |||
review the Security Considerations for dependent YANG modules | review the security considerations for dependent YANG modules | |||
for information as to which nodes may be considered sensitive | for information as to which nodes may be considered sensitive | |||
or vulnerable in network environments.</t> | or vulnerable in network environments.</t> | |||
<t>None of the readable data nodes defined in this YANG module are | <t>None of the readable data nodes defined in this YANG module are | |||
considered sensitive or vulnerable in network environments. | considered sensitive or vulnerable in network environments. | |||
The NACM "default-deny-all" extension has not been set for | The NACM "default-deny-all" extension has not been set for | |||
any data nodes defined in this module.</t> | any data nodes defined in this module.</t> | |||
<t>All the writable data nodes defined by this module may be | <t>All the writable data nodes defined by this module may be | |||
considered sensitive or vulnerable in some network environments. | considered sensitive or vulnerable in some network environments. | |||
For instance, the addition or removal of references to keys, | For instance, the addition or removal of references to keys, | |||
certificates, trusted anchors, etc., or even the modification | certificates, trusted anchors, etc., or even the modification | |||
of transport or keepalive parameters can dramatically alter | of transport or keepalive parameters can dramatically alter | |||
the implemented security policy. For this reason, the NACM | the implemented security policy. For this reason, the NACM | |||
extension "default-deny-write" has been set for all data nodes | extension "default-deny-write" has been set for all data nodes | |||
defined in this module.</t> | defined in this module.</t> | |||
<t>This module does not define any RPCs, actions, or notifications, | <t>This module does not define any RPCs, actions, or notifications, | |||
and thus the security consideration for such is not provided here.</t> | and thus, the security considerations for such are not provided here.< /t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
<section> | <section> | |||
<name>The "IETF XML" Registry</name> | <name>The IETF XML Registry</name> | |||
<t>This document registers seven URIs in the "ns" subregistry of the | <t>IANA has registered seven URIs in the "ns" registry of the | |||
IETF XML Registry <xref target="RFC3688"/>. Following the format in | "IETF XML Registry" <xref target="RFC3688"/> as follows.</t> | |||
<xref target="RFC3688"/>, the following registrations are | <dl newline="false" spacing="compact"> | |||
requested:</t> | <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs</dd> | |||
<artwork><![CDATA[ | <dt>Registrant Contact:</dt> <dd>The IESG</dd> | |||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs | <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | |||
Registrant Contact: The IESG | </dl> | |||
XML: N/A, the requested URI is an XML namespace. | <dl newline="false" spacing="compact"> | |||
<dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs</dd> | ||||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs | <dt>Registrant Contact:</dt> <dd>The IESG</dd> | |||
Registrant Contact: The IESG | <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | |||
XML: N/A, the requested URI is an XML namespace. | </dl> | |||
<dl newline="false" spacing="compact"> | ||||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs | <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs</dd> | |||
Registrant Contact: The IESG | <dt>Registrant Contact:</dt> <dd>The IESG</dd> | |||
XML: N/A, the requested URI is an XML namespace. | <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | |||
</dl> | ||||
URI: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs | <dl newline="false" spacing="compact"> | |||
Registrant Contact: The IESG | <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs</dd> | |||
XML: N/A, the requested URI is an XML namespace. | <dt>Registrant Contact:</dt> <dd>The IESG</dd> | |||
<dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-ssh-common | </dl> | |||
Registrant Contact: The IESG | <dl newline="false" spacing="compact"> | |||
XML: N/A, the requested URI is an XML namespace. | <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ssh-common</dd> | |||
<dt>Registrant Contact:</dt> <dd>The IESG</dd> | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-ssh-client | <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | |||
Registrant Contact: The IESG | </dl> | |||
XML: N/A, the requested URI is an XML namespace. | <dl newline="false" spacing="compact"> | |||
<dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ssh-client</dd> | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-ssh-server | <dt>Registrant Contact:</dt> <dd>The IESG</dd> | |||
Registrant Contact: The IESG | <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | |||
XML: N/A, the requested URI is an XML namespace. | </dl> | |||
]]></artwork> | <dl newline="false" spacing="compact"> | |||
<dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ssh-server</dd> | ||||
<dt>Registrant Contact:</dt> <dd>The IESG</dd> | ||||
<dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> | ||||
</dl> | ||||
</section> | </section> | |||
<section> | <section> | |||
<name>The "YANG Module Names" Registry</name> | <name>The YANG Module Names Registry</name> | |||
<t>This document registers seven YANG modules in the YANG Module Names | <t>IANA has registered seven YANG modules in the "YANG Module Names" | |||
registry <xref target="RFC6020"/>. Following the format in <xref target= | registry <xref target="RFC6020"/> as follows.</t> | |||
"RFC6020"/>, the following registrations are requested:</t> | <dl newline="false" spacing="compact"> | |||
<artwork><![CDATA[ | <dt>Name:</dt> <dd>iana-ssh-key-exchange-algs</dd> | |||
name: iana-ssh-key-exchange-algs | <dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-alg | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs | s</dd> | |||
prefix: sshkea | <dt>Prefix:</dt> <dd>sshkea</dd> | |||
reference: RFC EEEE | <dt>Reference:</dt> <dd>RFC 9644</dd> | |||
</dl> | ||||
name: iana-ssh-encryption-algs | <dl newline="false" spacing="compact"> | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs | <dt>Name:</dt> <dd>iana-ssh-encryption-algs</dd> | |||
prefix: sshea | <dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs< | |||
reference: RFC EEEE | /dd> | |||
<dt>Prefix:</dt> <dd>sshea</dd> | ||||
name: iana-ssh-mac-algs | <dt>Reference:</dt> <dd>RFC 9644</dd> | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs | </dl> | |||
prefix: sshma | <dl newline="false" spacing="compact"> | |||
reference: RFC EEEE | <dt>Name:</dt> <dd>iana-ssh-mac-algs</dd> | |||
<dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs</dd> | ||||
name: iana-ssh-public-key-algs | <dt>Prefix:</dt> <dd>sshma</dd> | |||
namespace: urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs | <dt>Reference:</dt> <dd>RFC 9644</dd> | |||
prefix: sshpka | </dl> | |||
reference: RFC EEEE | <dl newline="false" spacing="compact"> | |||
<dt>Name:</dt> <dd>iana-ssh-public-key-algs</dd> | ||||
name: ietf-ssh-common | <dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs< | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-common | /dd> | |||
prefix: sshcmn | <dt>Prefix:</dt> <dd>sshpka</dd> | |||
reference: RFC EEEE | <dt>Reference:</dt> <dd>RFC 9644</dd> | |||
</dl> | ||||
name: ietf-ssh-client | <dl newline="false" spacing="compact"> | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-client | <dt>Name:</dt> <dd>ietf-ssh-common</dd> | |||
prefix: sshc | <dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ssh-common</dd> | |||
reference: RFC EEEE | <dt>Prefix:</dt> <dd>sshcmn</dd> | |||
<dt>Reference:</dt> <dd>RFC 9644</dd> | ||||
name: ietf-ssh-server | </dl> | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-ssh-server | <dl newline="false" spacing="compact"> | |||
prefix: sshs | <dt>Name:</dt> <dd>ietf-ssh-client</dd> | |||
reference: RFC EEEE | <dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ssh-client</dd> | |||
]]></artwork> | <dt>Prefix:</dt> <dd>sshc</dd> | |||
<dt>Reference:</dt> <dd>RFC 9644</dd> | ||||
</dl> | ||||
<dl newline="false" spacing="compact"> | ||||
<dt>Name:</dt> <dd>ietf-ssh-server</dd> | ||||
<dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ssh-server</dd> | ||||
<dt>Prefix:</dt> <dd>sshs</dd> | ||||
<dt>Reference:</dt> <dd>RFC 9644</dd> | ||||
</dl> | ||||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-encryption-algs" Module</name> | <name>Considerations for the "iana-ssh-encryption-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | <t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | |||
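Review bot: the right-hand column (the published text) still cites a section number, 4.30.3.1, inside I-D.ietf-netmod-rfc8407bis, a draft whose section numbering can move between revisions; the same xref recurs in the three "Considerations for the ... Module" subsections that follow. Consider citing the draft without a section number, or stating which draft revision the number applies to.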
<t>This document presents a script (see <xref target="iana-script"/>) fo r | <t>This document presents a script (see <xref target="iana-script"/>) fo r | |||
IANA to use to generate the IANA-maintained "iana-ssh-encryption-algs" YANG module. | IANA to use to generate the IANA-maintained "iana-ssh-encryption-algs" YANG module. | |||
The most recent version of the YANG module is available from the "YANG | The most recent version of the YANG module is available in the "YANG P | |||
Parameters" | arameters" | |||
registry <xref target="IANA-YANG-PARAMETERS"/>.</t> | registry group <xref target="IANA-YANG-PARAMETERS"/>.</t> | |||
<t>IANA is requested to add the following note to the registry:</t> | <t>IANA has added the following note to the registry:</t> | |||
<blockquote>New values must not be directly added to the "iana-ssh-encry ption-algs" | <blockquote>New values must not be directly added to the "iana-ssh-encry ption-algs" | |||
YANG module. They must instead be added to the "Encryption Algorithm | YANG module. They must instead be added to the "Encryption Algorithm | |||
Names" sub-registry of the | Names" registry of the | |||
"Secure Shell (SSH) Protocol Parameters" registry <xref target="IANA-E | "Secure Shell (SSH) Protocol Parameters" registry group <xref target=" | |||
NC-ALGS"/>.</blockquote> | IANA-ENC-ALGS"/>.</blockquote> | |||
<t>When a value is added to the "Encryption Algorithm Names" sub-registr | <t>When a value is added to the "Encryption Algorithm Names" registry, a | |||
y, a new "enum" | new "enum" | |||
statement must be added to the "iana-ssh-encryption-algs" YANG module. The | statement must be added to the "iana-ssh-encryption-algs" YANG module. The | |||
"enum" statement, and sub-statements thereof, should be defined as fol lows:</t> | "enum" statement, and substatements thereof, should be defined as foll ows:</t> | |||
<dl newline="true"> | <dl newline="true"> | |||
<dt>enum</dt> | <dt>enum</dt> | |||
<dd>Replicates a name from the registry.</dd> | <dd>Replicates a name from the registry.</dd> | |||
<dt>value</dt> | <dt>value</dt> | |||
<dd>Contains the decimal value of the IANA-assigned value.</dd> | <dd>Contains the decimal value of the IANA-assigned value.</dd> | |||
<dt>status</dt> | <dt>status</dt> | |||
<dd>Include only if a registration has been deprecated or obsoleted. | <dd>Include only if a registration has been deprecated or obsoleted. | |||
An IANA "Note" containing the word "HISTORIC" maps to YANG status "o bsolete". | An IANA "Note" containing the word "HISTORIC" maps to YANG status "o bsolete". | |||
Since the registry is unable to express a "SHOULD NOT" recommendatio n, | Since the registry is unable to express a "<bcp14>SHOULD NOT</bcp14> " recommendation, | |||
there is no mapping to YANG status "deprecated".</dd> | there is no mapping to YANG status "deprecated".</dd> | |||
<dt>description</dt> | <dt>description</dt> | |||
<dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | <dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | |||
a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | |||
<dt>reference</dt> | <dt>reference</dt> | |||
<dd>Replicates the reference(s) from the registry with the title of th e | <dd>Replicates the reference(s) from the registry with the title of th e | |||
document(s) added.</dd> | document(s) added.</dd> | |||
</dl> | </dl> | |||
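Review bot: the "value" entry of the template ("Contains the decimal value of the IANA-assigned value") does not match the registry this subsection maps from: the "Encryption Algorithm Names" registry assigns names, and the "enum" entry just above says "Replicates a name from the registry", so it is unclear what decimal value an "enum" should carry. Either drop the "value" entry for the name registries or say it is omitted when the registry assigns no number; the same template text recurs in the "iana-ssh-mac-algs" and "iana-ssh-public-key-algs" subsections.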
<t>Unassigned or reserved values are not present in the module.</t> | <t>Unassigned or reserved values are not present in the module.</t> | |||
<t>When the "iana-ssh-encryption-algs" YANG module is updated, a new "re vision" statement | <t>When the "iana-ssh-encryption-algs" YANG module is updated, a new "re vision" statement | |||
with a unique revision date must be added in front of the existing rev ision statements. | with a unique revision date must be added in front of the existing rev ision statements. | |||
The "revision" must have a "description" statement explaining why the | The "revision" must have a "description" statement explaining why the | |||
the update occurred, and must have a "reference" substatement that poi nts to the | update occurred and must have a "reference" substatement that points t o the | |||
document defining the registry update that resulted in this change. Fo r instance:</t> | document defining the registry update that resulted in this change. Fo r instance:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yang"><![CDATA[ | |||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
}]]></artwork> | }]]></sourcecode> | |||
<t>IANA is requested to add the following note to the "Encryption Algori | <t>IANA has added the following note to the "Encryption Algorithm Names" | |||
thm Names" | registry.</t> | |||
sub-registry.</t> | ||||
<blockquote>When this registry is modified, the YANG module "iana-ssh-en cryption-algs" | <blockquote>When this registry is modified, the YANG module "iana-ssh-en cryption-algs" | |||
<xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C EEEE.</blockquote> | <xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C 9644.</blockquote> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-mac-algs" Module</name> | <name>Considerations for the "iana-ssh-mac-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | <t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | |||
<t>This document presents a script (see <xref target="iana-script"/>) fo r | <t>This document presents a script (see <xref target="iana-script"/>) fo r | |||
IANA to use to generate the IANA-maintained "iana-ssh-mac-algs" YANG m odule. | IANA to use to generate the IANA-maintained "iana-ssh-mac-algs" YANG m odule. | |||
The most recent version of the YANG module is available from the "YANG | The most recent version of the YANG module is available in the "YANG P | |||
Parameters" | arameters" | |||
registry <xref target="IANA-YANG-PARAMETERS"/>.</t> | registry group <xref target="IANA-YANG-PARAMETERS"/>.</t> | |||
<t>IANA is requested to add the following note to the registry:</t> | <t>IANA has added the following note to the registry:</t> | |||
<blockquote>New values must not be directly added to the "iana-ssh-mac-a lgs" | <blockquote>New values must not be directly added to the "iana-ssh-mac-a lgs" | |||
YANG module. They must instead be added to the "MAC Algorithm Names" | YANG module. They must instead be added to the "MAC Algorithm Names" | |||
sub-registry of the | registry of the | |||
"Secure Shell (SSH) Protocol Parameters" registry <xref target="IANA-M | "Secure Shell (SSH) Protocol Parameters" registry group <xref target=" | |||
AC-ALGS"/>.</blockquote> | IANA-MAC-ALGS"/>.</blockquote> | |||
<t>When a value is added to the "MAC Algorithm Names" sub-registry, a ne | <t>When a value is added to the "MAC Algorithm Names" registry, a new "e | |||
w "enum" | num" | |||
statement must be added to the "iana-ssh-mac-algs" YANG module. The | statement must be added to the "iana-ssh-mac-algs" YANG module. The | |||
"enum" statement, and sub-statements thereof, should be defined as fol lows:</t> | "enum" statement, and substatements thereof, should be defined as foll ows:</t> | |||
<dl newline="true"> | <dl newline="true"> | |||
<dt>enum</dt> | <dt>enum</dt> | |||
<dd>Replicates a name from the registry.</dd> | <dd>Replicates a name from the registry.</dd> | |||
<dt>value</dt> | <dt>value</dt> | |||
<dd>Contains the decimal value of the IANA-assigned value.</dd> | <dd>Contains the decimal value of the IANA-assigned value.</dd> | |||
<dt>status</dt> | <dt>status</dt> | |||
<dd>Include only if a registration has been deprecated or obsoleted.</ dd> | <dd>Include only if a registration has been deprecated or obsoleted.</ dd> | |||
<dt>description</dt> | <dt>description</dt> | |||
<dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | <dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | |||
a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | |||
<dt>reference</dt> | <dt>reference</dt> | |||
<dd>Replicates the reference(s) from the registry with the title of th e | <dd>Replicates the reference(s) from the registry with the title of th e | |||
document(s) added.</dd> | document(s) added.</dd> | |||
</dl> | </dl> | |||
<t>Unassigned or reserved values are not present in the module.</t> | <t>Unassigned or reserved values are not present in the module.</t> | |||
<t>When the "iana-ssh-mac-algs" YANG module is updated, a new "revision" statement | <t>When the "iana-ssh-mac-algs" YANG module is updated, a new "revision" statement | |||
with a unique revision date must be added in front of the existing rev ision statements. | with a unique revision date must be added in front of the existing rev ision statements. | |||
The "revision" must have a "description" statement explaining why the | The "revision" must have a "description" statement explaining why the | |||
the update occurred, and must have a "reference" substatement that poi nts to the | update occurred and must have a "reference" substatement that points t o the | |||
document defining the registry update that resulted in this change. Fo r instance:</t> | document defining the registry update that resulted in this change. Fo r instance:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yang"><![CDATA[ | |||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
}]]></artwork> | }]]></sourcecode> | |||
<t>IANA is requested to add the following note to the "MAC Algorithm Nam | <t>IANA has added the following note to the "MAC Algorithm Names" regist | |||
es" sub-registry.</t> | ry.</t> | |||
<blockquote>When this registry is modified, the YANG module "iana-ssh-ma c-algs" | <blockquote>When this registry is modified, the YANG module "iana-ssh-ma c-algs" | |||
<xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C EEEE.</blockquote> | <xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C 9644.</blockquote> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-public-key-algs" Module</name> | <name>Considerations for the "iana-ssh-public-key-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | <t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | |||
<t>This document presents a script (see <xref target="iana-script"/>) fo r | <t>This document presents a script (see <xref target="iana-script"/>) fo r | |||
IANA to use to generate the IANA-maintained "iana-ssh-public-key-algs" YANG module. | IANA to use to generate the IANA-maintained "iana-ssh-public-key-algs" YANG module. | |||
The most recent version of the YANG module is available from the "YANG | The most recent version of the YANG module is available in the "YANG P | |||
Parameters" | arameters" | |||
registry <xref target="IANA-YANG-PARAMETERS"/>.</t> | registry group <xref target="IANA-YANG-PARAMETERS"/>.</t> | |||
<t>IANA is requested to add the following note to the registry:</t> | <t>IANA has added the following note to the registry:</t> | |||
<blockquote>New values must not be directly added to the "iana-ssh-publi c-key-algs" | <blockquote>New values must not be directly added to the "iana-ssh-publi c-key-algs" | |||
YANG module. They must instead be added to the "Public Key Algorithm | YANG module. They must instead be added to the "Public Key Algorithm | |||
Names" sub-registry of the | Names" registry of the | |||
"Secure Shell (SSH) Protocol Parameters" registry <xref target="IANA-P | "Secure Shell (SSH) Protocol Parameters" registry group <xref target=" | |||
UBKEY-ALGS"/>.</blockquote> | IANA-PUBKEY-ALGS"/>.</blockquote> | |||
<t>When a value is added to the "Public Key Algorithm Names" sub-registr | <t>When a value is added to the "Public Key Algorithm Names" registry, a | |||
y, a new "enum" | new "enum" | |||
statement must be added to the "iana-ssh-public-key-algs" YANG module. The | statement must be added to the "iana-ssh-public-key-algs" YANG module. The | |||
"enum" statement, and sub-statements thereof, should be defined as fol lows:</t> | "enum" statement, and substatements thereof, should be defined as foll ows:</t> | |||
<dl newline="true"> | <dl newline="true"> | |||
<dt>enum</dt> | <dt>enum</dt> | |||
<dd>Replicates a name from the registry.</dd> | <dd>Replicates a name from the registry.</dd> | |||
<dt>value</dt> | <dt>value</dt> | |||
<dd>Contains the decimal value of the IANA-assigned value.</dd> | <dd>Contains the decimal value of the IANA-assigned value.</dd> | |||
<dt>status</dt> | <dt>status</dt> | |||
<dd>Include only if a registration has been deprecated or obsoleted.</ dd> | <dd>Include only if a registration has been deprecated or obsoleted.</ dd> | |||
<dt>description</dt> | <dt>description</dt> | |||
<dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | <dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | |||
a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | |||
<dt>reference</dt> | <dt>reference</dt> | |||
<dd>Replicates the reference(s) from the registry with the title of th e | <dd>Replicates the reference(s) from the registry with the title of th e | |||
document(s) added.</dd> | document(s) added.</dd> | |||
</dl> | </dl> | |||
<t>In the case that the algorithm name ends with "-*", the familiy of en | <t>In the case that the algorithm name ends with "-*", the family of enu | |||
umerations | merations | |||
must be added. The familiy of enum algorithm names are generated by r | must be added. The family of enum algorithm names are generated by re | |||
eplacing | placing | |||
the '*' character with these strings: "nistp256", "nistp384", "nistp52 | the "*" character with these strings: "nistp256", "nistp384", "nistp52 | |||
1", | 1", | |||
"1.3.132.0.1", "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | "1.3.132.0.1", "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | |||
"1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and "1 .3.132.0.38".</t> | "1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and "1 .3.132.0.38".</t> | |||
<t>Unassigned or reserved values are not present in the module.</t> | <t>Unassigned or reserved values are not present in the module.</t> | |||
<t>When the "iana-ssh-public-key-algs" YANG module is updated, a new "re vision" statement | <t>When the "iana-ssh-public-key-algs" YANG module is updated, a new "re vision" statement | |||
with a unique revision date must be added in front of the existing rev ision statements. | with a unique revision date must be added in front of the existing rev ision statements. | |||
The "revision" must have a "description" statement explaining why the | The "revision" must have a "description" statement explaining why the | |||
the update occurred, and must have a "reference" substatement that poi nts to the | update occurred and must have a "reference" substatement that points t o the | |||
document defining the registry update that resulted in this change. Fo r instance:</t> | document defining the registry update that resulted in this change. Fo r instance:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yang"><![CDATA[ | |||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
}]]></artwork> | }]]></sourcecode> | |||
<t>IANA is requested to add the following note to the "Public Key Algori | <t>IANA has added the following note to the "Public Key Algorithm Names" | |||
thm Names" sub-registry.</t> | registry.</t> | |||
<blockquote>When this registry is modified, the YANG module "iana-ssh-pu blic-key-algs" | <blockquote>When this registry is modified, the YANG module "iana-ssh-pu blic-key-algs" | |||
<xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C EEEE.</blockquote> | <xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C 9644.</blockquote> | |||
</section> | </section> | |||
<section> | <section> | |||
<name>Considerations for the "iana-ssh-key-exchange-algs" Module</name> | <name>Considerations for the "iana-ssh-key-exchange-algs" Module</name> | |||
<t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | <t>This section follows the template defined in <xref section="4.30.3.1" target="I-D.ietf-netmod-rfc8407bis"/>.</t> | |||
<t>This document presents a script (see <xref target="iana-script"/>) fo r | <t>This document presents a script (see <xref target="iana-script"/>) fo r | |||
IANA to use to generate the IANA-maintained "iana-ssh-key-exchange-alg s" YANG module. | IANA to use to generate the IANA-maintained "iana-ssh-key-exchange-alg s" YANG module. | |||
The most recent version of the YANG module is available from the "YANG | The most recent version of the YANG module is available in the "YANG P | |||
Parameters" | arameters" | |||
registry <xref target="IANA-YANG-PARAMETERS"/>.</t> | registry group <xref target="IANA-YANG-PARAMETERS"/>.</t> | |||
<t>IANA is requested to add the following note to the registry:</t> | <t>IANA has added the following note to the registry:</t> | |||
<blockquote>New values must not be directly added to the "iana-ssh-key-e xchange-algs" | <blockquote>New values must not be directly added to the "iana-ssh-key-e xchange-algs" | |||
YANG module. They must instead be added to the "Key Exchange Method N | YANG module. They must instead be added to the "Key Exchange Method N | |||
ames" sub-registry of the | ames" registry of the | |||
"Secure Shell (SSH) Protocol Parameters" registry <xref target="IANA-K | "Secure Shell (SSH) Protocol Parameters" registry group <xref target=" | |||
EYEX-ALGS"/>.</blockquote> | IANA-KEYEX-ALGS"/>.</blockquote> | |||
<t>When a value is added to the "Key Exchange Method Names" sub-registry | <t>When a value is added to the "Key Exchange Method Names" registry, a | |||
, a new | new | |||
"enum" statement must be added to the "iana-ssh-key-exchange-algs" YAN G module. | "enum" statement must be added to the "iana-ssh-key-exchange-algs" YAN G module. | |||
The "enum" statement, and sub-statements thereof, should be defined as follows:</t> | The "enum" statement, and substatements thereof, should be defined as follows:</t> | |||
<dl newline="true"> | <dl newline="true"> | |||
<dt>enum</dt> | <dt>enum</dt> | |||
<dd>Replicates a name from the registry.</dd> | <dd>Replicates a name from the registry.</dd> | |||
<dt>value</dt> | <dt>value</dt> | |||
<dd>Contains the decimal value of the IANA-assigned value.</dd> | <dd>Contains the decimal value of the IANA-assigned value.</dd> | |||
<dt>status</dt> | <dt>status</dt> | |||
<dd>Include only if a registration has been deprecated or obsoleted. | <dd>Include only if a registration has been deprecated or obsoleted. | |||
An IANA "OK to Implement" containing "SHOULD NOT" maps to YANG stat | An IANA "OK to Implement" containing "<bcp14>SHOULD NOT</bcp14>" ma | |||
us "deprecated". | ps to YANG status "deprecated". | |||
An IANA "OK to Implement" containing "MUST NOT" maps to YANG status | An IANA "OK to Implement" containing "<bcp14>MUST NOT</bcp14>" maps | |||
"obsolete".</dd> | to YANG status "obsolete".</dd> | |||
<dt>description</dt> | <dt>description</dt> | |||
<dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | <dd>Contains "Enumeration for the 'foo-bar' algorithm.", where "foo-ba r" is | |||
a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | a placeholder for the algorithm's name (e.g., "3des-cbc").</dd> | |||
<dt>reference</dt> | <dt>reference</dt> | |||
<dd>Replicates the reference(s) from the registry with the title of th e | <dd>Replicates the reference(s) from the registry with the title of th e | |||
document(s) added.</dd> | document(s) added.</dd> | |||
</dl> | </dl> | |||
<t>In the case that the algorithm name ends with "-*", the familiy of en | <t>In the case that the algorithm name ends with "-*", the family of enu | |||
umerations | merations | |||
must be added. The familiy of enum algorithm names are generated by r | must be added. The family of enum algorithm names are generated by re | |||
eplacing | placing | |||
the '*' character with these strings: "nistp256", "nistp384", "nistp52 | the "*" character with these strings: "nistp256", "nistp384", "nistp52 | |||
1", | 1", | |||
"1.3.132.0.1", "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | "1.3.132.0.1", "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26", | |||
"1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and "1 .3.132.0.38".</t> | "1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37", and "1 .3.132.0.38".</t> | |||
<t>Unassigned or reserved values are not present in the module.</t> | <t>Unassigned or reserved values are not present in the module.</t> | |||
<t>When the "iana-ssh-key-exchange-algs" YANG module is updated, a new " revision" statement | <t>When the "iana-ssh-key-exchange-algs" YANG module is updated, a new " revision" statement | |||
with a unique revision date must be added in front of the existing rev ision statements. | with a unique revision date must be added in front of the existing rev ision statements. | |||
The "revision" must have a "description" statement explaining why the | The "revision" must have a "description" statement explaining why the | |||
the update occurred, and must have a "reference" substatement that poi nts to the | update occurred, and must have a "reference" substatement that points to the | |||
document defining the registry update that resulted in this change. Fo r instance:</t> | document defining the registry update that resulted in this change. Fo r instance:</t> | |||
<artwork><![CDATA[ | <sourcecode type="yang"><![CDATA[ | |||
revision 2024-02-02 { | revision 2024-02-02 { | |||
description | description | |||
"This update reflect the update made to the underlying | "This update reflects the update made to the underlying | |||
Foo Bar registry per RFC XXXX."; | Foo Bar registry per RFC XXXX."; | |||
reference | reference | |||
"RFC XXXX: Extend the Foo Bars Registry | "RFC XXXX: Extend the Foo Bars Registry | |||
to Support Something Important"; | to Support Something Important"; | |||
}]]></artwork> | }]]></sourcecode> | |||
<t>IANA is requested to add the following note to the "Key Exchange Meth | <t>IANA has added the following note to the "Key Exchange Method Names" | |||
od Names" sub-registry.</t> | registry.</t> | |||
<blockquote>When this registry is modified, the YANG module "iana-ssh-ke y-exchange-algs" | <blockquote>When this registry is modified, the YANG module "iana-ssh-ke y-exchange-algs" | |||
<xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C EEEE.</blockquote> | <xref target="IANA-YANG-PARAMETERS"/> must be updated as defined in RF C 9644.</blockquote> | |||
</section> | </section> | |||
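Review bot: the placeholder in the "description" item of this section (the "e.g., "3des-cbc"" in the key-exchange hunk) is an encryption algorithm name, not a name from the "Key Exchange Method Names" registry that the section governs; a key exchange method name, for instance one of the ecdh-sha2 names that the "-*" paragraph below this list builds with the "nistp256", "nistp384" and "nistp521" strings, would match the registry being described. A smaller consistency point: the right-hand text keeps the comma in "why the update occurred, and must have a "reference" substatement" here, while the same sentence in the public-key section above drops it.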
</section> | </section> | |||
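The enum-generation rules are stated twice above, once for "iana-ssh-public-key-algs" and once for "iana-ssh-key-exchange-algs", and they are identical: replicate the registry name, map "OK to Implement" to a YANG "status", fix the "description" wording, copy the reference(s) with titles added, expand a "-*" name into its family, skip unassigned or reserved rows, and prepend a "revision" statement on each update. The following Python is an added example serving both sections; it is not the script the RFC itself provides for IANA, and the registry rows, their "OK to Implement" values, the title lookup table and the function names are all constructed for illustration rather than copied from the live registries.

```python
"""Added example (not the RFC's IANA script): render YANG "enum" statements
for an IANA-maintained SSH algorithm module from registry rows, following the
rules given in the IANA Considerations for "iana-ssh-public-key-algs" and
"iana-ssh-key-exchange-algs".  Rows, "OK to Implement" values and titles
below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The strings that replace the "*" of a "-*" family name, as listed in the text.
STAR_REPLACEMENTS: Tuple[str, ...] = (
    "nistp256", "nistp384", "nistp521",
    "1.3.132.0.1", "1.2.840.10045.3.1.1", "1.3.132.0.33", "1.3.132.0.26",
    "1.3.132.0.27", "1.3.132.0.16", "1.3.132.0.36", "1.3.132.0.37",
    "1.3.132.0.38",
)

# Constructed title table: the "reference" substatement must carry the title
# of each cited document, which the registry row alone does not give.
TITLES = {
    "RFC 4253": "The Secure Shell (SSH) Transport Layer Protocol",
    "RFC 4432": "RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol",
    "RFC 5656": "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer",
    "RFC 8268": "More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH)",
}


@dataclass(frozen=True)
class RegistryRow:
    """One registry entry as a generator would read it from IANA's export.
    'ok_to_implement' is empty when the row carries no such column; 'value'
    is the numeric assignment, if the registry makes one."""
    name: str
    references: Tuple[str, ...]
    ok_to_implement: str = ""
    value: Optional[int] = None


def status_for(ok_to_implement: str) -> Optional[str]:
    """'MUST NOT' -> obsolete, 'SHOULD NOT' -> deprecated, otherwise no status."""
    text = ok_to_implement.upper()
    if "MUST NOT" in text:
        return "obsolete"
    if "SHOULD NOT" in text:
        return "deprecated"
    return None


def expand_family(name: str) -> List[str]:
    """A name ending in '-*' yields one enum name per replacement string."""
    if name.endswith("-*"):
        return [name[:-1] + suffix for suffix in STAR_REPLACEMENTS]
    return [name]


def is_unassigned(row: RegistryRow) -> bool:
    """Unassigned or reserved rows never produce an enum."""
    return row.name.strip().lower() in ("unassigned", "reserved")


def render_enum(name: str, row: RegistryRow, indent: str = "      ") -> str:
    """One 'enum' statement with value/status/description/reference substatements."""
    lines = [f"{indent}enum {name} {{"]
    if row.value is not None:
        lines.append(f"{indent}  value {row.value};")
    status = status_for(row.ok_to_implement)
    if status:
        lines.append(f"{indent}  status {status};")
    lines.append(f"{indent}  description")
    lines.append(f'{indent}    "Enumeration for the \'{name}\' algorithm.";')
    refs = "; ".join(f"{r}: {TITLES.get(r, 'title unknown')}" for r in row.references)
    lines.append(f"{indent}  reference")
    lines.append(f'{indent}    "{refs}";')
    lines.append(f"{indent}}}")
    return "\n".join(lines)


def render_enums(rows) -> List[str]:
    """All enum statements for the module, in registry order, families expanded."""
    out = []
    for row in rows:
        if is_unassigned(row):
            continue
        for name in expand_family(row.name):
            out.append(render_enum(name, row))
    return out


def render_revision(date: str, registry: str, rfc: str, title: str) -> str:
    """The 'revision' statement that must be prepended on each module update."""
    return "\n".join([
        f"  revision {date} {{",
        "    description",
        '      "This update reflects the update made to the underlying',
        f'       {registry} registry per {rfc}.";',
        "    reference",
        f'      "{rfc}: {title}";',
        "  }",
    ])


# Constructed sample rows in the shape of the "Key Exchange Method Names"
# registry; the "OK to Implement" values here are illustrative only.
SAMPLE_ROWS = (
    RegistryRow("diffie-hellman-group14-sha256", ("RFC 8268",)),
    RegistryRow("ecdh-sha2-*", ("RFC 5656",)),
    RegistryRow("diffie-hellman-group1-sha1", ("RFC 4253",), ok_to_implement="SHOULD NOT"),
    RegistryRow("rsa1024-sha1", ("RFC 4432",), ok_to_implement="MUST NOT"),
    RegistryRow("Reserved", ()),
)

if __name__ == "__main__":
    print("\n".join(render_enums(SAMPLE_ROWS)))
    print(render_revision("2024-02-02", "Key Exchange Method Names",
                          "RFC XXXX", "Extend the Foo Bars Registry"))
```

The family expansion multiplies a single "-*" registry row into twelve enums, so a generator must check "status" and "reference" once per row and then copy them to every member; doing it per enum name instead is how a deprecated family ends up with inconsistent statuses.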
</middle> | </middle> | |||
<back> | <back> | |||
<displayreference target="I-D.ietf-netmod-system-config" to="SYSTEM-CONFIG"/ | ||||
> | ||||
<displayreference target="I-D.ietf-netmod-rfc8407bis" to="YANG-GUIDE"/> | ||||
<displayreference target="I-D.ietf-netconf-http-client-server" to="HTTP-CLIENT-S | ||||
ERVER"/> | ||||
<displayreference target="I-D.ietf-netconf-netconf-client-server" to="NETCONF-CL | ||||
IENT-SERVER"/> | ||||
<displayreference target="I-D.ietf-netconf-restconf-client-server" to="RESTCONF- | ||||
CLIENT-SERVER"/> | ||||
<references> | <references> | |||
<name>References</name> | <name>References</name> | |||
<references> | <references> | |||
<name>Normative References</name> | <name>Normative References</name> | |||
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2 | ||||
119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.21 | |||
<front> | 19.xml"/> | |||
<title>Key words for use in RFCs to Indicate Requirement Levels</tit | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
le> | 50.xml"/> | |||
<author fullname="S. Bradner" initials="S." surname="Bradner"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
<date month="March" year="1997"/> | 51.xml"/> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
<t>In many standards track documents several words are used to sig | 52.xml"/> | |||
nify the requirements in the specification. These words are often capitalized. T | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
his document defines these words as they should be interpreted in IETF documents | 53.xml"/> | |||
. This document specifies an Internet Best Current Practices for the Internet Co | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42 | |||
mmunity, and requests discussion and suggestions for improvements.</t> | 54.xml"/> | |||
</abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.60 | |||
</front> | 20.xml"/> | |||
<seriesInfo name="BCP" value="14"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.61 | |||
<seriesInfo name="RFC" value="2119"/> | 87.xml"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC2119"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62 | |||
</reference> | 41.xml"/> | |||
<reference anchor="RFC4251" target="https://www.rfc-editor.org/info/rfc4 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62 | |||
251" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4251.xml"> | 42.xml"/> | |||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.69 | |||
<title>The Secure Shell (SSH) Protocol Architecture</title> | 91.xml"/> | |||
<author fullname="T. Ylonen" initials="T." surname="Ylonen"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.73 | |||
<author fullname="C. Lonvick" initials="C." role="editor" surname="L | 17.xml"/> | |||
onvick"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.79 | |||
<date month="January" year="2006"/> | 50.xml"/> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80 | |||
<t>The Secure Shell (SSH) Protocol is a protocol for secure remote | 40.xml"/> | |||
login and other secure network services over an insecure network. This document | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81 | |||
describes the architecture of the SSH protocol, as well as the notation and ter | 74.xml"/> | |||
minology used in SSH protocol documents. It also discusses the SSH algorithm nam | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
ing system that allows local extensions. The SSH protocol consists of three majo | 41.xml"/> | |||
r components: The Transport Layer Protocol provides server authentication, confi | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84 | |||
dentiality, and integrity with perfect forward secrecy. The User Authentication | 46.xml"/> | |||
Protocol authenticates the client to the server. The Connection Protocol multipl | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.90 | |||
exes the encrypted tunnel into several logical channels. Details of these protoc | 00.xml"/> | |||
ols are described in separate documents. [STANDARDS-TRACK]</t> | ||||
</abstract> | <reference anchor="RFC9640" target="https://www.rfc-editor.org/info/rfc96 | |||
</front> | 40"> | |||
<seriesInfo name="RFC" value="4251"/> | <front> | |||
<seriesInfo name="DOI" value="10.17487/RFC4251"/> | <title>YANG Data Types and Groupings for Cryptography</title> | |||
</reference> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
<reference anchor="RFC4252" target="https://www.rfc-editor.org/info/rfc4 | <organization>Watsen Networks</organization> | |||
252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4252.xml"> | </author> | |||
<front> | <date month="October" year="2024"/> | |||
<title>The Secure Shell (SSH) Authentication Protocol</title> | </front> | |||
<author fullname="T. Ylonen" initials="T." surname="Ylonen"/> | <seriesInfo name="RFC" value="9640"/> | |||
<author fullname="C. Lonvick" initials="C." role="editor" surname="L | <seriesInfo name="DOI" value="10.17487/RFC9640"/> | |||
onvick"/> | </reference> | |||
<date month="January" year="2006"/> | ||||
<abstract> | <reference anchor="RFC9641" target="https://www.rfc-editor.org/info/rfc96 | |||
<t>The Secure Shell Protocol (SSH) is a protocol for secure remote | 41"> | |||
login and other secure network services over an insecure network. This document | <front> | |||
describes the SSH authentication protocol framework and public key, password, a | <title>A YANG Data Model for a Truststore</title> | |||
nd host-based client authentication methods. Additional authentication methods a | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
re described in separate documents. The SSH authentication protocol runs on top | <organization>Watsen Networks</organization> | |||
of the SSH transport layer protocol and provides a single authenticated tunnel f | </author> | |||
or the SSH connection protocol. [STANDARDS-TRACK]</t> | <date month="October" year="2024"/> | |||
</abstract> | </front> | |||
</front> | <seriesInfo name="RFC" value="9641"/> | |||
<seriesInfo name="RFC" value="4252"/> | <seriesInfo name="DOI" value="10.17487/RFC9641"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC4252"/> | </reference> | |||
</reference> | ||||
<reference anchor="RFC4253" target="https://www.rfc-editor.org/info/rfc4 | <reference anchor="RFC9642" target="https://www.rfc-editor.org/info/rfc9 | |||
253" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4253.xml"> | 642"> | |||
<front> | <front> | |||
<title>The Secure Shell (SSH) Transport Layer Protocol</title> | <title>A YANG Data Model for a Keystore</title> | |||
<author fullname="T. Ylonen" initials="T." surname="Ylonen"/> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
<author fullname="C. Lonvick" initials="C." role="editor" surname="L | <organization>Watsen Networks</organization> | |||
onvick"/> | </author> | |||
<date month="January" year="2006"/> | <date month="October" year="2024"/> | |||
<abstract> | </front> | |||
<t>The Secure Shell (SSH) is a protocol for secure remote login an | <seriesInfo name="RFC" value="9642"/> | |||
d other secure network services over an insecure network.</t> | <seriesInfo name="DOI" value="10.17487/RFC9642"/> | |||
<t>This document describes the SSH transport layer protocol, which | </reference> | |||
typically runs on top of TCP/IP. The protocol can be used as a basis for a numb | ||||
er of secure network services. It provides strong encryption, server authenticat | ||||
ion, and integrity protection. It may also provide compression.</t> | ||||
<t>Key exchange method, public key algorithm, symmetric encryption | ||||
algorithm, message authentication algorithm, and hash algorithm are all negotia | ||||
ted.</t> | ||||
<t>This document also describes the Diffie-Hellman key exchange me | ||||
thod and the minimal set of algorithms that are needed to implement the SSH tran | ||||
sport layer protocol. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4253"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4253"/> | ||||
</reference> | ||||
<reference anchor="RFC4254" target="https://www.rfc-editor.org/info/rfc4 | ||||
254" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4254.xml"> | ||||
<front> | ||||
<title>The Secure Shell (SSH) Connection Protocol</title> | ||||
<author fullname="T. Ylonen" initials="T." surname="Ylonen"/> | ||||
<author fullname="C. Lonvick" initials="C." role="editor" surname="L | ||||
onvick"/> | ||||
<date month="January" year="2006"/> | ||||
<abstract> | ||||
<t>Secure Shell (SSH) is a protocol for secure remote login and ot | ||||
her secure network services over an insecure network.</t> | ||||
<t>This document describes the SSH Connection Protocol. It provide | ||||
s interactive login sessions, remote execution of commands, forwarded TCP/IP con | ||||
nections, and forwarded X11 connections. All of these channels are multiplexed i | ||||
nto a single encrypted tunnel.</t> | ||||
<t>The SSH Connection Protocol has been designed to run on top of | ||||
the SSH transport layer and user authentication protocols. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4254"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4254"/> | ||||
</reference> | ||||
<reference anchor="RFC4344" target="https://www.rfc-editor.org/info/rfc4 | ||||
344" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4344.xml"> | ||||
<front> | ||||
<title>The Secure Shell (SSH) Transport Layer Encryption Modes</titl | ||||
e> | ||||
<author fullname="M. Bellare" initials="M." surname="Bellare"/> | ||||
<author fullname="T. Kohno" initials="T." surname="Kohno"/> | ||||
<author fullname="C. Namprempre" initials="C." surname="Namprempre"/ | ||||
> | ||||
<date month="January" year="2006"/> | ||||
<abstract> | ||||
<t>Researchers have discovered that the authenticated encryption p | ||||
ortion of the current SSH Transport Protocol is vulnerable to several attacks.</ | ||||
t> | ||||
<t>This document describes new symmetric encryption methods for th | ||||
e Secure Shell (SSH) Transport Protocol and gives specific recommendations on ho | ||||
w frequently SSH implementations should rekey. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4344"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4344"/> | ||||
</reference> | ||||
<reference anchor="RFC4419" target="https://www.rfc-editor.org/info/rfc4 | ||||
419" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4419.xml"> | ||||
<front> | ||||
<title>Diffie-Hellman Group Exchange for the Secure Shell (SSH) Tran | ||||
sport Layer Protocol</title> | ||||
<author fullname="M. Friedl" initials="M." surname="Friedl"/> | ||||
<author fullname="N. Provos" initials="N." surname="Provos"/> | ||||
<author fullname="W. Simpson" initials="W." surname="Simpson"/> | ||||
<date month="March" year="2006"/> | ||||
<abstract> | ||||
<t>This memo describes a new key exchange method for the Secure Sh | ||||
ell (SSH) protocol. It allows the SSH server to propose new groups on which to p | ||||
erform the Diffie-Hellman key exchange to the client. The proposed groups need n | ||||
ot be fixed and can change with time. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4419"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4419"/> | ||||
</reference> | ||||
<reference anchor="RFC4432" target="https://www.rfc-editor.org/info/rfc4 | ||||
432" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4432.xml"> | ||||
<front> | ||||
<title>RSA Key Exchange for the Secure Shell (SSH) Transport Layer P | ||||
rotocol</title> | ||||
<author fullname="B. Harris" initials="B." surname="Harris"/> | ||||
<date month="March" year="2006"/> | ||||
<abstract> | ||||
<t>This memo describes a key-exchange method for the Secure Shell | ||||
(SSH) protocol based on Rivest-Shamir-Adleman (RSA) public-key encryption. It us | ||||
es much less client CPU time than the Diffie-Hellman algorithm specified as part | ||||
of the core protocol, and hence is particularly suitable for slow client system | ||||
s. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4432"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4432"/> | ||||
</reference> | ||||
<reference anchor="RFC4462" target="https://www.rfc-editor.org/info/rfc4 | ||||
462" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4462.xml"> | ||||
<front> | ||||
<title>Generic Security Service Application Program Interface (GSS-A | ||||
PI) Authentication and Key Exchange for the Secure Shell (SSH) Protocol</title> | ||||
<author fullname="J. Hutzelman" initials="J." surname="Hutzelman"/> | ||||
<author fullname="J. Salowey" initials="J." surname="Salowey"/> | ||||
<author fullname="J. Galbraith" initials="J." surname="Galbraith"/> | ||||
<author fullname="V. Welch" initials="V." surname="Welch"/> | ||||
<date month="May" year="2006"/> | ||||
<abstract> | ||||
<t>The Secure Shell protocol (SSH) is a protocol for secure remote | ||||
login and other secure network services over an insecure network.</t> | ||||
<t>The Generic Security Service Application Program Interface (GSS | ||||
-API) provides security services to callers in a mechanism-independent fashion.< | ||||
/t> | ||||
<t>This memo describes methods for using the GSS-API for authentic | ||||
ation and key exchange in SSH. It defines an SSH user authentication method that | ||||
uses a specified GSS-API mechanism to authenticate a user, and a family of SSH | ||||
key exchange methods that use GSS-API to authenticate a Diffie-Hellman key excha | ||||
nge.</t> | ||||
<t>This memo also defines a new host public key algorithm that can | ||||
be used when no operations are needed using a host's public key, and a new user | ||||
authentication method that allows an authorization name to be used in conjuncti | ||||
on with any authentication that has already occurred as a side-effect of GSS-API | ||||
-based key exchange. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="4462"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC4462"/> | ||||
</reference> | ||||
<reference anchor="RFC5647" target="https://www.rfc-editor.org/info/rfc5 | ||||
647" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5647.xml"> | ||||
<front> | ||||
<title>AES Galois Counter Mode for the Secure Shell Transport Layer | ||||
Protocol</title> | ||||
<author fullname="K. Igoe" initials="K." surname="Igoe"/> | ||||
<author fullname="J. Solinas" initials="J." surname="Solinas"/> | ||||
<date month="August" year="2009"/> | ||||
<abstract> | ||||
<t>Secure shell (SSH) is a secure remote-login protocol. SSH provi | ||||
des for algorithms that provide authentication, key agreement, confidentiality, | ||||
and data-integrity services. The purpose of this document is to show how the AES | ||||
Galois Counter Mode can be used to provide both confidentiality and data integr | ||||
ity to the SSH Transport Layer Protocol. This memo provides information for the | ||||
Internet community.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5647"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5647"/> | ||||
</reference> | ||||
<reference anchor="RFC5656" target="https://www.rfc-editor.org/info/rfc5 | ||||
656" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5656.xml"> | ||||
<front> | ||||
<title>Elliptic Curve Algorithm Integration in the Secure Shell Tran | ||||
sport Layer</title> | ||||
<author fullname="D. Stebila" initials="D." surname="Stebila"/> | ||||
<author fullname="J. Green" initials="J." surname="Green"/> | ||||
<date month="December" year="2009"/> | ||||
<abstract> | ||||
<t>This document describes algorithms based on Elliptic Curve Cryp | ||||
tography (ECC) for use within the Secure Shell (SSH) transport protocol. In part | ||||
icular, it specifies Elliptic Curve Diffie-Hellman (ECDH) key agreement, Ellipti | ||||
c Curve Menezes-Qu-Vanstone (ECMQV) key agreement, and Elliptic Curve Digital Si | ||||
gnature Algorithm (ECDSA) for use in the SSH Transport Layer protocol. [STANDARD | ||||
S-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5656"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5656"/> | ||||
</reference> | ||||
<reference anchor="RFC6020" target="https://www.rfc-editor.org/info/rfc6 | ||||
020" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"> | ||||
<front> | ||||
<title>YANG - A Data Modeling Language for the Network Configuration | ||||
Protocol (NETCONF)</title> | ||||
<author fullname="M. Bjorklund" initials="M." role="editor" surname= | ||||
"Bjorklund"/> | ||||
<date month="October" year="2010"/> | ||||
<abstract> | ||||
<t>YANG is a data modeling language used to model configuration an | ||||
d state data manipulated by the Network Configuration Protocol (NETCONF), NETCON | ||||
F remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6020"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6020"/> | ||||
</reference> | ||||
<reference anchor="RFC6187" target="https://www.rfc-editor.org/info/rfc6 | ||||
187" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6187.xml"> | ||||
<front> | ||||
<title>X.509v3 Certificates for Secure Shell Authentication</title> | ||||
<author fullname="K. Igoe" initials="K." surname="Igoe"/> | ||||
<author fullname="D. Stebila" initials="D." surname="Stebila"/> | ||||
<date month="March" year="2011"/> | ||||
<abstract> | ||||
<t>X.509 public key certificates use a signature by a trusted cert | ||||
ification authority to bind a given public key to a given digital identity. This | ||||
document specifies how to use X.509 version 3 public key certificates in public | ||||
key algorithms in the Secure Shell protocol. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6187"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6187"/> | ||||
</reference> | ||||
<reference anchor="RFC6668" target="https://www.rfc-editor.org/info/rfc6 | ||||
668" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6668.xml"> | ||||
<front> | ||||
<title>SHA-2 Data Integrity Verification for the Secure Shell (SSH) | ||||
Transport Layer Protocol</title> | ||||
<author fullname="D. Bider" initials="D." surname="Bider"/> | ||||
<author fullname="M. Baushke" initials="M." surname="Baushke"/> | ||||
<date month="July" year="2012"/> | ||||
<abstract> | ||||
<t>This memo defines algorithm names and parameters for use in som | ||||
e of the SHA-2 family of secure hash algorithms for data integrity verification | ||||
in the Secure Shell (SSH) protocol. It also updates RFC 4253 by specifying a new | ||||
RECOMMENDED data integrity algorithm. [STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6668"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6668"/> | ||||
</reference> | ||||
<reference anchor="RFC7317" target="https://www.rfc-editor.org/info/rfc7 | ||||
317" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7317.xml"> | ||||
<front> | ||||
<title>A YANG Data Model for System Management</title> | ||||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<date month="August" year="2014"/> | ||||
<abstract> | ||||
<t>This document defines a YANG data model for the configuration a | ||||
nd identification of some common system properties within a device containing a | ||||
Network Configuration Protocol (NETCONF) server. This document also includes dat | ||||
a node definitions for system identification, time-of-day management, user manag | ||||
ement, DNS resolver configuration, and some protocol operations for system manag | ||||
ement.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7317"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7317"/> | ||||
</reference> | ||||
<reference anchor="RFC7950" target="https://www.rfc-editor.org/info/rfc7 | ||||
950" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"> | ||||
<front> | ||||
<title>The YANG 1.1 Data Modeling Language</title> | ||||
<author fullname="M. Bjorklund" initials="M." role="editor" surname= | ||||
"Bjorklund"/> | ||||
<date month="August" year="2016"/> | ||||
<abstract> | ||||
<t>YANG is a data modeling language used to model configuration da | ||||
ta, state data, Remote Procedure Calls, and notifications for network management | ||||
protocols. This document describes the syntax and semantics of version 1.1 of t | ||||
he YANG language. YANG version 1.1 is a maintenance release of the YANG language | ||||
, addressing ambiguities and defects in the original specification. There are a | ||||
small number of backward incompatibilities from YANG version 1. This document al | ||||
so specifies the YANG mappings to the Network Configuration Protocol (NETCONF).< | ||||
/t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7950"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7950"/> | ||||
</reference> | ||||
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8 | ||||
174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> | ||||
<front> | ||||
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti | ||||
tle> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<date month="May" year="2017"/> | ||||
<abstract> | ||||
<t>RFC 2119 specifies common key words that may be used in protoco | ||||
l specifications. This document aims to reduce the ambiguity by clarifying that | ||||
only UPPERCASE usage of the key words have the defined special meanings.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="8174"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
</reference> | ||||
<reference anchor="RFC8268" target="https://www.rfc-editor.org/info/rfc8 | ||||
268" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8268.xml"> | ||||
<front> | ||||
<title>More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Ex | ||||
change (KEX) Groups for Secure Shell (SSH)</title> | ||||
<author fullname="M. Baushke" initials="M." surname="Baushke"/> | ||||
<date month="December" year="2017"/> | ||||
<abstract> | ||||
<t>This document defines added Modular Exponentiation (MODP) group | ||||
s for the Secure Shell (SSH) protocol using SHA-2 hashes. This document updates | ||||
RFC 4250. This document updates RFC 4253 by correcting an error regarding checki | ||||
ng the Peer's DH Public Key.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8268"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8268"/> | ||||
</reference> | ||||
<reference anchor="RFC8308" target="https://www.rfc-editor.org/info/rfc8 | ||||
308" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8308.xml"> | ||||
<front> | ||||
<title>Extension Negotiation in the Secure Shell (SSH) Protocol</tit | ||||
le> | ||||
<author fullname="D. Bider" initials="D." surname="Bider"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>This memo updates RFCs 4251, 4252, 4253, and 4254 by defining a | ||||
mechanism for Secure Shell (SSH) clients and servers to exchange information ab | ||||
out supported protocol extensions confidentially after SSH key exchange.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8308"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8308"/> | ||||
</reference> | ||||
<reference anchor="RFC8332" target="https://www.rfc-editor.org/info/rfc8 | ||||
332" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8332.xml"> | ||||
<front> | ||||
<title>Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | ||||
(SSH) Protocol</title> | ||||
<author fullname="D. Bider" initials="D." surname="Bider"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>This memo updates RFCs 4252 and 4253 to define new public key a | ||||
lgorithms for use of RSA keys with SHA-256 and SHA-512 for server and client aut | ||||
hentication in SSH connections.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8332"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8332"/> | ||||
</reference> | ||||
<reference anchor="RFC8341" target="https://www.rfc-editor.org/info/rfc8 | ||||
341" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml"> | ||||
<front> | ||||
<title>Network Configuration Access Control Model</title> | ||||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>The standardization of network configuration interfaces for use | ||||
with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requ | ||||
ires a structured and secure operating environment that promotes human usability | ||||
and multi-vendor interoperability. There is a need for standard mechanisms to r | ||||
estrict NETCONF or RESTCONF protocol access for particular users to a preconfigu | ||||
red subset of all available NETCONF or RESTCONF protocol operations and content. | ||||
This document defines such an access control model.</t> | ||||
<t>This document obsoletes RFC 6536.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="91"/> | ||||
<seriesInfo name="RFC" value="8341"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8341"/> | ||||
</reference> | ||||
<reference anchor="RFC8709" target="https://www.rfc-editor.org/info/rfc8 | ||||
709" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8709.xml"> | ||||
<front> | ||||
<title>Ed25519 and Ed448 Public Key Algorithms for the Secure Shell | ||||
(SSH) Protocol</title> | ||||
<author fullname="B. Harris" initials="B." surname="Harris"/> | ||||
<author fullname="L. Velvindron" initials="L." surname="Velvindron"/ | ||||
> | ||||
<date month="February" year="2020"/> | ||||
<abstract> | ||||
<t>This document describes the use of the Ed25519 and Ed448 digita | ||||
l signature algorithms in the Secure Shell (SSH) protocol. Accordingly, this RFC | ||||
updates RFC 4253.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8709"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8709"/> | ||||
</reference> | ||||
<reference anchor="RFC8731" target="https://www.rfc-editor.org/info/rfc8 | ||||
731" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8731.xml"> | ||||
<front> | ||||
<title>Secure Shell (SSH) Key Exchange Method Using Curve25519 and C | ||||
urve448</title> | ||||
<author fullname="A. Adamantiadis" initials="A." surname="Adamantiad | ||||
is"/> | ||||
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/> | ||||
<author fullname="M. Baushke" initials="M." surname="Baushke"/> | ||||
<date month="February" year="2020"/> | ||||
<abstract> | ||||
<t>This document describes the specification for using Curve25519 | ||||
and Curve448 key exchange methods in the Secure Shell (SSH) protocol.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8731"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8731"/> | ||||
</reference> | ||||
<reference anchor="RFC8732" target="https://www.rfc-editor.org/info/rfc8 | ||||
732" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8732.xml"> | ||||
<front> | ||||
<title>Generic Security Service Application Program Interface (GSS-A | ||||
PI) Key Exchange with SHA-2</title> | ||||
<author fullname="S. Sorce" initials="S." surname="Sorce"/> | ||||
<author fullname="H. Kario" initials="H." surname="Kario"/> | ||||
<date month="February" year="2020"/> | ||||
<abstract> | ||||
<t>This document specifies additions and amendments to RFC 4462. I | ||||
t defines a new key exchange method that uses SHA-2 for integrity and deprecates | ||||
weak Diffie-Hellman (DH) groups. The purpose of this specification is to modern | ||||
ize the cryptographic primitives used by Generic Security Service (GSS) key exch | ||||
anges.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8732"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8732"/> | ||||
</reference> | ||||
<reference anchor="RFC8758" target="https://www.rfc-editor.org/info/rfc8 | ||||
758" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8758.xml"> | ||||
<front> | ||||
<title>Deprecating RC4 in Secure Shell (SSH)</title> | ||||
<author fullname="L. Velvindron" initials="L." surname="Velvindron"/ | ||||
> | ||||
<date month="April" year="2020"/> | ||||
<abstract> | ||||
<t>This document deprecates RC4 in Secure Shell (SSH). Therefore, | ||||
this document formally moves RFC 4345 to Historic status.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="227"/> | ||||
<seriesInfo name="RFC" value="8758"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8758"/> | ||||
</reference> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-crypto-types.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-trust-anchors.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-keystore.xml"/> | ||||
</references> | </references> | |||
<references> | <references> | |||
<name>Informative References</name> | <name>Informative References</name> | |||
<!--<reference anchor='FIPS180-4' target="http://csrc.nist.gov/publicati | ||||
ons/fips/fips180-4/fips-180-4.pdf"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.36 | |||
<front> | 88.xml"/> | |||
<title>Secure Hash Standard (SHS)</title> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80 | |||
<author fullname='National Institute of Standards and Technology'/> | 71.xml"/> | |||
<date year='2012' month='March'/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.82 | |||
</front> | 59.xml"/> | |||
<seriesInfo name="FIPS PUB" value="180-4"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
</reference>--> | 40.xml"/> | |||
<reference anchor="RFC3688" target="https://www.rfc-editor.org/info/rfc368 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
8" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"> | 42.xml"/> | |||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.84 | |||
<title>The IETF XML Registry</title> | 07.xml"/> | |||
<author fullname="M. Mealling" initials="M." surname="Mealling"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.87 | |||
<date month="January" year="2004"/> | 92.xml"/> | |||
<abstract> | ||||
<t>This document describes an IANA maintained registry for IETF st | <reference anchor="RFC9643" target="https://www.rfc-editor.org/info/rfc9 | |||
andards which use Extensible Markup Language (XML) related items such as Namespa | 643"> | |||
ces, Document Type Declarations (DTDs), Schemas, and Resource Description Framew | <front> | |||
ork (RDF) Schemas.</t> | <title>YANG Groupings for TCP Clients and TCP Servers</title> | |||
</abstract> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
</front> | <organization>Watsen Networks</organization> | |||
<seriesInfo name="BCP" value="81"/> | </author> | |||
<seriesInfo name="RFC" value="3688"/> | <author initials="M." surname="Scharf" fullname="Michael Scharf"> | |||
<seriesInfo name="DOI" value="10.17487/RFC3688"/> | <organization>Hochschule Esslingen - University of Applied Sciences | |||
</reference> | </organization> | |||
<reference anchor="RFC6241" target="https://www.rfc-editor.org/info/rfc6 | </author> | |||
241" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"> | <date month="October" year="2024"/> | |||
<front> | </front> | |||
<title>Network Configuration Protocol (NETCONF)</title> | <seriesInfo name="RFC" value="9643"/> | |||
<author fullname="R. Enns" initials="R." role="editor" surname="Enns | <seriesInfo name="DOI" value="10.17487/RFC9643"/> | |||
"/> | </reference> | |||
<author fullname="M. Bjorklund" initials="M." role="editor" surname= | ||||
"Bjorklund"/> | <reference anchor="RFC9645" target="https://www.rfc-editor.org/info/rfc9 | |||
<author fullname="J. Schoenwaelder" initials="J." role="editor" surn | 645"> | |||
ame="Schoenwaelder"/> | <front> | |||
<author fullname="A. Bierman" initials="A." role="editor" surname="B | <title>YANG Groupings for TLS Clients and TLS Servers</title> | |||
ierman"/> | <author initials="K." surname="Watsen" fullname="Kent Watsen"> | |||
<date month="June" year="2011"/> | <organization>Watsen Networks</organization> | |||
<abstract> | </author> | |||
<t>The Network Configuration Protocol (NETCONF) defined in this do | <date month="October" year="2024"/> | |||
cument provides mechanisms to install, manipulate, and delete the configuration | </front> | |||
of network devices. It uses an Extensible Markup Language (XML)-based data encod | <seriesInfo name="RFC" value="9645"/> | |||
ing for the configuration data as well as the protocol messages. The NETCONF pro | <seriesInfo name="DOI" value="10.17487/RFC9645"/> | |||
tocol operations are realized as remote procedure calls (RPCs). This document ob | </reference> | |||
soletes RFC 4741. [STANDARDS-TRACK]</t> | ||||
</abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net | |||
</front> | conf-http-client-server"/> | |||
<seriesInfo name="RFC" value="6241"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6241"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net | |||
</reference> | conf-netconf-client-server"/> | |||
<reference anchor="RFC6242" target="https://www.rfc-editor.org/info/rfc6 | ||||
242" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6242.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-net | |||
<front> | conf-restconf-client-server"/> | |||
<title>Using the NETCONF Protocol over Secure Shell (SSH)</title> | ||||
<author fullname="M. Wasserman" initials="M." surname="Wasserman"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D. | |||
<date month="June" year="2011"/> | ietf-netmod-system-config.xml"/> | |||
<abstract> | ||||
<t>This document describes a method for invoking and running the N | <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D. | |||
etwork Configuration Protocol (NETCONF) within a Secure Shell (SSH) session as a | ietf-netmod-rfc8407bis.xml"/> | |||
n SSH subsystem. This document obsoletes RFC 4742. [STANDARDS-TRACK]</t> | ||||
</abstract> | <reference anchor="FIPS_186-5" target="https://csrc.nist.gov/pubs/fips/1 | |||
</front> | 86-5/final"> | |||
<seriesInfo name="RFC" value="6242"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6242"/> | ||||
</reference> | ||||
<reference anchor="RFC8040" target="https://www.rfc-editor.org/info/rfc8 | ||||
040" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"> | ||||
<front> | ||||
<title>RESTCONF Protocol</title> | ||||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | ||||
<date month="January" year="2017"/> | ||||
<abstract> | ||||
<t>This document describes an HTTP-based protocol that provides a | ||||
programmatic interface for accessing data defined in YANG, using the datastore c | ||||
oncepts defined in the Network Configuration Protocol (NETCONF).</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8040"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8040"/> | ||||
</reference> | ||||
<reference anchor="RFC8071" target="https://www.rfc-editor.org/info/rfc8 | ||||
071" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8071.xml"> | ||||
<front> | ||||
<title>NETCONF Call Home and RESTCONF Call Home</title> | ||||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | ||||
<date month="February" year="2017"/> | ||||
<abstract> | ||||
<t>This RFC presents NETCONF Call Home and RESTCONF Call Home, whi | ||||
ch enable a NETCONF or RESTCONF server to initiate a secure connection to a NETC | ||||
ONF or RESTCONF client, respectively.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8071"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8071"/> | ||||
</reference> | ||||
<reference anchor="RFC8340" target="https://www.rfc-editor.org/info/rfc8 | ||||
340" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml"> | ||||
<front> | ||||
<title>YANG Tree Diagrams</title> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<author fullname="L. Berger" initials="L." role="editor" surname="Be | ||||
rger"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>This document captures the current syntax used in YANG module t | ||||
ree diagrams. The purpose of this document is to provide a single location for t | ||||
his definition. This syntax may be updated from time to time based on the evolut | ||||
ion of the YANG language.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="215"/> | ||||
<seriesInfo name="RFC" value="8340"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8340"/> | ||||
</reference> | ||||
<reference anchor="RFC8342" target="https://www.rfc-editor.org/info/rfc8 | ||||
342" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8342.xml"> | ||||
<front> | ||||
<title>Network Management Datastore Architecture (NMDA)</title> | ||||
<author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> | ||||
<author fullname="J. Schoenwaelder" initials="J." surname="Schoenwae | ||||
lder"/> | ||||
<author fullname="P. Shafer" initials="P." surname="Shafer"/> | ||||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | ||||
<author fullname="R. Wilton" initials="R." surname="Wilton"/> | ||||
<date month="March" year="2018"/> | ||||
<abstract> | ||||
<t>Datastores are a fundamental concept binding the data models wr | ||||
itten in the YANG data modeling language to network management protocols such as | ||||
the Network Configuration Protocol (NETCONF) and RESTCONF. This document define | ||||
s an architectural framework for datastores based on the experience gained with | ||||
the initial simpler model, addressing requirements that were not well supported | ||||
in the initial model. This document updates RFC 7950.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8342"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8342"/> | ||||
</reference> | ||||
<reference anchor="RFC8407" target="https://www.rfc-editor.org/info/rfc8 | ||||
407" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8407.xml"> | ||||
<front> | ||||
<title>Guidelines for Authors and Reviewers of Documents Containing | ||||
YANG Data Models</title> | ||||
<author fullname="A. Bierman" initials="A." surname="Bierman"/> | ||||
<date month="October" year="2018"/> | ||||
<abstract> | ||||
<t>This memo provides guidelines for authors and reviewers of spec | ||||
ifications containing YANG modules. Recommendations and procedures are defined, | ||||
which are intended to increase interoperability and usability of Network Configu | ||||
ration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YAN | ||||
G modules. This document obsoletes RFC 6087.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="216"/> | ||||
<seriesInfo name="RFC" value="8407"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8407"/> | ||||
</reference> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-tcp-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-ssh-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-tls-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-http-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-netconf-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netconf-restconf-client-server.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netmod-system-config.xml"/> | ||||
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D | ||||
.ietf-netmod-rfc8407bis.xml"/> | ||||
<reference anchor="FIPS_186-6" target="https://csrc.nist.gov/publication | ||||
s/detail/fips/186/5/draft"> | ||||
<front> | <front> | |||
<title>Digital Signature Standard (DSS)</title> | <title>Digital Signature Standard (DSS)</title> | |||
<author fullname="The National Institute for Science and Technology | <author> | |||
(NIST)"/> | <organization>NIST</organization> | |||
</author> | ||||
<date month="February" year="2023"/> | ||||
</front> | </front> | |||
<seriesInfo name="FIPS PUB" value="186-5"/> | ||||
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-5"/> | ||||
</reference> | </reference> | |||
<!-- | ||||
<reference anchor="OPENSSH" target="http://www.openssh.com"> | ||||
<front> | ||||
<title>OpenSSH</title> | ||||
<author fullname="The OpenBSD Project"/> | ||||
</front> | ||||
</reference> | ||||
--> | ||||
<reference anchor="IANA-KEYEX-ALGS" target="https://www.iana.org/assignmen ts/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-16"> | <reference anchor="IANA-KEYEX-ALGS" target="https://www.iana.org/assignmen ts/ssh-parameters"> | |||
<front> | <front> | |||
<title>IANA "Key Exchange Method Names" Sub-registry of the "Secure | <title>Key Exchange Method Names</title> | |||
Shell (SSH) Protocol Parameters" Registry</title> | <author> | |||
<author fullname="Internet Assigned Numbers Authority (IANA)"/> | <organization>IANA</organization> | |||
</author> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="IANA-ENC-ALGS" target="https://www.iana.org/assignmen | ||||
ts/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-17"> | <reference anchor="IANA-ENC-ALGS" target="https://www.iana.org/assignmen | |||
ts/ssh-parameters/"> | ||||
<front> | <front> | |||
<title>IANA "Encryption Algorithm Names" Sub-registry of the "Secure | <title>Encryption Algorithm Names</title> | |||
Shell (SSH) Protocol Parameters" Registry</title> | <author> | |||
<author fullname="Internet Assigned Numbers Authority (IANA)"/> | <organization>IANA</organization> | |||
</author> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="IANA-MAC-ALGS" target="https://www.iana.org/assignmen | ||||
ts/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-18"> | <reference anchor="IANA-MAC-ALGS" target="https://www.iana.org/assignmen | |||
ts/ssh-parameters"> | ||||
<front> | <front> | |||
<title>IANA "MAC Algorithm Names" Sub-registry of the "Secure Shell | <title>MAC Algorithm Names</title> | |||
(SSH) Protocol Parameters" Registry</title> | <author> | |||
<author fullname="Internet Assigned Numbers Authority (IANA)"/> | <organization>IANA</organization> | |||
</author> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="IANA-PUBKEY-ALGS" target="https://www.iana.org/assign | ||||
ments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-19"> | <reference anchor="IANA-PUBKEY-ALGS" target="https://www.iana.org/assign | |||
ments/ssh-parameters/"> | ||||
<front> | <front> | |||
<title>IANA "Public Key Algorithm Names" Sub-registry of the "Secure | <title>Public Key Algorithm Names</title> | |||
Shell (SSH) Protocol Parameters" Registry</title> | <author> | |||
<author fullname="Internet Assigned Numbers Authority (IANA)"/> | <organization>IANA</organization> | |||
</author> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="IANA-YANG-PARAMETERS" target="https://www.iana.org/as signments/yang-parameters"> | <reference anchor="IANA-YANG-PARAMETERS" target="https://www.iana.org/as signments/yang-parameters"> | |||
<front> | <front> | |||
<title>YANG Parameters</title> | <title>YANG Parameters</title> | |||
<author> | <author> | |||
<organization/> | <organization>IANA</organization> | |||
</author> | </author> | |||
<date>n.d.</date> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="W3C.REC-xml-20081126" target="https://www.w3.org/TR/20 | ||||
08/REC-xml-20081126/"> | ||||
<front> | ||||
<title>Extensible Markup Language (XML) 1.0 | ||||
(Fifth Edition)</title> | ||||
<author initials="T." surname="Bray" fullname="Tim Bray"/> | ||||
<author initials="J." surname="Paoli" fullname="Jean Paoli"/> | ||||
<author initials="C.M." surname="Sperberg-McQueen" fullname="C. M. | ||||
Sperberg-McQueen"/> | ||||
<author initials="E." surname="Maler" fullname="Eve Maler"/> | ||||
<author initials="F." surname="Yergeau" fullname="François Yergeau"/> | ||||
<date month="November" year="2008"/> | ||||
</front> | ||||
<seriesInfo name="World Wide Web Consortium | ||||
Recommendation" value="REC-xml-20081126"/> | ||||
</reference> | ||||
</references> | </references> | |||
</references> | </references> | |||
<section anchor="iana-script"> | <section anchor="iana-script"> | |||
<name>Script to Generate IANA-Maintained YANG Modules</name> | <name>Script to Generate IANA-Maintained YANG Modules</name> | |||
<t>This section is not Normative.</t> | <t>This section is not normative.</t> | |||
<t>The Python <eref target="https://www.python.org"/> script contained in | ||||
this | <t>The Python <eref target="https://www.python.org" brackets="angle"/> scr | |||
section will create the four IANA-maintained modules described in this d | ipt contained in this | |||
ocument.</t> | section will create the four IANA-maintained modules that are described | |||
<t>Run the script using the command `python gen-yang-modules.py`, to produ | (but not contained) in this document.</t> | |||
ce four | <t>Run the script using the command "python gen-yang-modules.py" to produc | |||
e four | ||||
YANG module files in the current directory.</t> | YANG module files in the current directory.</t> | |||
<t>Be aware that the script does not attempt to copy the "revision" statem ents | <t>Be aware that the script does not attempt to copy the "revision" statem ents | |||
from the previous/current YANG module. Copying the revision statements must | from the previous/current YANG module. Copying the revision statements must | |||
be done manually.</t> | be done manually.</t> | |||
<sourcecode type="python" markers="true"><![CDATA[ | <sourcecode type="python" markers="true"><![CDATA[ | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
import re | import re | |||
import csv | import csv | |||
import textwrap | import textwrap | |||
import requests | import requests | |||
import requests_cache | import requests_cache | |||
from io import StringIO | from io import StringIO | |||
from datetime import datetime | from datetime import datetime | |||
# Metadata for the four YANG modules produced by this script | # Metadata for the four YANG modules produced by this script | |||
MODULES = [ | MODULES = [ | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-17.csv", | ssh-parameters-17.csv", | |||
"spaced_name": "encryption", | "spaced_name": "encryption", | |||
"hypenated_name": "encryption", | "hypenated_name": "encryption", | |||
"prefix": "sshea", | "prefix": "sshea", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the encryption algorithms | the encryption algorithms | |||
defined in the 'Encryption Algorithm Names' sub-registry of the | defined in the 'Encryption Algorithm Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""", | maintained by IANA.""", | |||
}, | }, | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-19.csv", | ssh-parameters-19.csv", | |||
"spaced_name": "public key", | "spaced_name": "public key", | |||
"hypenated_name": "public-key", | "hypenated_name": "public-key", | |||
"prefix": "sshpka", | "prefix": "sshpka", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the public key algorithms | the public key algorithms | |||
defined in the 'Public Key Algorithm Names' sub-registry of the | defined in the 'Public Key Algorithm Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""" | maintained by IANA.""" | |||
}, | }, | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-18.csv", | ssh-parameters-18.csv", | |||
"spaced_name": "mac", | "spaced_name": "mac", | |||
"hypenated_name": "mac", | "hypenated_name": "mac", | |||
"prefix": "sshma", | "prefix": "sshma", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the MAC algorithms | the MAC algorithms | |||
defined in the 'MAC Algorithm Names' sub-registry of the | defined in the 'MAC Algorithm Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""" | maintained by IANA.""" | |||
}, | }, | |||
{ | { | |||
"csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | "csv_url": "https://www.iana.org/assignments/ssh-parameters/\ | |||
ssh-parameters-16.csv", | ssh-parameters-16.csv", | |||
"spaced_name": "key exchange", | "spaced_name": "key exchange", | |||
"hypenated_name": "key-exchange", | "hypenated_name": "key-exchange", | |||
"prefix": "sshkea", | "prefix": "sshkea", | |||
"description": """ "This module defines enumerations for \ | "description": """ "This module defines enumerations for \ | |||
the key exchange algorithms | the key exchange algorithms | |||
defined in the 'Key Exchange Method Names' sub-registry of the | defined in the 'Key Exchange Method Names' registry of the | |||
'Secure Shell (SSH) Protocol Parameters' registry maintained | 'Secure Shell (SSH) Protocol Parameters' registry group | |||
by IANA.""" | maintained by IANA.""" | |||
}, | }, | |||
] | ] | |||
def create_module_begin(module, f): | def create_module_begin(module, f): | |||
# Define template for all four modules | # Define template for all four modules | |||
PREAMBLE_TEMPLATE=""" | PREAMBLE_TEMPLATE=""" | |||
module iana-ssh-HNAME-algs { | module iana-ssh-HNAME-algs { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-HNAME-algs"; | namespace "urn:ietf:params:xml:ns:yang:iana-ssh-HNAME-algs"; | |||
skipping to change at line 3471 ¶ | skipping to change at line 3093 ¶ | |||
12025 Waterfront Drive, Suite 300 | 12025 Waterfront Drive, Suite 300 | |||
Los Angeles, CA 90094-2536 | Los Angeles, CA 90094-2536 | |||
United States of America | United States of America | |||
Tel: +1 310 301 5800 | Tel: +1 310 301 5800 | |||
Email: iana@iana.org"; | Email: iana@iana.org"; | |||
description | description | |||
DESCRIPTION | DESCRIPTION | |||
Copyright (c) YEAR IETF Trust and the persons identified as | Copyright (c) YEAR IETF Trust and the persons identified as | |||
authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
The initial version of this YANG module is part of RFC EEEE | The initial version of this YANG module is part of RFC 9644 | |||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | (https://www.rfc-editor.org/info/rfc9644); see the RFC | |||
itself for full legal notices. | itself for full legal notices. | |||
All versions of this module are published by IANA at | All versions of this module are published by IANA at | |||
https://www.iana.org/assignments/yang-parameters."; | https://www.iana.org/assignments/yang-parameters."; | |||
revision DATE { | revision DATE { | |||
description | description | |||
"This initial version of the module was created using | "This initial version of the module was created using | |||
the script defined in RFC EEEE to reflect the contents | the script defined in RFC 9644 to reflect the contents | |||
of the SNAME algorithms registry maintained by IANA."; | of the SNAME algorithms registry maintained by IANA."; | |||
reference | reference | |||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | "RFC 9644: YANG Groupings for SSH Clients and SSH Servers"; | |||
} | } | |||
typedef ssh-HNAME-algorithm { | typedef ssh-HNAME-algorithm { | |||
type enumeration { | type enumeration { | |||
""" | """ | |||
# Replacements | # Replacements | |||
rep = { | rep = { | |||
"DATE": datetime.today().strftime('%Y-%m-%d'), | "DATE": datetime.today().strftime('%Y-%m-%d'), | |||
"YEAR": datetime.today().strftime('%Y'), | "YEAR": datetime.today().strftime('%Y'), | |||
"SNAME": module["spaced_name"], | "SNAME": module["spaced_name"], | |||
skipping to change at line 3662 ¶ | skipping to change at line 3284 ¶ | |||
algorithms.";\n') | algorithms.";\n') | |||
f.write(" }\n") | f.write(" }\n") | |||
f.write('\n') | f.write('\n') | |||
f.write('}\n') | f.write('}\n') | |||
def create_module(module): | def create_module(module): | |||
# Install cache for 8x speedup | # Install cache for 8x speedup | |||
requests_cache.install_cache() | requests_cache.install_cache() | |||
# ascertain yang module's name | # Ascertain YANG module's name | |||
yang_module_name = "iana-ssh-" + module["hypenated_name"] + "-al\ | yang_module_name = "iana-ssh-" + module["hypenated_name"] + "-al\ | |||
gs.yang" | gs.yang" | |||
# create yang module file | # Create YANG module file | |||
with open(yang_module_name, "w") as f: | with open(yang_module_name, "w") as f: | |||
create_module_begin(module, f) | create_module_begin(module, f) | |||
create_module_body(module, f) | create_module_body(module, f) | |||
create_module_end(module, f) | create_module_end(module, f) | |||
def main(): | def main(): | |||
for module in MODULES: | for module in MODULES: | |||
create_module(module) | create_module(module) | |||
if __name__ == "__main__": | if __name__ == "__main__": | |||
main() | main() | |||
]]></sourcecode> | ]]></sourcecode> | |||
<section anchor="ssh-enc-algs-model">
<name>Initial Module for the "Encryption Algorithm Names" Registry</name>
<t>Following are the complete contents of the initial IANA-maintained YANG module. Please note that the date "2024-03-16" reflects the day on which the extraction occurred. Applications SHOULD use the IANA-maintained module, not the module defined in this draft.</t>
<t>This YANG module has normative references to [FIPS 46-3], <xref target="RFC4253"/>, <xref target="RFC4344"/>, <xref target="RFC5647"/>, and <xref target="RFC8758"/>.</t>
<t keepWithNext="true"><CODE BEGINS> file "iana-ssh-encryption-algs@2024-03-16.yang"</t>
<artwork><![CDATA[ | ||||
module iana-ssh-encryption-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs"; | ||||
prefix sshea; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the encryption algorithms | ||||
defined in the 'Encryption Algorithm Names' sub-registry of the | ||||
'Secure Shell (SSH) Protocol Parameters' registry maintained | ||||
by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC EEEE | ||||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC EEEE to reflect the contents | ||||
of the encryption algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | ||||
} | ||||
typedef ssh-encryption-algorithm { | ||||
type enumeration { | ||||
enum 3des-cbc { | ||||
description | ||||
"Enumeration for the '3des-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum blowfish-cbc { | ||||
description | ||||
"Enumeration for the 'blowfish-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish256-cbc { | ||||
description | ||||
"Enumeration for the 'twofish256-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish-cbc { | ||||
description | ||||
"Enumeration for the 'twofish-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish192-cbc { | ||||
description | ||||
"Enumeration for the 'twofish192-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum twofish128-cbc { | ||||
description | ||||
"Enumeration for the 'twofish128-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum aes256-cbc { | ||||
description | ||||
"Enumeration for the 'aes256-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum aes192-cbc { | ||||
description | ||||
"Enumeration for the 'aes192-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum aes128-cbc { | ||||
description | ||||
"Enumeration for the 'aes128-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum serpent256-cbc { | ||||
description | ||||
"Enumeration for the 'serpent256-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum serpent192-cbc { | ||||
description | ||||
"Enumeration for the 'serpent192-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum serpent128-cbc { | ||||
description | ||||
"Enumeration for the 'serpent128-cbc' algorithm. Section | ||||
6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum arcfour { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'arcfour' algorithm."; | ||||
reference | ||||
"RFC 8758: | ||||
Deprecating RC4 in Secure Shell (SSH)"; | ||||
} | ||||
enum idea-cbc { | ||||
description | ||||
"Enumeration for the 'idea-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum cast128-cbc { | ||||
description | ||||
"Enumeration for the 'cast128-cbc' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum none { | ||||
description | ||||
"Enumeration for the 'none' algorithm. Section 6.3"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum des-cbc { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'des-cbc' algorithm."; | ||||
reference | ||||
"FIPS-46-3: | ||||
Data Encryption Standard (DES)"; | ||||
} | ||||
enum arcfour128 { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'arcfour128' algorithm."; | ||||
reference | ||||
"RFC 8758: | ||||
Deprecating RC4 in Secure Shell (SSH)"; | ||||
} | ||||
enum arcfour256 { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'arcfour256' algorithm."; | ||||
reference | ||||
"RFC 8758: | ||||
Deprecating RC4 in Secure Shell (SSH)"; | ||||
} | ||||
enum aes128-ctr { | ||||
description | ||||
"Enumeration for the 'aes128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum aes192-ctr { | ||||
description | ||||
"Enumeration for the 'aes192-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum aes256-ctr { | ||||
description | ||||
"Enumeration for the 'aes256-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum 3des-ctr { | ||||
description | ||||
"Enumeration for the '3des-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum blowfish-ctr { | ||||
description | ||||
"Enumeration for the 'blowfish-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum twofish128-ctr { | ||||
description | ||||
"Enumeration for the 'twofish128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum twofish192-ctr { | ||||
description | ||||
"Enumeration for the 'twofish192-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum twofish256-ctr { | ||||
description | ||||
"Enumeration for the 'twofish256-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum serpent128-ctr { | ||||
description | ||||
"Enumeration for the 'serpent128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum serpent192-ctr { | ||||
description | ||||
"Enumeration for the 'serpent192-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum serpent256-ctr { | ||||
description | ||||
"Enumeration for the 'serpent256-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum idea-ctr { | ||||
description | ||||
"Enumeration for the 'idea-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum cast128-ctr { | ||||
description | ||||
"Enumeration for the 'cast128-ctr' algorithm."; | ||||
reference | ||||
"RFC 4344: | ||||
The Secure Shell (SSH) Transport Layer Encryption | ||||
Modes"; | ||||
} | ||||
enum AEAD_AES_128_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_128_GCM' algorithm. Section | ||||
6.1"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum AEAD_AES_256_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_256_GCM' algorithm. Section | ||||
6.2"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH encryption algorithms."; | ||||
} | ||||
} | ||||
]]></artwork> | ||||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | ||||
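The enumerations above carry a YANG `status` substatement (`obsolete` for the RC4 and DES entries, `deprecated` for some key-exchange methods in the later module), and that is the piece of the module an operator most often needs to act on. The following is an added example, not the RFC's own tooling and not part of any IANA module: a small Python reader that extracts each enum's status from a module in the format shown above and then checks a configured algorithm list against it. The `SAMPLE_YANG` string is a constructed excerpt of `iana-ssh-encryption-algs`, trimmed to a handful of enums; the function names, the treatment of `none`, and the `allow_deprecated` switch are choices of this example.

```python
"""Validate a configured SSH algorithm list against an IANA-maintained YANG
enumeration of the kind shown above (example code; not the RFC's tooling).

Parsing is regex-based because the generated modules have a fixed shape:
one 'enum NAME { ... }' block per registry entry, an optional
'status X;' line inside it, and no nested braces within a block."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of iana-ssh-encryption-algs (a subset of the enums in
# the module above, reproduced with the same layout).
SAMPLE_YANG = """
module iana-ssh-encryption-algs {
  typedef ssh-encryption-algorithm {
    type enumeration {
      enum 3des-cbc {
        description
          "Enumeration for the '3des-cbc' algorithm. Section 6.3";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum arcfour {
        status obsolete;
        description
          "Enumeration for the 'arcfour' algorithm.";
        reference
          "RFC 8758:
             Deprecating RC4 in Secure Shell (SSH)";
      }
      enum none {
        description
          "Enumeration for the 'none' algorithm. Section 6.3";
        reference
          "RFC 4253:
             The Secure Shell (SSH) Transport Layer Protocol";
      }
      enum des-cbc {
        status obsolete;
        description
          "Enumeration for the 'des-cbc' algorithm.";
        reference
          "FIPS-46-3:
             Data Encryption Standard (DES)";
      }
      enum aes128-ctr {
        description
          "Enumeration for the 'aes128-ctr' algorithm.";
        reference
          "RFC 4344:
             The Secure Shell (SSH) Transport Layer Encryption
             Modes";
      }
      enum AEAD_AES_256_GCM {
        description
          "Enumeration for the 'AEAD_AES_256_GCM' algorithm. Section
           6.2";
        reference
          "RFC 5647:
             AES Galois Counter Mode for the Secure Shell Transport
             Layer Protocol";
      }
    }
    description
      "An enumeration for SSH encryption algorithms.";
  }
}
"""

# An enum block ends at the first line that holds only a closing brace.
_ENUM_RE = re.compile(r"enum\s+(\S+)\s*\{(.*?)\n\s*\}", re.DOTALL)
_STATUS_RE = re.compile(r"\bstatus\s+(current|deprecated|obsolete)\s*;")


def parse_enum_status(yang_text: str) -> Dict[str, str]:
    """Map each enum name to its YANG status; 'current' when none is stated."""
    catalog: Dict[str, str] = {}
    for name, body in _ENUM_RE.findall(yang_text):
        m = _STATUS_RE.search(body)
        catalog[name] = m.group(1) if m else "current"
    return catalog


def check_algorithms(configured: List[str], catalog: Dict[str, str],
                     allow_deprecated: bool = False
                     ) -> Tuple[List[str], Dict[str, str]]:
    """Split a configured list into accepted names and rejected names with a
    reason.  Unknown names are rejected because an enumeration-typed leaf
    cannot hold them (this includes locally defined '@domain' names, which
    are never in the IANA registry); 'none' is rejected because it turns the
    protection off; obsolete entries are always rejected and deprecated ones
    only unless allow_deprecated is set."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for alg in configured:
        status = catalog.get(alg)
        if status is None:
            rejected[alg] = "not in IANA registry enumeration"
        elif alg == "none":
            rejected[alg] = "'none' disables the protection"
        elif status == "obsolete":
            rejected[alg] = "status obsolete"
        elif status == "deprecated" and not allow_deprecated:
            rejected[alg] = "status deprecated"
        else:
            accepted.append(alg)
    return accepted, rejected


if __name__ == "__main__":
    cat = parse_enum_status(SAMPLE_YANG)
    ok, bad = check_algorithms(
        ["aes128-ctr", "arcfour", "none", "chacha20-poly1305@openssh.com"], cat)
    print("accepted:", ok)
    print("rejected:", bad)
```

Run against the full module text instead of the excerpt to get the complete catalog. The unknown-name rejection is the caveat worth noticing: names carrying the "@domain" suffix that RFC 4251 reserves for locally defined algorithms are not registered with IANA and therefore cannot be expressed with these enumeration typedefs at all, so a deployment that relies on such names needs a leaf type other than the plain enumeration.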
<section anchor="ssh-mac-algs-model"> | ||||
<name>Initial Module for the "MAC Algorithm Names" Registry</name> | ||||
<t>Following are the complete contents of the initial IANA-maintained YANG module. Please note that the date "2024-03-16" reflects the day on which the extraction occurred. Applications SHOULD use the IANA-maintained module, not the module defined in this draft.</t>
<t>This YANG module has normative references to <xref target="RFC4253"/>, <xref target="RFC5647"/>, and <xref target="RFC6668"/>.</t>
<t keepWithNext="true"><CODE BEGINS> file "iana-ssh-mac-algs@2024-03-16.yang"</t>
<artwork><![CDATA[ | ||||
module iana-ssh-mac-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs"; | ||||
prefix sshma; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the MAC algorithms | ||||
defined in the 'MAC Algorithm Names' sub-registry of the | ||||
'Secure Shell (SSH) Protocol Parameters' registry maintained | ||||
by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC EEEE | ||||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC EEEE to reflect the contents | ||||
of the mac algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | ||||
} | ||||
typedef ssh-mac-algorithm { | ||||
type enumeration { | ||||
enum hmac-sha1 { | ||||
description | ||||
"Enumeration for the 'hmac-sha1' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-sha1-96 { | ||||
description | ||||
"Enumeration for the 'hmac-sha1-96' algorithm. Section | ||||
6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-md5 { | ||||
description | ||||
"Enumeration for the 'hmac-md5' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-md5-96 { | ||||
description | ||||
"Enumeration for the 'hmac-md5-96' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum none { | ||||
description | ||||
"Enumeration for the 'none' algorithm. Section 6.4"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum AEAD_AES_128_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_128_GCM' algorithm. Section | ||||
6.1"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum AEAD_AES_256_GCM { | ||||
description | ||||
"Enumeration for the 'AEAD_AES_256_GCM' algorithm. Section | ||||
6.2"; | ||||
reference | ||||
"RFC 5647: | ||||
AES Galois Counter Mode for the Secure Shell Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum hmac-sha2-256 { | ||||
description | ||||
"Enumeration for the 'hmac-sha2-256' algorithm. Section 2"; | ||||
reference | ||||
"RFC 6668: | ||||
SHA-2 Data Integrity Verification for the Secure Shell | ||||
(SSH) Transport Layer Protocol"; | ||||
} | ||||
enum hmac-sha2-512 { | ||||
description | ||||
"Enumeration for the 'hmac-sha2-512' algorithm. Section 2"; | ||||
reference | ||||
"RFC 6668: | ||||
SHA-2 Data Integrity Verification for the Secure Shell | ||||
(SSH) Transport Layer Protocol"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH mac algorithms."; | ||||
} | ||||
} | ||||
]]></artwork> | ||||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | ||||
<section anchor="ssh-pubkey-algs-model"> | ||||
<name>Initial Module for the "Public Key Algorithm Names" Registry</name>
<t>Following are the complete contents of the initial IANA-maintained YANG module. Please note that the date "2024-03-16" reflects the day on which the extraction occurred. Applications SHOULD use the IANA-maintained module, not the module defined in this draft.</t>
<t>This YANG module has normative references to <xref target="RFC4253"/>, <xref target="RFC4462"/>, <xref target="RFC5656"/>, <xref target="RFC6187"/>, <xref target="RFC8332"/>, and <xref target="RFC8709"/>.</t>
<t keepWithNext="true"><CODE BEGINS> file "iana-ssh-public-key-algs@2024-03-16.yang"</t>
<artwork><![CDATA[ | ||||
module iana-ssh-public-key-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs"; | ||||
prefix sshpka; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the public key algorithms | ||||
defined in the 'Public Key Algorithm Names' sub-registry of the | ||||
'Secure Shell (SSH) Protocol Parameters' registry maintained | ||||
by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC EEEE | ||||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC EEEE to reflect the contents | ||||
of the public key algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | ||||
} | ||||
typedef ssh-public-key-algorithm { | ||||
type enumeration { | ||||
enum ssh-dss { | ||||
description | ||||
"Enumeration for the 'ssh-dss' algorithm. Section 6.6"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum ssh-rsa { | ||||
description | ||||
"Enumeration for the 'ssh-rsa' algorithm. Section 6.6"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum rsa-sha2-256 { | ||||
description | ||||
"Enumeration for the 'rsa-sha2-256' algorithm. Section 3"; | ||||
reference | ||||
"RFC 8332: | ||||
Use of RSA Keys with SHA-256 and SHA-512 in the Secure | ||||
Shell (SSH) Protocol"; | ||||
} | ||||
enum rsa-sha2-512 { | ||||
description | ||||
"Enumeration for the 'rsa-sha2-512' algorithm. Section 3"; | ||||
reference | ||||
"RFC 8332: | ||||
Use of RSA Keys with SHA-256 and SHA-512 in the Secure | ||||
Shell (SSH) Protocol"; | ||||
} | ||||
enum spki-sign-rsa { | ||||
description | ||||
"Enumeration for the 'spki-sign-rsa' algorithm. Section | ||||
6.6"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum spki-sign-dss { | ||||
description | ||||
"Enumeration for the 'spki-sign-dss' algorithm. Section | ||||
6.6"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum pgp-sign-rsa { | ||||
description | ||||
"Enumeration for the 'pgp-sign-rsa' algorithm. Section | ||||
6.6"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum pgp-sign-dss { | ||||
description | ||||
"Enumeration for the 'pgp-sign-dss' algorithm. Section | ||||
6.6"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum null { | ||||
description | ||||
"Enumeration for the 'null' algorithm. Section 5"; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol"; | ||||
} | ||||
enum ecdsa-sha2-nistp256 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-nistp256' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-nistp384 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-nistp384' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-nistp521 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-nistp521' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.1' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.2.840.10045.3.1.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.33' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.26' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.27' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.16' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.36' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.37' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdsa-sha2-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'ecdsa-sha2-1.3.132.0.38' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum x509v3-ssh-dss { | ||||
description | ||||
"Enumeration for the 'x509v3-ssh-dss' algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ssh-rsa { | ||||
description | ||||
"Enumeration for the 'x509v3-ssh-rsa' algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-rsa2048-sha256 { | ||||
description | ||||
"Enumeration for the 'x509v3-rsa2048-sha256' algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-nistp256 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-nistp384 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-nistp521 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa- | ||||
sha2-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum x509v3-ecdsa-sha2-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'x509v3-ecdsa-sha2-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 6187: | ||||
X.509v3 Certificates for Secure Shell Authentication"; | ||||
} | ||||
enum ssh-ed25519 { | ||||
description | ||||
"Enumeration for the 'ssh-ed25519' algorithm."; | ||||
reference | ||||
"RFC 8709: | ||||
Ed25519 and Ed448 Public Key Algorithms for the Secure | ||||
Shell (SSH) Protocol"; | ||||
} | ||||
enum ssh-ed448 { | ||||
description | ||||
"Enumeration for the 'ssh-ed448' algorithm."; | ||||
reference | ||||
"RFC 8709: | ||||
Ed25519 and Ed448 Public Key Algorithms for the Secure | ||||
Shell (SSH) Protocol"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH public key algorithms."; | ||||
} | ||||
} | ||||
]]></artwork> | ||||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
</section> | ||||
<section anchor="ssh-keyex-algs-model"> | ||||
<name>Initial Module for the "Key Exchange Method Names" Registry</name> | ||||
<t>Following are the complete contents of the initial IANA-maintained YANG module. Please note that the date "2024-03-16" reflects the day on which the extraction occurred. Applications SHOULD use the IANA-maintained module, not the module defined in this draft.</t>
<t>This YANG module has normative references to <xref target="RFC4419"/>, <xref target="RFC4432"/>, <xref target="RFC5656"/>, <xref target="RFC8268"/>, <xref target="RFC8308"/>, <xref target="RFC8731"/>, and <xref target="RFC8732"/>.</t>
<t keepWithNext="true"><CODE BEGINS> file "iana-ssh-key-exchange-algs@2024-03-16.yang"</t>
<artwork><![CDATA[ | ||||
module iana-ssh-key-exchange-algs { | ||||
yang-version 1.1; | ||||
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs"; | ||||
prefix sshkea; | ||||
organization | ||||
"Internet Assigned Numbers Authority (IANA)"; | ||||
contact | ||||
"Postal: ICANN | ||||
12025 Waterfront Drive, Suite 300 | ||||
Los Angeles, CA 90094-2536 | ||||
United States of America | ||||
Tel: +1 310 301 5800 | ||||
Email: iana@iana.org"; | ||||
description | ||||
"This module defines enumerations for the key exchange algorithms | ||||
defined in the 'Key Exchange Method Names' sub-registry of the | ||||
'Secure Shell (SSH) Protocol Parameters' registry maintained | ||||
by IANA. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | ||||
Redistribution and use in source and binary forms, with | ||||
or without modification, is permitted pursuant to, and | ||||
subject to the license terms contained in, the Revised | ||||
BSD License set forth in Section 4.c of the IETF Trust's | ||||
Legal Provisions Relating to IETF Documents | ||||
(https://trustee.ietf.org/license-info). | ||||
The initial version of this YANG module is part of RFC EEEE | ||||
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC | ||||
itself for full legal notices. | ||||
All versions of this module are published by IANA at | ||||
https://www.iana.org/assignments/yang-parameters."; | ||||
revision 2024-03-16 { | ||||
description | ||||
"This initial version of the module was created using | ||||
the script defined in RFC EEEE to reflect the contents | ||||
of the key exchange algorithms registry maintained by IANA."; | ||||
reference | ||||
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; | ||||
} | ||||
typedef ssh-key-exchange-algorithm { | ||||
type enumeration { | ||||
enum diffie-hellman-group-exchange-sha1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group-exchange-sha1' | ||||
algorithm. Section 4.1"; | ||||
reference | ||||
"RFC 4419: | ||||
Diffie-Hellman Group Exchange for the Secure Shell | ||||
(SSH) Transport Layer Protocol | ||||
RFC 8270: | ||||
Increase the Secure Shell Minimum Recommended Diffie- | ||||
Hellman Modulus Size to 2048 Bits"; | ||||
} | ||||
enum diffie-hellman-group-exchange-sha256 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group-exchange-sha256' | ||||
algorithm. Section 4.2"; | ||||
reference | ||||
"RFC 4419: | ||||
Diffie-Hellman Group Exchange for the Secure Shell | ||||
(SSH) Transport Layer Protocol | ||||
RFC 8270: | ||||
Increase the Secure Shell Minimum Recommended Diffie- | ||||
Hellman Modulus Size to 2048 Bits"; | ||||
} | ||||
enum diffie-hellman-group1-sha1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group1-sha1' | ||||
algorithm. Section 8.1"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum diffie-hellman-group14-sha1 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group14-sha1' | ||||
algorithm. Section 8.2"; | ||||
reference | ||||
"RFC 4253: | ||||
The Secure Shell (SSH) Transport Layer Protocol"; | ||||
} | ||||
enum diffie-hellman-group14-sha256 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group14-sha256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8268: | ||||
More Modular Exponentiation (MODP) Diffie-Hellman (DH) | ||||
Key Exchange (KEX) Groups for Secure Shell (SSH)"; | ||||
} | ||||
enum diffie-hellman-group15-sha512 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group15-sha512' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8268: | ||||
More Modular Exponentiation (MODP) Diffie-Hellman (DH) | ||||
Key Exchange (KEX) Groups for Secure Shell (SSH)"; | ||||
} | ||||
enum diffie-hellman-group16-sha512 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group16-sha512' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8268: | ||||
More Modular Exponentiation (MODP) Diffie-Hellman (DH) | ||||
Key Exchange (KEX) Groups for Secure Shell (SSH)"; | ||||
} | ||||
enum diffie-hellman-group17-sha512 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group17-sha512' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8268: | ||||
More Modular Exponentiation (MODP) Diffie-Hellman (DH) | ||||
Key Exchange (KEX) Groups for Secure Shell (SSH)"; | ||||
} | ||||
enum diffie-hellman-group18-sha512 { | ||||
description | ||||
"Enumeration for the 'diffie-hellman-group18-sha512' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8268: | ||||
More Modular Exponentiation (MODP) Diffie-Hellman (DH) | ||||
Key Exchange (KEX) Groups for Secure Shell (SSH)"; | ||||
} | ||||
enum ecdh-sha2-nistp256 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-nistp256' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-nistp384 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-nistp384' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-nistp521 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-nistp521' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.1' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.2.840.10045.3.1.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.33' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.26' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.27' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.16' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.36' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.37' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecdh-sha2-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'ecdh-sha2-1.3.132.0.38' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum ecmqv-sha2 { | ||||
description | ||||
"Enumeration for the 'ecmqv-sha2' algorithm."; | ||||
reference | ||||
"RFC 5656: | ||||
Elliptic Curve Algorithm Integration in the Secure | ||||
Shell Transport Layer"; | ||||
} | ||||
enum gss-group1-sha1-nistp256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-nistp384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-nistp521 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.2.840.10045.3.1.1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.2.840.10045.3.1.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.33 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.26 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.27 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.16 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.36 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.37 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group1-sha1-1.3.132.0.38 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group1-sha1-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-nistp256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-nistp384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-nistp521 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.2.840.10045.3.1.1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.2.840.10045.3.1.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.33 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.26 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.27 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.16 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.36 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.37 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha1-1.3.132.0.38 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-group14-sha1-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-nistp256 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-nistp256' algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-nistp384 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-nistp384' algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-nistp521 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-nistp521' algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.2.840.10045.3.1.1 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.2.840.10045.3.1.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.33 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.26 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.27 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.16 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.36 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.37 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-gex-sha1-1.3.132.0.38 { | ||||
status deprecated; | ||||
description | ||||
"Enumeration for the 'gss-gex-sha1-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol | ||||
RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss- { | ||||
description | ||||
"Enumeration for the 'gss-' algorithm. Section 2.6"; | ||||
reference | ||||
"RFC 4462: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Authentication and Key Exchange for the | ||||
Secure Shell (SSH) Protocol"; | ||||
} | ||||
enum rsa1024-sha1 { | ||||
status obsolete; | ||||
description | ||||
"Enumeration for the 'rsa1024-sha1' algorithm."; | ||||
reference | ||||
"RFC 4432: | ||||
RSA Key Exchange for the Secure Shell (SSH) Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum rsa2048-sha256 { | ||||
description | ||||
"Enumeration for the 'rsa2048-sha256' algorithm."; | ||||
reference | ||||
"RFC 4432: | ||||
RSA Key Exchange for the Secure Shell (SSH) Transport | ||||
Layer Protocol"; | ||||
} | ||||
enum ext-info-s { | ||||
description | ||||
"Enumeration for the 'ext-info-s' algorithm. Section 2"; | ||||
reference | ||||
"RFC 8308: | ||||
Extension Negotiation in the Secure Shell (SSH) | ||||
Protocol"; | ||||
} | ||||
enum ext-info-c { | ||||
description | ||||
"Enumeration for the 'ext-info-c' algorithm. Section 2"; | ||||
reference | ||||
"RFC 8308: | ||||
Extension Negotiation in the Secure Shell (SSH) | ||||
Protocol"; | ||||
} | ||||
enum gss-group14-sha256-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group14-sha256-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group14-sha256-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group14-sha256-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group15-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group15-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group15-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group16-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group16-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group16-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group17-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group17-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group17-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
group18-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-group18-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-group18-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
nistp256-sha256-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp256-sha256-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-nistp256-sha256-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
nistp384-sha384-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp384-sha384-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-nistp384-sha384-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
nistp521-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-nistp521-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-nistp521-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
curve25519-sha256-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve25519-sha256-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-curve25519-sha256-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-nistp256 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-nistp256' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-nistp384 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-nistp384' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-nistp521 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-nistp521' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.1 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.1' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.2.840.10045.3.1.1 { | ||||
description | ||||
"Enumeration for the 'gss- | ||||
curve448-sha512-1.2.840.10045.3.1.1' algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.33 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.33' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.26 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.26' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.27 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.27' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.16 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.16' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.36 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.36' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.37 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.37' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum gss-curve448-sha512-1.3.132.0.38 { | ||||
description | ||||
"Enumeration for the 'gss-curve448-sha512-1.3.132.0.38' | ||||
algorithm."; | ||||
reference | ||||
"RFC 8732: | ||||
Generic Security Service Application Program Interface | ||||
(GSS-API) Key Exchange with SHA-2"; | ||||
} | ||||
enum curve25519-sha256 { | ||||
description | ||||
"Enumeration for the 'curve25519-sha256' algorithm."; | ||||
reference | ||||
"RFC 8731: | ||||
Secure Shell (SSH) Key Exchange Method Using | ||||
Curve25519 and Curve448"; | ||||
} | ||||
enum curve448-sha512 { | ||||
description | ||||
"Enumeration for the 'curve448-sha512' algorithm."; | ||||
reference | ||||
"RFC 8731: | ||||
Secure Shell (SSH) Key Exchange Method Using | ||||
Curve25519 and Curve448"; | ||||
} | ||||
} | ||||
description | ||||
"An enumeration for SSH key exchange algorithms."; | ||||
} | ||||
} | ||||
]]></artwork> | ||||
<t keepWithPrevious="true"><CODE ENDS></t> | ||||
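<t>The enumeration above closes the list of key-exchange algorithm names that a configured value must match. For the RFC 8732 methods, however, the name an SSH peer actually sends in SSH_MSG_KEXINIT follows the RFC 4462 (Section 2.3) convention: "gss-", then the key-exchange family (for example "group14-sha256"), then the Base64 encoding of the MD5 hash of the DER-encoded GSS-API mechanism OID. A value copied from a packet capture therefore does not string-match an enumeration entry directly. The following Python is an added example, not part of RFC 9644, RFC 8732 or any SSH implementation: it extracts the enum identifiers from YANG source, derives the RFC 8732 mechanism suffix (the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 is the only mechanism assumed), and sorts a peer's kex_algorithms name-list into entries that match the enumeration, GSS-API methods recognised by their suffix, extension markers, weak SHA-1 or group1 methods, and unknowns. The YANG excerpt and the name-list are constructed sample input.</t>

```python
"""Relate SSH key-exchange algorithm names to the ietf-ssh-common enumeration.

Added example for this page; not part of RFC 9644, RFC 8732, or any SSH
implementation. The YANG excerpt and KEXINIT list are constructed input.
"""
import base64
import hashlib
import re

# Constructed excerpt of the enumeration above, reduced to a few identifiers
# with shortened substatements; feed the full module text in real use.
YANG_EXCERPT = """
    type enumeration {
      enum gss-group16-sha512-nistp256 {
        description
          "Enumeration for the 'gss-group16-sha512-nistp256' algorithm.";
      }
      enum gss-curve25519-sha256-nistp256 {
        description "Enumeration for the 'gss-curve25519-sha256-nistp256' algorithm.";
      }
      enum curve25519-sha256 {
        description "Enumeration for the 'curve25519-sha256' algorithm.";
      }
      enum curve448-sha512 {
        description "Enumeration for the 'curve448-sha512' algorithm.";
      }
    }
"""

# Kerberos V5 mechanism OID (RFC 1964): the only GSS-API mechanism assumed here.
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5"}

# RFC 8308 extension markers and OpenSSH strict-KEX markers travel in
# kex_algorithms but are not key-exchange methods.
MARKERS = {"ext-info-c", "ext-info-s",
           "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}

# Substrings identifying deprecated SHA-1 or 1024-bit group exchanges.
WEAK_MARKERS = ("-sha1", "group1-")


def yang_enum_names(yang_text):
    """Return the enum identifiers of a YANG enumeration in source order."""
    return re.findall(r"^\s*enum\s+([^\s{;]+)", yang_text, flags=re.MULTILINE)


def _base128(arc):
    """DER base-128 encoding of one OID arc (high bit set on all but the last byte)."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))


def der_oid(dotted):
    """DER-encode a dotted OID including the 0x06 tag and short-form length."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) in (0, 1) or arcs[0] > 2 or (arcs[0] != 2 and arcs[1] > 39):
        raise ValueError(f"malformed OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + body


def gss_method_suffix(mech_oid):
    """RFC 4462 Section 2.3 rule, reused by RFC 8732: Base64(MD5(DER(mechanism OID)))."""
    return base64.b64encode(hashlib.md5(der_oid(mech_oid)).digest()).decode("ascii")


def gss_kex_name(kex_family, mech_oid):
    """Wire name of an RFC 8732 method, e.g. gss-group14-sha256-SUFFIX."""
    return f"gss-{kex_family}-{gss_method_suffix(mech_oid)}"


def classify_kexinit(offered, enum_names, mechs=KNOWN_MECHS):
    """Sort a peer's kex_algorithms name-list against the YANG enumeration.

    GSS-API names are recognised by their mechanism suffix and mapped back to
    the key-exchange family. Weak entries are listed in addition to their bucket.
    """
    enum_set = set(enum_names)
    suffix_to_mech = {gss_method_suffix(oid): name for oid, name in mechs.items()}
    report = {"in_enum": [], "gss": {}, "markers": [], "weak": [], "unknown": []}
    for name in offered:
        if name in MARKERS:
            report["markers"].append(name)
            continue
        if any(marker in name for marker in WEAK_MARKERS):
            report["weak"].append(name)
        if name in enum_set:
            report["in_enum"].append(name)
            continue
        if name.startswith("gss-"):
            family, _, suffix = name[4:].rpartition("-")
            if suffix in suffix_to_mech:
                report["gss"][name] = (family, suffix_to_mech[suffix])
                continue
        report["unknown"].append(name)
    return report


# Constructed kex_algorithms list as a peer might send it in SSH_MSG_KEXINIT.
SAMPLE_KEXINIT = [
    "curve25519-sha256",
    gss_kex_name("curve25519-sha256", "1.2.840.113554.1.2.2"),
    "diffie-hellman-group1-sha1",
    "ext-info-c",
]

if __name__ == "__main__":
    for bucket, entries in classify_kexinit(SAMPLE_KEXINIT, yang_enum_names(YANG_EXCERPT)).items():
        print(f"{bucket}: {entries}")
```

<t>Run as a script it prints the five buckets for the constructed list. With the full ietf-ssh-common module text in place of the excerpt, every name under "unknown" is one the model cannot express in configuration, and "weak" is what to drop from a server's own list regardless of what the enumeration allows.</t>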
</section> | ||||
</section> | ||||
<section anchor="change-log"> | ||||
<name>Change Log</name> | ||||
<section> | ||||
<name>00 to 01</name> | ||||
<ul spacing="normal"> | ||||
<li>Noted that '0.0.0.0' and '::' might have special meanings.</li> | ||||
<li>Renamed "keychain" to "keystore".</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>01 to 02</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed the groupings 'listening-ssh-client-grouping' and | ||||
'listening-ssh-server-grouping'. Now modules only contain the | ||||
transport-independent groupings.</li> | ||||
<li>Simplified the "client-auth" part in the ietf-ssh-client | ||||
module. It now inlines the nodes that it previously referenced in the keystore.</li> | ||||
<li>Added cipher suites for various algorithms into new | ||||
'ietf-ssh-common' module.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>02 to 03</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed 'RESTRICTED' enum from 'password' leaf type.</li> | ||||
<li>Added a 'must' statement to container 'server-auth' asserting | ||||
that at least one of the various auth mechanisms must be | ||||
specified.</li> | ||||
<li>Fixed description statement for leaf 'trusted-ca-certs'.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>03 to 04</name> | ||||
<ul spacing="normal"> | ||||
<li>Changed the title to "YANG Groupings for SSH Clients and SSH | ||||
Servers".</li> | ||||
<li>Added a reference to RFC 6668.</li> | ||||
<li>Added RFC 8174 to Requirements Language Section.</li> | ||||
<li>Enhanced description statement for ietf-ssh-server's | ||||
"trusted-ca-certs" leaf.</li> | ||||
<li>Added mandatory true to ietf-ssh-client's "client-auth" | ||||
'choice' statement.</li> | ||||
<li>Changed the YANG prefix for module ietf-ssh-common from | ||||
'sshcom' to 'sshcmn'.</li> | ||||
<li>Removed the compression algorithms as they are not commonly | ||||
configurable in vendors' implementations.</li> | ||||
<li>Updated descriptions in transport-params-grouping and the | ||||
server's usage of it.</li> | ||||
<li>Tree diagrams now reference ietf-netmod-yang-tree-diagrams.</li> | ||||
<li>Updated YANG to use typedefs around leafrefs to common keystore | ||||
paths.</li> | ||||
<li>Now inlines keys and certificates (no longer a leafref to the | ||||
keystore).</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>04 to 05</name> | ||||
<ul spacing="normal"> | ||||
<li>Merged changes from co-author.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>05 to 06</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated to use trust anchors from the trust-anchors draft (was the | ||||
keystore draft).</li> | ||||
<li>Now uses new keystore grouping enabling asymmetric key to be | ||||
either locally defined or a reference to the keystore.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>06 to 07</name> | ||||
<ul spacing="normal"> | ||||
<li>Factored the ssh-[client|server]-groupings into more reusable | ||||
groupings.</li> | ||||
<li>Added if-feature statements for the new "ssh-host-keys" and | ||||
"x509-certificates" features defined in | ||||
draft-ietf-netconf-trust-anchors.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>07 to 08</name> | ||||
<ul spacing="normal"> | ||||
<li>Added a number of compatibility matrices to Section 5 (thanks Frank!).</li> | ||||
<li>Clarified that any configured "host-key-alg" values need to be | ||||
compatible with the configured private key.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>08 to 09</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated examples to reflect the update to groupings defined in the keystore -09 draft.</li> | ||||
<li>Added SSH keepalive features and groupings.</li> | ||||
<li>Prefixed top-level SSH grouping nodes with 'ssh-' and support mashups.</li> | ||||
<li>Updated copyright date, boilerplate template, affiliation, and folding algorithm.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>09 to 10</name> | ||||
<ul spacing="normal"> | ||||
<li>Reformatted the YANG modules.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>10 to 11</name> | ||||
<ul spacing="normal"> | ||||
<li>Reformatted lines causing folding to occur.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>11 to 12</name> | ||||
<ul spacing="normal"> | ||||
<li>Collapsed all the inner groupings into the top-level grouping.</li | ||||
> | ||||
<li>Added a top-level "demux container" inside the top-level grouping. | ||||
</li> | ||||
<li>Added NACM statements and updated the Security Considerations sect | ||||
ion.</li> | ||||
<li>Added "presence" statements on the "keepalive" containers, as was | ||||
needed to address a validation error that appeared after adding th | ||||
e | ||||
"must" statements into the NETCONF/RESTCONF client/server modules. | ||||
</li> | ||||
<li>Updated the boilerplate text in module-level "description" stateme | ||||
nt | ||||
to match copyeditor convention.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>12 to 13</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed the "demux containers", floating the | ||||
nacm:default-deny-write to each descendant node, and | ||||
adding a note to model designers regarding the potential | ||||
need to add their own demux containers.</li> | ||||
<li>Fixed a couple references (section 2 --> section 3)</li> | ||||
<li>In the server model, replaced <client-cert-auth> | ||||
with <client-authentication> and introduced | ||||
'inline-or-external' choice.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>13 to 14</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated to reflect changes in trust-anchors drafts | ||||
(e.g., s/trust-anchors/truststore/g + s/pinned.//)</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>14 to 15</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated examples to reflect ietf-crypto-types change | ||||
(e.g., identities --> enumerations)</li> | ||||
<li>Updated "server-authentication" and "client-authentication" nodes | ||||
from | ||||
being a leaf of type "ts:host-keys-ref" or "ts:certificates-ref" t | ||||
o a | ||||
container that uses "ts:inline-or-truststore-host-keys-grouping" o | ||||
r | ||||
"ts:inline-or-truststore-certs-grouping".</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>15 to 16</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed unnecessary if-feature statements in the -client and -serv | ||||
er modules.</li> | ||||
<li>Cleaned up some description statements in the -client and -server | ||||
modules.</li> | ||||
<li>Fixed a canonical ordering issue in ietf-ssh-common detected by ne | ||||
w pyang.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>16 to 17</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed choice inline-or-external by removing the 'external' case | ||||
and flattening | ||||
the 'local' case and adding a "local-users-supported" feature.</li | ||||
> | ||||
<li>Updated examples to include the "*-key-format" nodes.</li> | ||||
<li>Augmented-in "must" expressions ensuring that locally-defined publ | ||||
ic-key-format | ||||
are "ct:ssh-public-key-format" (must expr for ref'ed keys are TBD) | ||||
.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>17 to 18</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed leaf-list 'other' from ietf-ssh-server.</li> | ||||
<li>Removed unused 'external-client-auth-supported' feature.</li> | ||||
<li>Added features client-auth-password, client-auth-hostbased, and cl | ||||
ient-auth-none.</li> | ||||
<li>Renamed 'host-key' to 'public-key' for when refering to 'publickey | ||||
' based auth.</li> | ||||
<li>Added new feature-protected 'hostbased' and 'none' to the 'user' n | ||||
ode's config.</li> | ||||
<li>Added new feature-protected 'hostbased' and 'none' to the 'client- | ||||
identity' node's config.</li> | ||||
<li>Updated examples to reflect new "bag" addition to truststore.</li> | ||||
<li>Refined truststore/keystore groupings to ensure the key formats "m | ||||
ust" be particular values.</li> | ||||
<li>Switched to using truststore's new "public-key" bag (instead of se | ||||
parate "ssh-public-key" | ||||
and "raw-public-key" bags.</li> | ||||
<li>Updated client/server examples to cover ALL cases (local/ref x cer | ||||
t/raw-key/psk).</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>18 to 19</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated the "keepalives" containers to address Michal Vasko's requ | ||||
est to | ||||
align with RFC 8071.</li> | ||||
<li>Removed algorithm-mapping tables from the "SSH Common Model" secti | ||||
on</li> | ||||
<li>Removed 'algorithm' node from examples.</li> | ||||
<li>Added feature "userauth-publickey"</li> | ||||
<li>Removed "choice auth-type", as auth-types are not exclusive.</li> | ||||
<li>Renamed both "client-certs" and "server-certs" to "ee-certs"</li> | ||||
<li>Switch "must" to assert the public-key-format is "subject-public-k | ||||
ey-info-format" when certificates are used.</li> | ||||
<li>Added a "Note to Reviewers" note to first page.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>19 to 20</name> | ||||
<ul spacing="normal"> | ||||
<li>Added a "must 'public-key or password or hostbased or none or cert | ||||
ificate'" | ||||
statement to the "user" node in ietf-ssh-client</li> | ||||
<li>Expanded "Data Model Overview section(s) [remove "wall" of tree di | ||||
agrams].</li> | ||||
<li>Moved the "ietf-ssh-common" module section to proceed the other tw | ||||
o module sections.</li> | ||||
<li>Updated the Security Considerations section.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>20 to 21</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated examples to reflect new "cleartext-" prefix in the crypto- | ||||
types draft.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>21 to 22</name> | ||||
<ul spacing="normal"> | ||||
<li>Cleaned up the SSH-client examples (i.e., removing FIXMEs)</li> | ||||
<li>Fixed issues found by the SecDir review of the "keystore" draft.</ | ||||
li> | ||||
<li>Updated the "ietf-ssh-client" module to use the new "password-grou | ||||
ping" | ||||
grouping from the "crypto-types" module.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>22 to 23</name> | ||||
<ul spacing="normal"> | ||||
<li>Addressed comments raised by YANG Doctor in the ct/ts/ks drafts.</ | ||||
li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>23 to 24</name> | ||||
<ul spacing="normal"> | ||||
<li>Removed the 'supported-authentication-methods' from {grouping ssh- | ||||
server-grouping}/client-authentication.</li> | ||||
<li>Added XML-comment above examples explaining the reason for the une | ||||
xepected top-most element's presence.</li> | ||||
<li>Added RFC-references to various 'feature' statements.</li> | ||||
<li>Renamed "credentials" to "authentication methods"</li> | ||||
<li>Renamed "client-auth-*" to "userauth-*"</li> | ||||
<li>Renamed "client-identity-*" to "userauth-*"</li> | ||||
<li>Fixed nits found by YANG Doctor reviews.</li> | ||||
<li>Aligned modules with `pyang -f` formatting.</li> | ||||
<li>Added a 'Contributors' section.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>24 to 25</name> | ||||
<ul spacing="normal"> | ||||
<li>Moved algorithms in ietf-ssh-common (plus more) to IANA-maintained | ||||
modules</li> | ||||
<li>Added "config false" lists for algorithms supported by the server. | ||||
</li> | ||||
<li>Renamed "{ietf-ssh-client}userauth-*" to "client-ident-*"</li> | ||||
<li>Renamed "{ietf-ssh-server}userauth-*" to "local-user-auth-*"</li> | ||||
<li>Fixed issues found during YANG Doctor review.</li> | ||||
<li>Fixed issues found during Secdir review.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>25 to 26</name> | ||||
<ul spacing="normal"> | ||||
<li>Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples.</ | ||||
li> | ||||
<li>Minor editorial nits</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>26 to 27</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixed up the 'WG Web' and 'WG List' lines in YANG module(s)</li> | ||||
<li>Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s) | ||||
</li> | ||||
<li>Created identityref-based typedefs for each of the four IANA alg i | ||||
dentity bases.</li> | ||||
<li>Added ietf-ssh-common:generate-asymmetric-key-pair() RPC for discu | ||||
ssion.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>27 to 28</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixed example to not have line-returns around "identity" values.</ | ||||
li> | ||||
<li>Fixed examples to not include "xmlns:algs".</li> | ||||
<li>Added an example for the "generate-asymmetric-key-pair" RPC.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>28 to 29</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated modules to IANA-maintained modules in Appendix A to 2022-0 | ||||
6-16.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>29 to 30</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixed 'must' expressions.</li> | ||||
<li>Added missing 'revision' statement.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>30 to 31</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated per Shepherd reviews impacting the suite of drafts.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>31 to 32</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated per Shepherd reviews impacting the suite of drafts.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>32 to 33</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated per Tom Petch review.</li> | ||||
<li>Updated Intro to clarify what "generic" means.</li> | ||||
<li>Added RPC-reply for 'generate-asymmetric-key-pair' example.</li> | ||||
<li>Added references to RFC 4251 and FIPS 186-6.</li> | ||||
<li>Added "if-feature ct:encrypted-private-keys" for "case cleartext". | ||||
</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>33 to 34</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses AD review comments.</li> | ||||
<li>Added note to Editor to fix line foldings.</li> | ||||
<li>Introduction now more clearly identifies the "ietf-" and "iana-" m | ||||
odules defined.</li> | ||||
<li>Clarified that the modules, when implemented, do not define any pr | ||||
otocol-accessible nodes.</li> | ||||
<li>Clarified that IANA may deprecate and/or obsolete identities over | ||||
time.</li> | ||||
<li>Added Security Consideration for the "generate-asymmetric-key-pair | ||||
" RPC.</li> | ||||
<li>Added Security Considerations text to also look a SC-section from | ||||
imported modules.</li> | ||||
<li>Fixed private-key "must" expressions to not require public-key nod | ||||
es to be present.</li> | ||||
<li>Renamed leaf from "bits" to "num-bits".</li> | ||||
<li>Renamed leaf from "hide" to "hidden".</li> | ||||
<li>Added container "private-key-encoding" to wrap existing choice.</l | ||||
i> | ||||
<li>Removed "public-key-format" and "public-key" nodes from examples.< | ||||
/li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>34 to 35</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses AD review by Rob Wilton.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>35 to 36</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses 1st-round of IESG reviews.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>36 to 38</name> | ||||
<ul spacing="normal"> | ||||
<li>Addresses issues found in OpsDir review of the ssh-client-server d | ||||
raft.</li> | ||||
<li>Replaced identities with enums in the IANA modules.</li> | ||||
<li>Updated per Elwyn Davies' Gen-ART review.</li> | ||||
<li>Updated Introduction to read more like the Abstract</li> | ||||
<li>Add refs to where the 'operational' and 'system' datastores are de | ||||
fined.</li> | ||||
<li>Updated Editor-notes to NOT remove the script (just remove the ini | ||||
tial IANA modules)</li> | ||||
<li>Renamed Security Considerations section s/Template for/Considerati | ||||
ons for/</li> | ||||
<li>s/defines/presents/ in a few places.</li> | ||||
<li>Renamed script from 'gen-identities.py' to 'gen-yang-modules.py'</ | ||||
li> | ||||
<li>Removed the removeInRFC="true" attribute in Appendix sections</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>38 to 39</name> | ||||
<ul spacing="normal"> | ||||
<li>Address IESG review comments.</li> | ||||
</ul> | ||||
</section> | ||||
<section> | ||||
<name>39 to 40</name> | ||||
<ul spacing="normal"> | ||||
<li>Updated to reflect comments from Paul Wouters.</li> | ||||
<li>Fixed the "generate-asymmetric-key-pair" RPC to return the | ||||
location to where hidden keys are created.</li> | ||||
</ul> | ||||
</section> | ||||
</section> | </section> | |||
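Review bot: dropping the draft change log (entries "04 to 05" through "39 to 40" in the left column) is the expected step at publication, but the final entry records that the "generate-asymmetric-key-pair" RPC was changed to return the location where hidden keys are created; confirm that the published RPC description and the Security Considerations text capture that behaviour, since the log that recorded it no longer ships. The left-column spelling slips ("servers's", "refering", "unexepected", "proceed" where "precede" is meant) need no action, as the whole section is removed.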
<section numbered="false"> | <section numbered="false"> | |||
<name>Acknowledgements</name> | <name>Acknowledgements</name> | |||
<t>The authors would like to thank the following for lively discussions | <t>The authors would like to thank the following for lively discussions | |||
on list and in the halls (ordered by first name): | on list and in the halls (ordered by first name): | |||
Alan Luchuk, | <contact fullname="Alan Luchuk"/>, | |||
Andy Bierman, | <contact fullname="Andy Bierman"/>, | |||
Balázs Kovács, | <contact fullname="Balázs Kovács"/>, | |||
Barry Leiba, | <contact fullname="Barry Leiba"/>, | |||
Benoit Claise, | <contact fullname="Benoit Claise"/>, | |||
Bert Wijnen, | <contact fullname="Bert Wijnen"/>, | |||
David Lamparter, | <contact fullname="David Lamparter"/>, | |||
Elwyn Davies, | <contact fullname="Elwyn Davies"/>, | |||
Gary Wu, | <contact fullname="Gary Wu"/>, | |||
Jürgen Schönwälder, | <contact fullname="Jürgen Schönwälder"/>, | |||
Ladislav Lhotka, | <contact fullname="Ladislav Lhotka"/>, | |||
Liang Xia, | <contact fullname="Liang Xia"/>, | |||
Martin Björklund, | <contact fullname="Martin Björklund"/>, | |||
Martin Thomson, | <contact fullname="Martin Thomson"/>, | |||
Mehmet Ersue, | <contact fullname="Mehmet Ersue"/>, | |||
Michal Vaško, | <contact fullname="Michal Vaško"/>, | |||
Murray Kucherawy, | <contact fullname="Murray Kucherawy"/>, | |||
Paul Wouters, | <contact fullname="Paul Wouters"/>, | |||
Per Andersson, | <contact fullname="Per Andersson"/>, | |||
Phil Shafer, | <contact fullname="Phil Shafer"/>, | |||
Qin Wun, | <contact fullname="Qin Wun"/>, | |||
Radek Krejci, | <contact fullname="Radek Krejci"/>, | |||
Rob Wilton, | <contact fullname="Rob Wilton"/>, | |||
Roman Danyliw, | <contact fullname="Roman Danyliw"/>, | |||
Russ Housley, | <contact fullname="Russ Housley"/>, | |||
Sean Turner, | <contact fullname="Sean Turner"/>, | |||
Tom Petch, | <contact fullname="Thomas Martin"/>, | |||
Thomas Martin, | <contact fullname="Tom Petch"/>, | |||
and Warren Kumari.</t> | and <contact fullname="Warren Kumari"/>.</t> | |||
</section> | </section> | |||
<section numbered="false"> | <section numbered="false"> | |||
<name>Contributors</name> | <name>Contributors</name> | |||
<t>Special acknowledgement goes to Gary Wu for his work on the | <t>Special acknowledgement goes to <contact fullname="Gary Wu"/> for his w ork on the | |||
"ietf-ssh-common" module.</t> | "ietf-ssh-common" module.</t> | |||
</section> | </section> | |||
</back> | </back> | |||
</rfc> | </rfc> | |||
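Review bot: in the Acknowledgements (right column) the swap placing "Thomas Martin" ahead of "Tom Petch" restores the "ordered by first name" rule the paragraph itself states, and wrapping each name in a <contact fullname="..."/> element is the correct RFCXML v3 markup. One thing to verify in the Contributors paragraph: the right column renders "his w ork on the", which looks like a column-wrap artifact of the diff viewer rather than an edit to the source, so check that the source still reads "work". "Qin Wun" is identical on both sides; now that every name is an explicit <contact> element, it is worth confirming that spelling with the person acknowledged before publication.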
End of changes. 340 change blocks.
4973 lines changed or deleted | 948 lines changed or added
This html diff was produced by rfcdiff 1.48.