Add support for ietf-ssh-server YANG
The IETF draft SSH server model (ietf-ssh-server) provides groupings that can be reused from the Infix services model instead of defining our own SSH leaves from scratch.
Scope:
- [ ] Enable disable service
- [ ] Change listening port
- [ ] Bind to a single interface
- [ ] Host key handling similar to the NETCONF "genkey" setup
Future:
- [ ] Add support for certificates
Note: netopeer2-server uses libssh to serve NETCONF over SSH on port 830 (the IANA-assigned NETCONF-over-SSH port). That listener should probably be governed by the NETCONF model and not by the SSH server model, so that the two transports can be enabled and hardened independently.
Blocked by #434, which brings in the latest revision of the IETF SSH model.
The NETCONF model only includes the parts of the SSH model needed for the SSH transport. @troglobit
Looks like it might be better to just extend infix-services.yang.
Update Oct 1: extend infix-services.yang with a `uses` of the groupings from ietf-ssh-server.yang, trimmed down heavily with deviations to the subset Infix actually implements.
Reduced scope (enable/disable + custom port) re-targeted for v24.11.
Proposed model (infix-services):
module infix-services {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:infix-services";
prefix infix-svc;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
import ietf-ssh-server {
prefix ssh-srv;
}
import ietf-ssh-common {
prefix ssh-common;
}
import ietf-tcp-server {
prefix tcp-srv;
}
import ietf-keystore {
prefix ks;
}
organization "KernelKit";
contact "[email protected]";
description "Infix services, generic.";
// NOTE(review): the 2024-06-08 and 2024-05-30 revisions carry identical
// description text; confirm what the later revision actually changed so
// the revision history stays meaningful.
revision 2024-06-08 {
description "Add support for RESTCONF enable/disable as a web service.";
reference "internal";
}
revision 2024-05-30 {
description "Add support for RESTCONF enable/disable as a web service.";
reference "internal";
}
revision 2024-04-08 {
description "Initial support for web services.";
reference "internal";
}
revision 2023-10-16 {
description "Drop SSDP support, mDNS-SD is now available in Windows 10.";
reference "internal";
}
revision 2023-08-22 {
description "Initial revision, add SSDP and mDNS-SD enable/disable only.";
reference "internal";
}
....
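container ssh {
  description
    "SSH daemon (interactive login service) settings.  Enabling this
     service exposes a login prompt on every configured listen
     endpoint, so the host key and listen list below define the
     service's attack surface.";

  leaf enabled {
    description "Disable or enable SSH daemon";
    type boolean;
    default true;
  }

  choice host-key-type {
    description
      "The type of host key being specified";
    container public-key {
      description
        "A locally-defined or referenced asymmetric key pair
         to be used for the SSH server's host key.";
      reference
        "RFC 9642: A YANG Data Model for a Keystore";
      uses ks:inline-or-keystore-asymmetric-key-grouping {
        // Only SSH-formatted public keys are acceptable as host keys,
        // whether the key is defined inline or referenced from the
        // central keystore.
        refine "inline-or-keystore/inline/inline-definition" {
          must 'not(public-key-format) or derived-from-or-self'
             + '(public-key-format, "ct:ssh-public-key-format")';
        }
        refine "inline-or-keystore/central-keystore/"
             + "central-keystore-reference" {
          must 'not(deref(.)/../ks:public-key-format) or '
             + 'derived-from-or-self(deref(.)/../ks:public-'
             + 'key-format, "ct:ssh-public-key-format")';
        }
      }
    }
  }

  list listen {
    key "name";
    description
      "Endpoints the SSH daemon listens on.  Entries are keyed by a
       free-form name so that address and port can stay optional and
       carry defaults: a list key leaf must always be given when an
       entry is created and therefore cannot have a default value
       (RFC 7950, Sections 7.6.4 and 7.8.2; pyang rejects a default
       on a key leaf).";
    // TODO(review): define what an empty 'listen' list means for the
    // running daemon (no listener at all, or the daemon's built-in
    // default of port 22 on all addresses).

    leaf name {
      description "Unique name identifying this listen endpoint.";
      type string;
    }

    leaf address {
      description
        "The local IP address to listen on for incoming
         SSH client connections. INADDR_ANY (0.0.0.0) or
         INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be
         used when the server is to listen on all IPv4 or
         IPv6 addresses, respectively.  Binding the wildcard
         address exposes the service on every interface,
         including interfaces brought up later.";
      type inet:ip-address;
      // TODO(review): state what an omitted address means (wildcard
      // bind, or entry ignored) so operators are not surprised by an
      // unintended exposure.
    }

    leaf port {
      description "Local port for SSH daemon to listen to.
        The standard port for SSH is 22";
      type inet:port-number;
      default "22";
    }
  }
}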
......
}
Very nice! A few comments:
- Please put `description` first in the leaf definitions; I've tried to be consistent about that in the other models.
- Could you post the tree view (`-f tree` output) as well?
module: infix-services
  +--rw mdns
  |  +--rw enabled?   boolean
  +--rw ssh
  |  +--rw enabled?   boolean
  |  +--rw hostkey*   ks:asymmetric-key-ref
  |  +--rw listen* [name]
  |     +--rw name       string
  |     +--rw address?   inet:ip-address
  |     +--rw port?      inet:port-number
  +--rw web
     +--rw enabled?   boolean
     +--rw console
     |  +--rw enabled?   boolean
     +--rw netbrowse
     |  +--rw enabled?   boolean
     +--rw restconf
        +--rw enabled?   boolean