updated 'keyboard-interactive' model definition

netconf-wg · Apr 23, 2021 · c434d24 · c434d24
1 parent 1e59887
commit c434d24
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 112 deletions.
diff --git a/ietf-ssh-server.yang b/ietf-ssh-server.yang
@@ -265,105 +265,31 @@ module ietf-ssh-server {
     container client-authentication {
       nacm:default-deny-write;
       description
-        "Specifies how the SSH server can authenticate SSH clients.";
-      container supported-authentication-methods {
-        description
-          "Indicates which authentication methods the server
-           supports.";
-        leaf publickey {
-          if-feature client-auth-publickey;
-          type empty;
-          description
-            "Indicates that the 'publickey' method is supported.
-             Note that RFC 6187 X.509v3 Certificates for SSH uses
-             the 'publickey' method name.";
-          reference
-            "RFC 4252: The Secure Shell (SSH) Authentication
-                       Protocol.
-             RFC 6187: X.509v3 Certificates for Secure Shell
-                       Authentication.";
-        }
-        leaf password {
-          if-feature client-auth-password;
-          type empty;
-          description
-            "Indicates that the 'password' method is supported.";
-          reference
-            "RFC 4252: The Secure Shell (SSH) Authentication
-                       Protocol.";
-        }
-        leaf hostbased {
-          if-feature client-auth-hostbased;
-          type empty;
-          description
-            "Indicates that the 'hostbased' method is supported.";
-          reference
-            "RFC 4252: The Secure Shell (SSH) Authentication
-                       Protocol.";
-        }
-        leaf none {
-          if-feature client-auth-none;
-          type empty;
-          description
-            "Indicates that the 'none' method is supported.";
-          reference
-            "RFC 4252: The Secure Shell (SSH) Authentication
-                       Protocol.";
-        }
-        container keyboard-interactive {
-          if-feature client-auth-keyboard-interactive;
-          presence
-            "Indicates that the 'keyboard-interactive' method is
-             supported.";
-          description
-            "Additional configuration may be augmented-in by
-             consuming modules as needed.";
-          reference
-            "RFC 4256: Generic Message Exchange Authentication
-                       for the Secure Shell Protocol (SSH)";
-        }
-        container gssapi-with-mic {
-          if-feature client-auth-gssapi-with-mic;
-          presence
-            "Indicates that the 'gssapi-with-mic' method is
-             supported.";
-          description
-            "Additional configuration may be augmented-in by
-             consuming modules as needed.";
-          reference
-            "RFC 4462:
-              Generic Security Service Application Program
-              Interface (GSS-API) Authentication and Key
-              Exchange for the Secure Shell (SSH) Protocol";
-        }
-        container gssapi-keyex {
-          if-feature client-auth-gssapi-keyex;
-          presence
-            "Indicates that the 'gssapi-keyex' method is
-             supported.";
-          description
-            "Additional configuration may be augmented-in by
-             consuming modules as needed.";
-          reference
-            "RFC 4462:
-              Generic Security Service Application Program
-              Interface (GSS-API) Authentication and Key
-              Exchange for the Secure Shell (SSH) Protocol";
-        }
-      }
+        "Specifies how the SSH server can authenticate SSH clients.
 
+         The 'client-auth-config-supported' feature enables the
+         'users' subtree, which is a lightweight user database.
+         If the feature is not enabled, consuming module SHOULD
+         augment-in nodes needed for lookups into an external
+         user database.";
       container users {
         if-feature "client-auth-config-supported";
         description
-          "A list of locally configured users.";
+          "A list of locally configured users (i.e., SSH clients).";
         list user {
           key name;
           description
-            "The list of local users configured on this device.";
+            "A locally configured user (i.e., SSH client).
+
+             The server SHOULD derive the list of authentication
+             'method names' returned to the SSH client, per Sections
+             5.1 and 5.2 in RFC 4252, from the descendent nodes
+             configured herein.";
           leaf name {
             type string;
             description
-             "The user name string identifying this entry.";
+             "The 'user name' for the SSH client, as defined in the
+              SSH_MSG_USERAUTH_REQUEST message in RFC 4253.";
           }
           container public-keys {
             if-feature client-auth-publickey;
@@ -436,24 +362,73 @@ module ietf-ssh-server {
               "RFC 4252: The Secure Shell (SSH) Authentication
                          Protocol.";
           }
-          list keyboard-interactive {
+          container keyboard-interactive {
             if-feature "client-auth-keyboard-interactive";
-            key submethod;
+            presence
+              "Indicates 'keyboard-interactive' has been configured.
+               Present so that 'mandatory' decendant nodes do not
+               imply that this node must be configured.";
             description
-              "Indicates that the server can authenticate this
-               user using the configured submethod.  Consuming
-               modules may augment-in submethod-specific 
-               configuration as needed.";
-            leaf submethod {
-              type string;
-              description
-                "The name of the 'submethod'.  Valid values are
-                 something the client and the server need to
-                 agree on.";
-            }
+               "The 'keyboard-interactive' method is defined in
+                RFC 4256 to present a set of challenge-expected
+                response pairs to authenticate users.";
             reference
               "RFC 4256: Generic Message Exchange Authentication
                          for the Secure Shell Protocol (SSH)";
+            leaf default-submethod {
+              type leafref {
+                path "../submethod/name";
+              }
+              mandatory true;
+              description
+                "If the user does not request any specific
+                 submethod, this one will be used.";
+            }
+            list submethod {
+              key "name";
+              min-elements 1;
+              description
+                "All the submethods supported for the user.";
+              leaf name {
+                type string;
+                description
+                  "The submethod's name.  Valid values need
+                   to be externally agreed on by clients and
+                   servers, per RFC 4256.";
+              }
+              leaf instruction {
+                type string;
+                description
+                  "The instruction presented to the user for this
+                   submethod.";
+              }
+              list prompt {
+                key "challenge";
+                min-elements 1;
+                description
+                  "List of prompts presented to the user that
+                   must be passed for successful authentication
+                   of this submethod.";
+                leaf challenge {
+                  type string;
+                  description
+                    "The challenge (prompt) presented to the user.";
+                }
+                leaf response {
+                  type string;
+                  mandatory true;
+                  description
+                    "The expected response to the challenge.";
+                }
+                leaf echo {
+                  type boolean;
+                  default true;
+                  description
+                    "Whether to enable or disable shell echo in case
+                     some sensitive information is requested.";
+                }
+              }
+            }
           }
           list gssapi-with-mic {
             if-feature "client-auth-gssapi-with-mic";

diff --git a/refs/ex-ssh-server-keystore.xml b/refs/ex-ssh-server-keystore.xml
@@ -25,9 +25,6 @@
 
   <!-- the client credentials this SSH server will trust -->
   <client-authentication>
-    <supported-authentication-methods>
-      <publickey/>
-    </supported-authentication-methods>
     <users>
       <user>
         <name>mary</name>

diff --git a/refs/ex-ssh-server-local.xml b/refs/ex-ssh-server-local.xml
@@ -34,29 +34,22 @@
 
   <!-- the client credentials this SSH server will trust -->
   <client-authentication>
-    <supported-authentication-methods>
-      <publickey/>
-    </supported-authentication-methods>
     <users>
       <user>
         <name>mary</name>
         <password>$0$secret</password>
         <public-keys>
           <local-definition>
-            <!--<ssh-public-key>-->
             <public-key>
               <name>User A</name>
               <public-key-format>ct:ssh-public-key-format</public-key-format>
               <public-key>base64encodedvalue==</public-key>
-              <!--</ssh-public-key>
-            <ssh-public-key>-->
             </public-key>
             <public-key>
               <name>User B</name>
               <public-key-format>ct:ssh-public-key-format</public-key-format>
               <public-key>base64encodedvalue==</public-key>
             </public-key>
-            <!--</ssh-public-key>-->
           </local-definition>
         </public-keys>
       </user>