Added ssh configurations to YANG model (#13338)

- Why I did it Implemented ssh configurations - How I did it Added ssh config table in configDB, once changed - hostcfgd will change the relevant OS files (sshd_config) - How to verify it Tests in sonic-host-services. Change relevant configs in configDB such as ports, and see sshd port was modified
sonic-net · Jul 10, 2023 · 7639df0 · 7639df0
1 parent 4303308
commit 7639df0
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 0 deletions.
diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
@@ -79,6 +79,7 @@ Table of Contents
  * [LOGGER](#logger)
  * [WRED_PROFILE](#wred_profile)
  * [PASSWORD_HARDENING](#password_hardening)
+ * [SSH_SERVER](#ssh_server) 
  * [SYSTEM_DEFAULTS table](#systemdefaults-table)
  * [RADIUS](#radius)
  * [Static DNS](#static-dns)
@@ -2321,6 +2322,25 @@ There are 4 classes
 }
 ```
 
+### SSH_SERVER
+
+In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations:
+
+- authentication_retries - number of login attepmts 1-100
+- login_timeout - Timeout in seconds for login session for user to connect 1-600
+- ports - Ssh port numbers - string of port numbers seperated by ','
+```
+{
+ "SSH_SERVER": {
+ "POLICIES":{
+ "authentication_retries": "6",
+ "login_timeout": "120",
+ "ports": "22"
+ }
+ }
+}
+```
+
 ### BREAKOUT_CFG
 
 This table is introduced as part of Dynamic Port Breakout(DPB) feature.

diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py
@@ -140,6 +140,7 @@ def run(self):
  './yang-models/sonic-nat.yang',
  './yang-models/sonic-nvgre-tunnel.yang',
  './yang-models/sonic-passwh.yang',
+ './yang-models/sonic-ssh-server.yang',
  './yang-models/sonic-pbh.yang',
  './yang-models/sonic-port.yang',
  './yang-models/sonic-policer.yang',

diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -2225,6 +2225,14 @@
  }
  },
 
+ "SSH_SERVER": {
+ "POLICIES":{
+ "authentication_retries": "6",
+ "login_timeout": "120",
+ "ports": "22"
+ }
+ },
+
  "MACSEC_PROFILE": {
  "test": {
  "priority": "64",

diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json
@@ -0,0 +1,26 @@
+{
+ "SSH_SERVER_VALID": {
+ "desc": "Configure default SSH_SERVER."
+ },
+ "SSH_SERVER_VALID_MODIFIED": {
+ "desc": "Configure modified SSH_SERVER."
+ },
+ "SSH_SERVER_INVALID_AUTH_RETRIES": {
+ "desc": "Configure invalid number of authentication retries in SSH_SERVER.",
+ "eStrKey" : "Pattern",
+ "eStr": ["1..100"]
+ },
+ "SSH_SERVER_INVALID_LOGIN_TIMEOUT": {
+ "desc": "Configure invalid login timeout value in SSH_SERVER.",
+ "eStrKey" : "Pattern",
+ "eStr": ["1..600"]
+ },
+ "SSH_SERVER_INVALID_PORTS_1": {
+ "desc": "Configure invalid port value in SSH_SERVER.",
+ "eStr": "Invalid port numbers value"
+ },
+ "SSH_SERVER_INVALID_PORTS_2": {
+ "desc": "Configure invalid port value in SSH_SERVER.",
+ "eStr": "Invalid port numbers value"
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json
@@ -0,0 +1,60 @@
+{
+ "SSH_SERVER_VALID": {
+ "sonic-ssh-server:sonic-ssh-server": {
+ "sonic-ssh-server:SSH_SERVER": {
+ "POLICIES":{
+ "authentication_retries": "6",
+ "login_timeout": "120",
+ "ports": "22"
+ }
+ }
+ }
+ },
+ "SSH_SERVER_VALID_MODIFIED": {
+ "sonic-ssh-server:sonic-ssh-server": {
+ "sonic-ssh-server:SSH_SERVER": {
+ "POLICIES":{
+ "authentication_retries": "16",
+ "login_timeout": "140",
+ "ports": "22,222"
+ }
+ }
+ }
+ },
+ "SSH_SERVER_INVALID_AUTH_RETRIES": {
+ "sonic-ssh-server:sonic-ssh-server": {
+ "sonic-ssh-server:SSH_SERVER": {
+ "POLICIES":{
+ "authentication_retries": "200"
+ }
+ }
+ }
+ },
+ "SSH_SERVER_INVALID_LOGIN_TIMEOUT": {
+ "sonic-ssh-server:sonic-ssh-server": {
+ "sonic-ssh-server:SSH_SERVER": {
+ "POLICIES":{
+ "login_timeout": "606"
+ }
+ }
+ }
+ },
+ "SSH_SERVER_INVALID_PORTS_1": {
+ "sonic-ssh-server:sonic-ssh-server": {
+ "sonic-ssh-server:SSH_SERVER": {
+ "POLICIES":{
+ "ports": "port22"
+ }
+ }
+ }
+ },
+ "SSH_SERVER_INVALID_PORTS_2": {
+ "sonic-ssh-server:sonic-ssh-server": {
+ "sonic-ssh-server:SSH_SERVER": {
+ "POLICIES":{
+ "ports": "22.222"
+ }
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/yang-models/sonic-ssh-server.yang b/src/sonic-yang-models/yang-models/sonic-ssh-server.yang
@@ -0,0 +1,46 @@
+
+//filename: sonic-ssh-server.yang
+module sonic-ssh-server {
+ yang-version 1.1;
+ namespace "http://github.com/sonic-net/sonic-ssh-server";
+ prefix sshg;
+
+ description "SSH SERVER CONFIG YANG Module for SONiC OS";
+
+ revision 2022-08-29 {
+ description
+ "First Revision";
+ }
+
+ container sonic-ssh-server {
+ container SSH_SERVER {
+ description "SSH SERVER CONFIG part of config_db.json";
+ container POLICIES {
+ leaf authentication_retries {
+ description "number of login attepmts";
+ default 6;
+ type uint32 {
+ range 1..100;
+ }
+ }
+ leaf login_timeout {
+ description "login timeout (secs unit)";
+ default 120;
+ type uint32 {
+ range 1..600;
+ }
+ }
+ leaf ports {
+ description "ssh port numbers";
+ default "22";
+ type string {
+ pattern '([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-6])(,([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-6]))*' {
+ error-message "Invalid port numbers value";
+ error-app-tag ssh-server-ports-invalid-value;
+ }
+ }
+ }
+ }/*container policies */
+ } /* container SSH_SERVER */
+ }/* container sonic-ssh-server */
+}/* end of module sonic-ssh-server */