From 1d5ad7de6cb7e5e19042433e230d2d37445ea573 Mon Sep 17 00:00:00 2001
From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com>
Date: Mon, 10 Jul 2023 21:27:41 +0300
Subject: [PATCH] Added ssh configurations to YANG model (#13338)

- Why I did it
Implemented ssh configurations
- How I did it
Added ssh config table in configDB, once changed - hostcfgd will change the relevant OS files (sshd_config)
- How to verify it
Tests in sonic-host-services. Change relevant configs in configDB such as ports, and see sshd port was modified
---
 src/sonic-yang-models/doc/Configuration.md | 20 +++++++
 src/sonic-yang-models/setup.py | 1 +
 .../tests/files/sample_config_db.json | 8 +++
 .../yang_model_tests/tests/ssh-server.json | 26 ++++++++
 .../tests_config/ssh-server.json | 60 +++++++++++++++++++
 .../yang-models/sonic-ssh-server.yang | 46 ++++++++++++++
 6 files changed, 161 insertions(+)
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json
 create mode 100644 src/sonic-yang-models/yang-models/sonic-ssh-server.yang

diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
index ab633a715850..fdb92ddce805 100644
--- a/src/sonic-yang-models/doc/Configuration.md
+++ b/src/sonic-yang-models/doc/Configuration.md
@@ -79,6 +79,7 @@ Table of Contents
  * [LOGGER](#logger)
  * [WRED_PROFILE](#wred_profile)
  * [PASSWORD_HARDENING](#password_hardening)
+ * [SSH_SERVER](#ssh_server)
  * [SYSTEM_DEFAULTS table](#systemdefaults-table)
  * [RADIUS](#radius)
  * [Static DNS](#static-dns)
@@ -2321,6 +2322,25 @@ There are 4 classes
 }
 ```
 
+### SSH_SERVER
+
+In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations:
+
+- authentication_retries - number of login attepmts 1-100
+- login_timeout - Timeout in seconds for login session for user to connect 1-600
+- ports - Ssh port numbers - string of port numbers seperated by ','
+```
+{
+    "SSH_SERVER": {
+        "POLICIES":{
+            "authentication_retries": "6",
+            "login_timeout": "120",
+            "ports": "22"
+        }
+    }
+}
+```
+
 ### BREAKOUT_CFG
 
 This table is introduced as part of Dynamic Port Breakout(DPB) feature.
diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py
index b4bdc2da47f0..f3de50de857a 100644
--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
@@ -140,6 +140,7 @@ def run(self):
         './yang-models/sonic-nat.yang',
         './yang-models/sonic-nvgre-tunnel.yang',
         './yang-models/sonic-passwh.yang',
+        './yang-models/sonic-ssh-server.yang',
         './yang-models/sonic-pbh.yang',
         './yang-models/sonic-port.yang',
         './yang-models/sonic-policer.yang',
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 2de693e58579..1ee67afff860 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -2225,6 +2225,14 @@
         }
     },
 
+    "SSH_SERVER": {
+        "POLICIES":{
+            "authentication_retries": "6",
+            "login_timeout": "120",
+            "ports": "22"
+        }
+    },
+
     "MACSEC_PROFILE": {
         "test": {
             "priority": "64",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json
new file mode 100644
index 000000000000..f3a1c30ef47a
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json
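Review bot: The new entry `'./yang-models/sonic-ssh-server.yang'` in the setup.py hunk is placed between sonic-passwh and sonic-pbh, which breaks the alphabetical order the surrounding entries follow; move it to its sorted position among the sonic-s* models so the list stays easy to scan and merge. The list it belongs to starts and ends outside the hunk.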
@@ -0,0 +1,26 @@
+{
+    "SSH_SERVER_VALID": {
+        "desc": "Configure default SSH_SERVER."
+    },
+    "SSH_SERVER_VALID_MODIFIED": {
+        "desc": "Configure modified SSH_SERVER."
+    },
+    "SSH_SERVER_INVALID_AUTH_RETRIES": {
+        "desc": "Configure invalid number of authentication retries in SSH_SERVER.",
+        "eStrKey" : "Pattern",
+        "eStr": ["1..100"]
+    },
+    "SSH_SERVER_INVALID_LOGIN_TIMEOUT": {
+        "desc": "Configure invalid login timeout value in SSH_SERVER.",
+        "eStrKey" : "Pattern",
+        "eStr": ["1..600"]
+    },
+    "SSH_SERVER_INVALID_PORTS_1": {
+        "desc": "Configure invalid port value in SSH_SERVER.",
+        "eStr": "Invalid port numbers value"
+    },
+    "SSH_SERVER_INVALID_PORTS_2": {
+        "desc": "Configure invalid port value in SSH_SERVER.",
+        "eStr": "Invalid port numbers value"
+    }
+}
\ No newline at end of file
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json
new file mode 100644
index 000000000000..e0abc1a1320a
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json
@@ -0,0 +1,60 @@
+{
+    "SSH_SERVER_VALID": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "authentication_retries": "6",
+                    "login_timeout": "120",
+                    "ports": "22"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_VALID_MODIFIED": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "authentication_retries": "16",
+                    "login_timeout": "140",
+                    "ports": "22,222"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_INVALID_AUTH_RETRIES": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "authentication_retries": "200"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_INVALID_LOGIN_TIMEOUT": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "login_timeout": "606"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_INVALID_PORTS_1": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "ports": "port22"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_INVALID_PORTS_2": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "ports": "22.222"
+                }
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/sonic-yang-models/yang-models/sonic-ssh-server.yang b/src/sonic-yang-models/yang-models/sonic-ssh-server.yang
new file mode 100644
index 000000000000..a53fddac5bfc
--- /dev/null
+++ b/src/sonic-yang-models/yang-models/sonic-ssh-server.yang
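Review bot: The two invalid-port cases, `"ports": "port22"` and `"ports": "22.222"`, only exercise non-numeric input, so none of the boundaries the ports pattern in sonic-ssh-server.yang is written to enforce is covered: a port of `0` or `65536`, a leading zero such as `022`, or a trailing comma as in `22,`. A regression in the numeric alternation would pass this suite unnoticed; add cases along the lines of `"ports": "65536"` and `"ports": "22,"` here, with matching entries (e.g. `SSH_SERVER_INVALID_PORTS_3`, `SSH_SERVER_INVALID_PORTS_4`) in tests/ssh-server.json expecting `Invalid port numbers value`. The invalid auth-retries and login-timeout cases likewise test only an over-range value; a `0` case for each would pin the lower bound of the two ranges.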
@@ -0,0 +1,46 @@
+
+//filename: sonic-ssh-server.yang
+module sonic-ssh-server {
+    yang-version 1.1;
+    namespace "http://github.com/sonic-net/sonic-ssh-server";
+    prefix sshg;
+
+    description "SSH SERVER CONFIG YANG Module for SONiC OS";
+
+    revision 2022-08-29 {
+        description
+            "First Revision";
+    }
+
+    container sonic-ssh-server {
+        container SSH_SERVER {
+            description "SSH SERVER CONFIG part of config_db.json";
+            container POLICIES {
+                leaf authentication_retries {
+                    description "number of login attepmts";
+                    default 6;
+                    type uint32 {
+                        range 1..100;
+                    }
+                }
+                leaf login_timeout {
+                    description "login timeout (secs unit)";
+                    default 120;
+                    type uint32 {
+                        range 1..600;
+                    }
+                }
+                leaf ports {
+                    description "ssh port numbers";
+                    default "22";
+                    type string {
+                        pattern '([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-6])(,([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-6]))*' {
+                            error-message "Invalid port numbers value";
+                            error-app-tag ssh-server-ports-invalid-value;
+                        }
+                    }
+                }
+            }/*container policies */
+        } /* container SSH_SERVER */
+    }/* container sonic-ssh-server */
+}/* end of module sonic-ssh-server */
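Review bot: The leaf descriptions inside container POLICIES say what each value is but not which sshd_config directive it becomes, even though the commit message says hostcfgd rewrites sshd_config from this table; a reader of the model cannot tell that authentication_retries presumably maps to MaxAuthTries, login_timeout to LoginGraceTime and ports to Port, so state the rendered directive in each description, e.g. `description "Maximum authentication attempts per connection (rendered by hostcfgd into sshd_config MaxAuthTries)";`, and fix the typo `attepmts` while there. The `range 1..100` on authentication_retries admits a far weaker brute-force policy than the `default 6` it ships with; if the wide upper bound is intentional, the description should say that 6 is the hardened value, otherwise consider tightening the range. Unlike `ports`, the two range statements carry no `error-message`, so the tests in tests/ssh-server.json have to match on libyang's generic `1..100` / `1..600` text; adding an error-message and error-app-tag to each range keeps the three leaves consistent. The `revision 2022-08-29` predates this July 2023 commit by almost a year; add a revision entry dated to this change. The ports pattern admits only digits and commas, which is what keeps a config_db value from carrying anything beyond port numbers into sshd_config, so it is worth recording that intent in the leaf description.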