make permit_root_login an enumeration

bhouse-nexthop · bhouse-nexthop · commit 4165c41073e0 · 2025-06-17T10:45:11.000-04:00
diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
@@ -2952,7 +2952,11 @@ In this table, we allow configuring ssh server global settings. This will featur
 -   ports - Ssh port numbers - string of port numbers seperated by ','
 -   inactivity_timeout - Inactivity timeout for SSH session, allowed values: 0-35000 (min), default value: 15 (min)
 -   max_sessions - Max number of concurrent logins, allowed values: 0-100 (where 0 means no limit), default value: 0
--   permit_root_login - Whether or not to allow root login.  Boolean.
+-   permit_root_login - Whether or not to allow root login. Default value: "prohibit-password"
+    - "yes"
+    - "prohibit-password"
+    - "forced-commands-only"
+    - "no"
 -   password_authentication - Whether or not to allow password authentication. Boolean.
 -   ciphers - Ciphers to allow.  See `ssh -Q ciphers`
 -   kex_algorithms - Key Exchange algorithms to allow.  See `ssh -Q kex_algorithms`
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -2588,7 +2588,7 @@
                 "ports": "22",
                 "inactivity_timeout": "15",
                 "max_sessions": "0",
-                "permit_root_login": "false",
+                "permit_root_login": "no",
                 "password_authentication": "true",
                 "ciphers": [ "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com" ],
                 "kex_algorithms": [ "sntrup761x25519-sha512", "curve25519-sha256", "ecdh-sha2-nistp521" ],
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json
@@ -5,6 +5,18 @@
     "SSH_SERVER_VALID_MODIFIED": {
         "desc": "Configure modified SSH_SERVER."
     },
+    "SSH_SERVER_PERMIT_ROOT_YES": {
+        "desc": "permit_root_login: yes"
+    },
+    "SSH_SERVER_PERMIT_ROOT_NO": {
+        "desc": "permit_root_login: no"
+    },
+    "SSH_SERVER_PERMIT_ROOT_PROHIBIT_PASSWORD": {
+        "desc": "permit_root_login: prohibit-password"
+    },
+    "SSH_SERVER_PERMIT_ROOT_FORCED_COMMANDS_ONLY": {
+        "desc": "permit_root_login: forced-commands-only"
+    },
     "SSH_SERVER_INVALID_AUTH_RETRIES": {
         "desc": "Configure invalid number of authentication retries in SSH_SERVER.",
         "eStrKey" : "Pattern",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json
@@ -8,7 +8,7 @@
                     "ports": "22",
                     "inactivity_timeout": "15",
                     "max_sessions": "0",
-                    "permit_root_login": "false",
+                    "permit_root_login": "no",
                     "password_authentication": "true",
                     "ciphers": [ "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com" ],
                     "kex_algorithms": [ "sntrup761x25519-sha512", "curve25519-sha256", "ecdh-sha2-nistp521" ],
@@ -28,6 +28,42 @@
             }
         }
     },
+    "SSH_SERVER_PERMIT_ROOT_YES": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "permit_root_login": "yes"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_PERMIT_ROOT_NO": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "permit_root_login": "no"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_PERMIT_ROOT_PROHIBIT_PASSWORD": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "permit_root_login": "prohibit-password"
+                }
+            }
+        }
+    },
+    "SSH_SERVER_PERMIT_ROOT_FORCED_COMMANDS_ONLY": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "permit_root_login": "forced-commands-only"
+                }
+            }
+        }
+    },
     "SSH_SERVER_INVALID_AUTH_RETRIES": {
         "sonic-ssh-server:sonic-ssh-server": {
             "sonic-ssh-server:SSH_SERVER": {
diff --git a/src/sonic-yang-models/yang-models/sonic-ssh-server.yang b/src/sonic-yang-models/yang-models/sonic-ssh-server.yang
@@ -61,7 +61,12 @@ module sonic-ssh-server {
                 }
                 leaf permit_root_login {
                     description "Specifies whether root can log in using ssh.";
-                    type boolean;
+                    type enumeration {
+                        enum "yes";
+                        enum "prohibit-password";
+                        enum "forced-commands-only";
+                        enum "no";
+                    }
                 }
                 leaf password_authentication {
                     description "Specifies whether password authentication is enabled.";

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,12 @@ module sonic-ssh-server {`
`61`	`61`	`}`
`62`	`62`	`leaf permit_root_login {`
`63`	`63`	`description "Specifies whether root can log in using ssh.";`
`64`		`- type boolean;`
	`64`	`+ type enumeration {`
	`65`	`+ enum "yes";`
	`66`	`+ enum "prohibit-password";`
	`67`	`+ enum "forced-commands-only";`
	`68`	`+ enum "no";`
	`69`	`+ }`
`65`	`70`	`}`
`66`	`71`	`leaf password_authentication {`
`67`	`72`	`description "Specifies whether password authentication is enabled.";`