Adding list leaf for SSH public keys

[syaghi-c]

Change Scope

• Adding a leaf list for user ssh keys to add the ability to add more than one SSH key per user.
• This change is backwards compatible. We are proposing a new list leaf rather than changing the existing single leaf for ssh-key as to not break backwards compatibility.

Platform Implementations

• Implementation A: gNSI model requires support for multiple ssh keys per user:
  https://github.com/openconfig/gnsi/tree/main/credentialz#update-the-clients-authorized-key
• Implementation B: Ciena 6500
  The platform supports adding more than one public key per user

Tree View

 module: openconfig-aaa
           +--rw aaa
        |  +--rw config
        |  +--ro state
        |  +--rw authentication
        |  |  +--rw glome
        |  |  |  +--ro state
        |  |  +--rw config
        |  |  |  +--rw authentication-method*   union
        |  |  +--ro state
        |  |  |  +--ro authentication-method*   union
        |  |  +--rw admin-user
        |  |  |  +--rw config
        |  |  |  |  +--rw admin-password?          string
        |  |  |  |  +--rw admin-password-hashed?   oc-aaa-types:crypt-password-type
        |  |  |  +--ro state
        |  |  |     +--ro admin-password?          string
        |  |  |     +--ro admin-password-hashed?   oc-aaa-types:crypt-password-type
        |  |  |     +--ro admin-username?          string
        |  |  +--rw users
        |  |     +--rw user* [username]
        |  |        +--rw username    -> ../config/username
        |  |        +--rw config
        |  |        |  +--rw username?          string
        |  |        |  +--rw password?          string
        |  |        |  +--rw password-hashed?   oc-aaa-types:crypt-password-type
        |  |        |  +--rw ssh-key?           string
        |  |        |  +--rw role               union
        |  |        +--ro state
        |  |           +--ro username?          string
        |  |           +--ro password?          string
        |  |           +--ro password-hashed?   oc-aaa-types:crypt-password-type
        |  |           +--ro ssh-key?           string
        |  |           +--ro role               union
+       |  |        +---- authorized-ssh-keys
+       |  |           +---- authorized-ssh-key* [key-name]
+       |  |              +---- key-name?   -> ../config/key-name
+       |  |              +---- config
+       |  |              |  +---- key-name?             string
+       |  |              |  +---- authorized-ssh-key?   string
+       |  |              +--ro state
+       |  |                 +--ro key-name?             string
+       |  |                 +--ro authorized-ssh-key?   string

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Code Review

This pull request introduces an authorized-ssh-keys list to the OpenConfig AAA model to allow users to have multiple SSH public keys. Feedback indicates that the current placement of the list within a grouping violates OpenConfig structural standards, where lists should be siblings to config and state containers rather than nested within them. Additionally, the max-elements 10 constraint is viewed as overly restrictive, and the description for the authorized-ssh-key leaf should be updated to specify supported key formats like RSA or DSA.

[charanjith-anet]

Should this single ssh-key leaf be deprecated?