From c9c0e2bf29ac48caf7472856ebb8e5b4a0603d22 Mon Sep 17 00:00:00 2001 From: jmussmann Date: Fri, 6 Sep 2024 13:27:46 +0200 Subject: [PATCH 1/4] Feat(eos_cli_config_gen): add management_ssh authentication settings (protocol and empty-passwords) --- .../documentation/devices/management-ssh.md | 9 +++++++ .../intended/configs/management-ssh.cfg | 2 ++ .../inventory/host_vars/management-ssh.yml | 6 +++++ .../docs/tables/management-ssh.md | 12 ++++++++++ .../documentation/management-ssh.j2 | 19 +++++++++++++++ .../j2templates/eos/management-ssh.j2 | 6 +++++ .../schema/eos_cli_config_gen.schema.yml | 24 +++++++++++++++++++ .../management_ssh.schema.yml | 16 +++++++++++++ 8 files changed, 94 insertions(+) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md index 5d1f52b08a1..d1a7e9aa0ee 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md @@ -36,6 +36,13 @@ interface Management1 ### Management SSH +#### Authentication Settings + +| Authentication protocols | Empty passwords | +| ------------ | -------------- | +| keyboard-interactive,password,public-key | permit | + + #### IPv4 ACL | IPv4 ACL | VRF | @@ -75,8 +82,10 @@ management ssh ip access-group ACL-SSH in ip access-group ACL-SSH-VRF vrf mgt in idle-timeout 15 + authentication protocol keyboard-interactive password public-key connection limit 50 connection per-host 10 + authentication empty-passwords permit client-alive interval 666 client-alive count-max 42 fips restrictions diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg index f26acf54dad..df5ea4e292c 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg @@ -8,8 +8,10 @@ management ssh ip access-group ACL-SSH in ip access-group ACL-SSH-VRF vrf mgt in idle-timeout 15 + authentication protocol keyboard-interactive password public-key connection limit 50 connection per-host 10 + authentication empty-passwords permit client-alive interval 666 client-alive count-max 42 fips restrictions diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml index c49e1229585..2839de81add 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml @@ -1,4 +1,10 @@ management_ssh: + authentication: + empty_passwords: permit + protocol: + - keyboard-interactive + - password + - public-key access_groups: - name: ACL-SSH - name: ACL-SSH-VRF diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md index 1b612e87e6f..c96fc3f267c 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md @@ -8,6 +8,10 @@ | Variable | Type | Required | Default | Value Restrictions | Description | | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [management_ssh](## "management_ssh") | Dictionary | | | | | + | [  authentication](## "management_ssh.authentication") | Dictionary | | | | | + | [    empty_passwords](## "management_ssh.authentication.empty_passwords") | String | | `auto` | Valid Values:
- auto
- deny
- permit | setting to allow or deny empty passwords for ssh authentication
| + | [    protocol](## "management_ssh.authentication.protocol") | List, items: String | | | | set allowed ssh authentication methods
| + | [      - <str>](## "management_ssh.authentication.protocol.[]") | String | | | Valid Values:
- keyboard-interactive
- password
- public-key | | | [  access_groups](## "management_ssh.access_groups") | List, items: Dictionary | | | | | | [    - name](## "management_ssh.access_groups.[].name") | String | | | | Standard ACL Name. | | [      vrf](## "management_ssh.access_groups.[].vrf") | String | | | | VRF Name. | @@ -43,6 +47,14 @@ ```yaml management_ssh: + authentication: + + # setting to allow or deny empty passwords for ssh authentication + empty_passwords: + + # set allowed ssh authentication methods + protocol: + - access_groups: # Standard ACL Name. diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 index 84e00836228..df82911e7e4 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 @@ -7,6 +7,25 @@ {% if management_ssh is arista.avd.defined %} ### Management SSH +{% if management_ssh.authentication is arista.avd.defined %} + +#### Authentication Settings + +| Authentication protocols | Empty passwords | +| ------------ | -------------- | +{% if management_ssh.authentication.protocol is arista.avd.defined %} +{% set protocol = management_ssh.authentication.protocol | join(",") %} +{% else %} +{% set protocol = 'keyboard-interactive public-key' %} +{% endif %} +{% if management_ssh.authentication.empty_passwords is arista.avd.defined %} +{% set empty_passwords = management_ssh.authentication.empty_passwords %} +{% else %} +{% set empty_passwords = 'auto' %} +{% endif %} +| {{ protocol }} | {{ empty_passwords }} | + +{% endif %} {% if management_ssh.access_groups is arista.avd.defined %} #### IPv4 ACL diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 index b0181d59a56..239f1cc55d8 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 @@ -30,12 +30,18 @@ management ssh {% if management_ssh.idle_timeout is arista.avd.defined %} idle-timeout {{ management_ssh.idle_timeout }} {% endif %} +{% if management_ssh.authentication is arista.avd.defined and management_ssh.authentication.protocol is arista.avd.defined %} + authentication protocol {{ management_ssh.authentication.protocol | join(" ") }} +{% endif %} {% if management_ssh.connection.limit is arista.avd.defined %} connection limit {{ management_ssh.connection.limit }} {% endif %} {% if management_ssh.connection.per_host is arista.avd.defined %} connection per-host {{ management_ssh.connection.per_host }} {% endif %} +{% if management_ssh.authentication is arista.avd.defined and management_ssh.authentication.empty_passwords is arista.avd.defined %} + authentication empty-passwords {{ management_ssh.authentication.empty_passwords }} +{% endif %} {% if management_ssh.client_alive.interval is arista.avd.defined %} client-alive interval {{ management_ssh.client_alive.interval }} {% endif %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml index 80488a6a724..4f4a435f69b 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml @@ -7189,6 +7189,30 @@ keys: management_ssh: type: dict keys: + authentication: + type: dict + keys: + empty_passwords: + type: str + valid_values: + - auto + - deny + - permit + description: 'setting to allow or deny empty passwords for ssh authentication + + ' + default: auto + protocol: + type: list + items: + type: str + valid_values: + - keyboard-interactive + - password + - public-key + description: 'set allowed ssh authentication methods + + ' access_groups: type: list items: diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml index 357cc48c098..53d73dec064 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml @@ -10,6 +10,22 @@ keys: management_ssh: type: dict keys: + authentication: + type: dict + keys: + empty_passwords: + type: str + valid_values: ["auto", "deny", "permit"] + description: | + setting to allow or deny empty passwords for ssh authentication + default: "auto" + protocol: + type: list + items: + type: str + valid_values: ["keyboard-interactive", "password", "public-key"] + description: | + set allowed ssh authentication methods access_groups: type: list items: From 092691227d76a04a51cdc8ddba109c10abedc7ac Mon Sep 17 00:00:00 2001 From: jmussmann Date: Fri, 6 Sep 2024 14:08:07 +0200 Subject: [PATCH 2/4] Feat(eos_cli_config_gen): add management_ssh authentication settings (protocol and empty-passwords) - changes after review --- .../documentation/devices/management-ssh.md | 5 ++--- .../inventory/host_vars/management-ssh.yml | 2 +- .../docs/tables/management-ssh.md | 12 ++++++------ .../j2templates/documentation/management-ssh.j2 | 17 ++++++----------- .../j2templates/eos/management-ssh.j2 | 6 +++--- .../schema/eos_cli_config_gen.schema.yml | 10 +++------- .../schema_fragments/management_ssh.schema.yml | 8 +++----- 7 files changed, 24 insertions(+), 36 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md index d1a7e9aa0ee..54f5e997083 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md @@ -39,9 +39,8 @@ interface Management1 #### Authentication Settings | Authentication protocols | Empty passwords | -| ------------ | -------------- | -| keyboard-interactive,password,public-key | permit | - +| ------------------------ | --------------- | +| keyboard-interactive, password, public-key | permit | #### IPv4 ACL diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml index 2839de81add..c3ca0f4826f 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml @@ -1,7 +1,7 @@ management_ssh: authentication: empty_passwords: permit - protocol: + protocols: - keyboard-interactive - password - public-key diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md index c96fc3f267c..20fd79dcd1d 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md @@ -9,9 +9,9 @@ | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [management_ssh](## "management_ssh") | Dictionary | | | | | | [  authentication](## "management_ssh.authentication") | Dictionary | | | | | - | [    empty_passwords](## "management_ssh.authentication.empty_passwords") | String | | `auto` | Valid Values:
- auto
- deny
- permit | setting to allow or deny empty passwords for ssh authentication
| - | [    protocol](## "management_ssh.authentication.protocol") | List, items: String | | | | set allowed ssh authentication methods
| - | [      - <str>](## "management_ssh.authentication.protocol.[]") | String | | | Valid Values:
- keyboard-interactive
- password
- public-key | | + | [    empty_passwords](## "management_ssh.authentication.empty_passwords") | String | | `auto` | Valid Values:
- auto
- deny
- permit | Permit or deny empty passwords for SSH authentication. | + | [    protocols](## "management_ssh.authentication.protocols") | List, items: String | | | | Allowed SSH authentication methods. | + | [      - <str>](## "management_ssh.authentication.protocols.[]") | String | | | Valid Values:
- keyboard-interactive
- password
- public-key | | | [  access_groups](## "management_ssh.access_groups") | List, items: Dictionary | | | | | | [    - name](## "management_ssh.access_groups.[].name") | String | | | | Standard ACL Name. | | [      vrf](## "management_ssh.access_groups.[].vrf") | String | | | | VRF Name. | @@ -49,11 +49,11 @@ management_ssh: authentication: - # setting to allow or deny empty passwords for ssh authentication + # Permit or deny empty passwords for SSH authentication. empty_passwords: - # set allowed ssh authentication methods - protocol: + # Allowed SSH authentication methods. + protocols: - access_groups: diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 index df82911e7e4..6712ea7bdcc 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 @@ -12,19 +12,14 @@ #### Authentication Settings | Authentication protocols | Empty passwords | -| ------------ | -------------- | -{% if management_ssh.authentication.protocol is arista.avd.defined %} -{% set protocol = management_ssh.authentication.protocol | join(",") %} -{% else %} -{% set protocol = 'keyboard-interactive public-key' %} -{% endif %} -{% if management_ssh.authentication.empty_passwords is arista.avd.defined %} -{% set empty_passwords = management_ssh.authentication.empty_passwords %} +| ------------------------ | --------------- | +{% if management_ssh.authentication.protocols is arista.avd.defined %} +{% set protocols = management_ssh.authentication.protocols | join(", ") %} {% else %} -{% set empty_passwords = 'auto' %} +{% set protocols = 'keyboard-interactive public-key' %} {% endif %} -| {{ protocol }} | {{ empty_passwords }} | - +{% set empty_passwords = management_ssh.authentication.empty_passwords | arista.avd.default('auto') %} +| {{ protocols }} | {{ empty_passwords }} | {% endif %} {% if management_ssh.access_groups is arista.avd.defined %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 index 239f1cc55d8..421217afdc6 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 @@ -30,8 +30,8 @@ management ssh {% if management_ssh.idle_timeout is arista.avd.defined %} idle-timeout {{ management_ssh.idle_timeout }} {% endif %} -{% if management_ssh.authentication is arista.avd.defined and management_ssh.authentication.protocol is arista.avd.defined %} - authentication protocol {{ management_ssh.authentication.protocol | join(" ") }} +{% if management_ssh.authentication.protocols is arista.avd.defined %} + authentication protocol {{ management_ssh.authentication.protocols | join(" ") }} {% endif %} {% if management_ssh.connection.limit is arista.avd.defined %} connection limit {{ management_ssh.connection.limit }} @@ -39,7 +39,7 @@ management ssh {% if management_ssh.connection.per_host is arista.avd.defined %} connection per-host {{ management_ssh.connection.per_host }} {% endif %} -{% if management_ssh.authentication is arista.avd.defined and management_ssh.authentication.empty_passwords is arista.avd.defined %} +{% if management_ssh.authentication.empty_passwords is arista.avd.defined %} authentication empty-passwords {{ management_ssh.authentication.empty_passwords }} {% endif %} {% if management_ssh.client_alive.interval is arista.avd.defined %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml index 4f4a435f69b..d10943d32f8 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml @@ -7198,11 +7198,9 @@ keys: - auto - deny - permit - description: 'setting to allow or deny empty passwords for ssh authentication - - ' + description: Permit or deny empty passwords for SSH authentication. default: auto - protocol: + protocols: type: list items: type: str @@ -7210,9 +7208,7 @@ keys: - keyboard-interactive - password - public-key - description: 'set allowed ssh authentication methods - - ' + description: Allowed SSH authentication methods. access_groups: type: list items: diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml index 53d73dec064..1f0b371dcba 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml @@ -16,16 +16,14 @@ keys: empty_passwords: type: str valid_values: ["auto", "deny", "permit"] - description: | - setting to allow or deny empty passwords for ssh authentication + description: Permit or deny empty passwords for SSH authentication. default: "auto" - protocol: + protocols: type: list items: type: str valid_values: ["keyboard-interactive", "password", "public-key"] - description: | - set allowed ssh authentication methods + description: Allowed SSH authentication methods. access_groups: type: list items: From 5d69027a083af8c90fc685718be49421b8b6611f Mon Sep 17 00:00:00 2001 From: jmussmann Date: Fri, 6 Sep 2024 14:23:22 +0200 Subject: [PATCH 3/4] Feat(eos_cli_config_gen): add management_ssh authentication settings (protocol and empty-passwords) - changes after review --- .../j2templates/documentation/management-ssh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 index 6712ea7bdcc..9fe10435bfc 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 @@ -16,11 +16,11 @@ {% if management_ssh.authentication.protocols is arista.avd.defined %} {% set protocols = management_ssh.authentication.protocols | join(", ") %} {% else %} -{% set protocols = 'keyboard-interactive public-key' %} +{% set protocols = 'keyboard-interactive, public-key' %} {% endif %} {% set empty_passwords = management_ssh.authentication.empty_passwords | arista.avd.default('auto') %} | {{ protocols }} | {{ empty_passwords }} | -{% endif %} +{% endif %} {% if management_ssh.access_groups is arista.avd.defined %} #### IPv4 ACL From 4b7e1eb54405a6f9e82afeb530cf17a7aecf8be9 Mon Sep 17 00:00:00 2001 From: jmussmann Date: Fri, 6 Sep 2024 15:10:24 +0200 Subject: [PATCH 4/4] Feat(eos_cli_config_gen): add management_ssh authentication settings (protocol and empty-passwords) - changes after review - remove default for empty_passwords --- .../roles/eos_cli_config_gen/docs/tables/management-ssh.md | 4 ++-- .../_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml | 1 - .../schema/schema_fragments/management_ssh.schema.yml | 1 - 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md index 20fd79dcd1d..c9b7bd83c63 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md @@ -9,7 +9,7 @@ | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [management_ssh](## "management_ssh") | Dictionary | | | | | | [  authentication](## "management_ssh.authentication") | Dictionary | | | | | - | [    empty_passwords](## "management_ssh.authentication.empty_passwords") | String | | `auto` | Valid Values:
- auto
- deny
- permit | Permit or deny empty passwords for SSH authentication. | + | [    empty_passwords](## "management_ssh.authentication.empty_passwords") | String | | | Valid Values:
- auto
- deny
- permit | Permit or deny empty passwords for SSH authentication. | | [    protocols](## "management_ssh.authentication.protocols") | List, items: String | | | | Allowed SSH authentication methods. | | [      - <str>](## "management_ssh.authentication.protocols.[]") | String | | | Valid Values:
- keyboard-interactive
- password
- public-key | | | [  access_groups](## "management_ssh.access_groups") | List, items: Dictionary | | | | | @@ -50,7 +50,7 @@ authentication: # Permit or deny empty passwords for SSH authentication. - empty_passwords: + empty_passwords: # Allowed SSH authentication methods. protocols: diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml index d10943d32f8..1bd9f63956a 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml @@ -7199,7 +7199,6 @@ keys: - deny - permit description: Permit or deny empty passwords for SSH authentication. - default: auto protocols: type: list items: diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml index 1f0b371dcba..a2ba18dc9df 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml @@ -17,7 +17,6 @@ keys: type: str valid_values: ["auto", "deny", "permit"] description: Permit or deny empty passwords for SSH authentication. - default: "auto" protocols: type: list items: