MID Server SSH cryptographic algorithms

  • Release version: Australia
  • Updated March 12, 2026

    The MID Server uses SSH clients to perform many discovery actions. During the SSH handshake, the client and server first determine which algorithms both parties support, then the client picks the highest-priority algorithm from that common set. For the Host Key Algorithm, the client picks the highest-priority algorithm that both parties support and that matches the key type.

    Default supported SSH algorithms by priority

    Key Exchange Algorithm
    1. ecdh-sha2-nistp256
    2. ecdh-sha2-nistp384
    3. ecdh-sha2-nistp521
    4. diffie-hellman-group-exchange-sha256
    5. diffie-hellman-group14-sha256
    6. diffie-hellman-group16-sha512
    7. diffie-hellman-group14-sha1
    8. diffie-hellman-group1-sha1
    9. diffie-hellman-group-exchange-sha1

    Host Key Algorithm (used for public key signature during authentication)
    1. ssh-ed25519-cert-v01@openssh.com
    2. rsa-sha2-512-cert-v01@openssh.com
    3. rsa-sha2-256-cert-v01@openssh.com
    4. ssh-ed25519
    5. ecdsa-sha2-nistp256
    6. ecdsa-sha2-nistp384
    7. ecdsa-sha2-nistp521
    8. rsa-sha2-512
    9. rsa-sha2-256
    10. ssh-rsa-cert-v01@openssh.com
    11. ssh-rsa
    12. ssh-dss

    Cipher Algorithm
    1. aes128-ctr
    2. aes192-ctr
    3. aes256-ctr
    4. aes128-cbc
    5. aes192-cbc
    6. aes256-cbc

    MAC Algorithm
    1. hmac-sha2-256
    2. hmac-sha1
    3. hmac-sha2-512
    4. hmac-sha1-96
    5. hmac-md5-96
    6. hmac-md5

    Customize the SSH algorithms priority list

    The MID Server SSH algorithm priorities can be customized based on security needs. Each algorithm is controlled by one of the following MID Server properties.

    Note:
    Glide Import on the instance uses the default algorithm list. The four MID Server properties do not affect Glide Import because it does not run on the MID Server. On the instance, Glide Import uses SNCSSH for SFTP and SCP.

    • Key Exchange algorithms: mid.ssh.algorithms.kex
    • Host Key algorithms: mid.ssh.algorithms.host_key
    • Cipher algorithms: mid.ssh.algorithms.cipher
    • MAC algorithms: mid.ssh.algorithms.mac

    The properties accept comma-separated lists with operators. The first name in the list has the highest priority and the last name has the lowest. A comma-separated list without any operator replaces the default algorithm list. The following operators are based on the OpenSSH standard syntax and modify the default algorithm priority list.
    • The + operator appends the comma-separated list of algorithms to the default algorithm list.
    • The - operator removes the comma-separated list of algorithms from the default algorithm list.
    • The ^ operator places the comma-separated list of algorithms at the front of the default algorithm list.
    The MID Server properties using the operators to customize the SSH algorithm lists.
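
The following added example (not ServiceNow code) models the operator rules above for the key exchange property and then runs the client-side selection described at the top of the page. It shows how removing the SHA-1 key exchanges affects a target that offers nothing else. Names are matched exactly; the function names, the sample server offer, and the handling of duplicates and empty values are assumptions.

```python
# Added example: models the property syntax described on this page.
# Default key exchange priority list, copied from the page.
DEFAULT_KEX = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
]
SHA1_KEX = [n for n in DEFAULT_KEX if n.endswith("sha1")]

# Constructed sample: an old device that offers only SHA-1 key exchange.
LEGACY_SERVER_KEX = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]


def apply_property(default, value):
    """Return the effective priority list for one property value."""
    value = value.strip()
    op = value[0] if value[:1] in ("+", "-", "^") else ""
    names = [n.strip() for n in value[len(op):].split(",") if n.strip()]
    if op == "+":   # append to the defaults (assumption: skip duplicates)
        return default + [n for n in names if n not in default]
    if op == "-":   # remove from the defaults
        return [n for n in default if n not in names]
    if op == "^":   # move to the front (assumption: no duplicates kept)
        return names + [n for n in default if n not in names]
    # No operator: the list replaces the defaults.
    # Assumption: an empty value leaves the defaults in place.
    return names or list(default)


def negotiate(client, server):
    """Client picks its highest-priority algorithm the server also offers."""
    return next((n for n in client if n in server), None)


if __name__ == "__main__":
    hardened = apply_property(DEFAULT_KEX, "-" + ",".join(SHA1_KEX))
    print("default  ->", negotiate(DEFAULT_KEX, LEGACY_SERVER_KEX))
    print("hardened ->", negotiate(hardened, LEGACY_SERVER_KEX))
```

A result of None means the client and target share no key exchange algorithm, so the handshake cannot complete; check which targets depend on a legacy algorithm before removing it.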