MID Server SSH cryptographic algorithms

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server SSH cryptographic algorithms

    The MID Server uses SSH clients for various discovery actions, establishing secure connections through an SSH handshake. During this handshake, both client and server negotiate supported cryptographic algorithms, selecting the highest priority mutually supported algorithm for each category. Understanding and managing these algorithms is critical for securing communications and ensuring compatibility with target systems.

    Show full answer Show less

    Key Features

    • Default Supported SSH Algorithms:
      • Key Exchange Algorithms: Includes ecdh-sha2 variants, diffie-hellman groups with SHA-256, SHA-512, and SHA-1.
      • Host Key Algorithms: Used for public key signature during authentication; includes ssh-ed25519, rsa-sha2 variants, ecdsa-sha2 variants, ssh-rsa, ssh-dss, and their certificate forms.
      • Cipher Algorithms: Includes AES in CTR and CBC modes with 128-, 192-, and 256-bit keys.
      • MAC Algorithms: Includes various HMACs such as hmac-sha2-256, hmac-sha1, hmac-sha2-512, and md5 variants.
    • Customizing Algorithm Priorities: Customers can modify the priority and selection of SSH algorithms via MID Server properties for each algorithm category:
      • mid.ssh.algorithms.kex for Key Exchange
      • mid.ssh.algorithms.hostkey for Host Key
      • mid.ssh.algorithms.cipher for Cipher
      • mid.ssh.algorithms.mac for MAC
      These properties accept comma-separated lists and support OpenSSH-style operators to append (+), remove (-), or prioritize (^) algorithms in the list.
    • Important Notes:
      • The MID Server properties do not affect Glide Import tasks, as Glide Import uses the instance-side SNCSSH client instead of the MID Server's SSH client.
      • Proper configuration of these algorithms helps align with security policies and compliance requirements.

    Practical Implications for ServiceNow Customers

    By understanding and customizing SSH cryptographic algorithms, ServiceNow customers can:

    • Ensure secure and compatible SSH connections for MID Server discovery and other operations.
    • Adapt algorithm priorities to meet organizational security standards or to comply with regulatory frameworks.
    • Resolve interoperability issues with SSH servers that require specific algorithms or disallow deprecated ones.
    • Maintain control over cryptographic settings without impacting instance-side functions like Glide Import.

    Customers should consider reviewing related security features such as MID Server certificate policies, mutual authentication, and FIPS enforcement to complement SSH algorithm configuration.

    The MID Server utilizes SSH clients to perform many discovery actions. During the SSH handshake, both the client and server first determine which algorithms both parties support, then client picks the highest priority algorithm. For the Host Key Algorithm, the client picks highest priority algorithm which both parties support that matches the key type.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    Default supported SSH algorithms by priority

    Key Exchange Algorithm
    1. ecdh-sha2-nistp256
    2. ecdh-sha2-nistp384​
    3. ecdh-sha2-nistp521​
    4. diffie-hellman-group-exchange-sha256​
    5. diffie-hellman-group14-sha256​
    6. diffie-hellman-group16-sha512​
    7. diffie-hellman-group14-sha1​
    8. diffie-hellman-group1-sha1​
    9. diffie-hellman-group-exchange-sha1
    Host Key Algorithm​ (used for public key signature during authentication)
    1. ssh-ed25519-cert-v01@openssh.com
    2. rsa-sha2-512-cert-v01@openssh.com
    3. rsa-sha2-256-cert-v01@openssh.com
    4. ssh-ed25519
    5. ecdsa-sha2-nistp256
    6. ecdsa-sha2-nistp384
    7. ecdsa-sha2-nistp521
    8. rsa-sha2-512
    9. rsa-sha2-256
    10. ssh-rsa-cert-v01@openssh.com
    11. ssh-rsa
    12. ssh-dss
    Cipher Algorithm​
    1. aes128-ctr​
    2. aes192-ctr​
    3. aes256-ctr​
    4. aes128-cbc​
    5. aes192-cbc​
    6. aes256-cbc​
    MAC Algorithm
    1. hmac-sha2-256​
    2. hmac-sha1​
    3. hmac-sha2-512​
    4. hmac-sha1-96​
    5. hmac-md5-96​
    6. hmac-md5

    Customize the SSH algorithms priority list

    The MID Server SSH algorithm priorities can be customized based on security needs. Each algorithm is controlled by one of the following MID Server properties.

    Note:
    Glide Import on the instance uses the default algorithm list. The four MID Server properties do not affect Glide Import because it is not run on the MID server. SNCSSH is used for Glide Import on instance for SFTP and SCP.

    • Key Exchange algorithms: mid.ssh.algorithms.kex

    • Host Key algorithms: mid.ssh.algorithms.host_key

    • Cipher algorithms: mid.ssh.algorithms.cipher

    • MAC algorithms: mid.ssh.algorithms.mac

    The properties accept comma separated lists with operators. The first name in the list is highest priority, last name in list is lowest priority. Adding a comma separated list without any operators replaces the default algorithm list. The following operators are based on the OpenSSH standard syntax and modify the algorithm priority list.
    • The + operator appends the comma separated list of algorithms to the default algorithm list.
    • The - operator removes the comma separated list of algorithms from the default algorithm list.
    • The ^ operator places the comma separated list of algorithms at the front of the default algorithm list.
    The MID Server properties using the operators to customize the SSH algorithm lists.