MID Server SSH cryptographic algorithms

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server SSH cryptographic algorithms

    The MID Server uses SSH clients to perform various discovery actions by establishing secure connections through SSH handshakes. During this handshake, the client and server negotiate supported cryptographic algorithms and select the highest priority algorithm compatible with both parties. This process applies to key exchange, host key, cipher, and MAC algorithms, ensuring secure communication in discovery tasks.

    Show full answer Show less

    Key Features

    • Default Supported Algorithms: The MID Server supports a prioritized list of algorithms for key exchange (e.g., ecdh-sha2-nistp256, diffie-hellman-group14-sha256), host key (e.g., ssh-ed25519, rsa-sha2-512), cipher (e.g., aes128-ctr, aes256-cbc), and MAC (e.g., hmac-sha2-256, hmac-md5) operations.
    • Algorithm Selection: The client selects the highest priority algorithm supported by both client and server for each category, matching the key type for host key algorithms.
    • Customization of Algorithm Priorities: Customers can customize the SSH algorithm priorities through specific MID Server properties:
      • Key Exchange: mid.ssh.algorithms.kex
      • Host Key: mid.ssh.algorithms.hostkey
      • Cipher: mid.ssh.algorithms.cipher
      • MAC: mid.ssh.algorithms.mac
    • Property Configuration: The properties accept comma-separated lists to define algorithm priority. Operators allow appending (+), removing (-), or prioritizing (^) algorithms relative to the default list.
    • Glide Import Exception: Glide Import operations use default algorithms and are not affected by these MID Server properties as they run on the instance rather than the MID Server. SNCSSH is used for Glide Import SFTP and SCP instead.

    Practical Implications for ServiceNow Customers

    • You can tailor SSH cryptographic algorithm priorities on the MID Server to meet specific security requirements or compliance standards.
    • Understanding and adjusting these settings enables stronger security during discovery and remote command executions that rely on SSH connections.
    • Since Glide Import operates differently, ensure its SSH needs are managed separately from the MID Server settings.
    • Familiarity with the operators (+, -, ^) allows fine control over algorithm lists without completely replacing defaults, facilitating incremental security improvements.

    The MID Server utilizes SSH clients to perform many discovery actions. During the SSH handshake, both the client and server first determine which algorithms both parties support, then client picks the highest priority algorithm. For the Host Key Algorithm, the client picks highest priority algorithm which both parties support that matches the key type.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    Default supported SSH algorithms by priority

    Key Exchange Algorithm
    1. ecdh-sha2-nistp256
    2. ecdh-sha2-nistp384​
    3. ecdh-sha2-nistp521​
    4. diffie-hellman-group-exchange-sha256​
    5. diffie-hellman-group14-sha256​
    6. diffie-hellman-group16-sha512​
    7. diffie-hellman-group14-sha1​
    8. diffie-hellman-group1-sha1​
    9. diffie-hellman-group-exchange-sha1
    Host Key Algorithm​ (used for public key signature during authentication)
    1. ssh-ed25519-cert-v01@openssh.com
    2. rsa-sha2-512-cert-v01@openssh.com
    3. rsa-sha2-256-cert-v01@openssh.com
    4. ssh-ed25519
    5. ecdsa-sha2-nistp256
    6. ecdsa-sha2-nistp384
    7. ecdsa-sha2-nistp521
    8. rsa-sha2-512
    9. rsa-sha2-256
    10. ssh-rsa-cert-v01@openssh.com
    11. ssh-rsa
    12. ssh-dss
    Cipher Algorithm​
    1. aes128-ctr​
    2. aes192-ctr​
    3. aes256-ctr​
    4. aes128-cbc​
    5. aes192-cbc​
    6. aes256-cbc​
    MAC Algorithm
    1. hmac-sha2-256​
    2. hmac-sha1​
    3. hmac-sha2-512​
    4. hmac-sha1-96​
    5. hmac-md5-96​
    6. hmac-md5

    Customize the SSH algorithms priority list

    The MID Server SSH algorithm priorities can be customized based on security needs. Each algorithm is controlled by one of the following MID Server properties.

    Note:
    Glide Import on the instance uses the default algorithm list. The four MID Server properties do not affect Glide Import because it is not run on the MID server. SNCSSH is used for Glide Import on instance for SFTP and SCP.

    • Key Exchange algorithms: mid.ssh.algorithms.kex

    • Host Key algorithms: mid.ssh.algorithms.host_key

    • Cipher algorithms: mid.ssh.algorithms.cipher

    • MAC algorithms: mid.ssh.algorithms.mac

    The properties accept comma separated lists with operators. The first name in the list is highest priority, last name in list is lowest priority. Adding a comma separated list without any operators replaces the default algorithm list. The following operators are based on the OpenSSH standard syntax and modify the algorithm priority list.
    • The + operator appends the comma separated list of algorithms to the default algorithm list.
    • The - operator removes the comma separated list of algorithms from the default algorithm list.
    • The ^ operator places the comma separated list of algorithms at the front of the default algorithm list.
    The MID Server properties using the operators to customize the SSH algorithm lists.