MID Server SSH cryptographic algorithms

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server SSH cryptographic algorithms

    The MID Server uses SSH clients to execute various discovery actions, establishing secure connections through an SSH handshake. During this handshake, the client and server negotiate supported cryptographic algorithms and select the highest priority algorithm compatible with both parties. This process ensures secure authentication and data exchange.

    Show full answer Show less

    Key Features

    • Default SSH Algorithm Priorities: The MID Server supports multiple algorithms across four categories prioritized by default:
      • Key Exchange Algorithms: Includes ecdh-sha2 variants, diffie-hellman groups with SHA variants, and others.
      • Host Key Algorithms: Used for public key signatures during authentication, including ssh-ed25519, rsa-sha2 variants, ecdsa, ssh-rsa, and ssh-dss.
      • Cipher Algorithms: Covers aes128-ctr, aes192-ctr, aes256-ctr, and CBC modes.
      • MAC Algorithms: Includes hmac-sha2-256, hmac-sha1, hmac-sha2-512, and others.
    • Customization of Algorithm Priorities: Customers can tailor the MID Server’s SSH algorithm priorities to meet specific security requirements using dedicated MID Server properties:
      • mid.ssh.algorithms.kex (Key Exchange)
      • mid.ssh.algorithms.hostkey (Host Key)
      • mid.ssh.algorithms.cipher (Cipher)
      • mid.ssh.algorithms.mac (MAC)
      These properties accept comma-separated lists with operators (+ to append, - to remove, ^ to prioritize) based on OpenSSH syntax, allowing precise control over algorithm selection and order.
    • Important Note: Glide Import operations on the instance use default algorithm lists and are not affected by these MID Server properties, as they run on the instance rather than the MID Server. Instead, SNCSSH handles SFTP and SCP for Glide Import.

    Practical Implications

    • By understanding and customizing SSH algorithms, ServiceNow customers can enhance the security posture of their MID Servers according to organizational policies or compliance requirements.
    • Proper configuration ensures compatibility with SSH servers and avoids handshake failures due to unsupported algorithms.
    • This capability supports integration scenarios requiring strong cryptographic standards and can aid in meeting security audits or governance mandates.

    The MID Server utilizes SSH clients to perform many discovery actions. During the SSH handshake, both the client and server first determine which algorithms both parties support, then client picks the highest priority algorithm. For the Host Key Algorithm, the client picks highest priority algorithm which both parties support that matches the key type.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    Default supported SSH algorithms by priority

    Key Exchange Algorithm
    1. ecdh-sha2-nistp256
    2. ecdh-sha2-nistp384​
    3. ecdh-sha2-nistp521​
    4. diffie-hellman-group-exchange-sha256​
    5. diffie-hellman-group14-sha256​
    6. diffie-hellman-group16-sha512​
    7. diffie-hellman-group14-sha1​
    8. diffie-hellman-group1-sha1​
    9. diffie-hellman-group-exchange-sha1
    Host Key Algorithm​ (used for public key signature during authentication)
    1. ssh-ed25519-cert-v01@openssh.com
    2. rsa-sha2-512-cert-v01@openssh.com
    3. rsa-sha2-256-cert-v01@openssh.com
    4. ssh-ed25519
    5. ecdsa-sha2-nistp256
    6. ecdsa-sha2-nistp384
    7. ecdsa-sha2-nistp521
    8. rsa-sha2-512
    9. rsa-sha2-256
    10. ssh-rsa-cert-v01@openssh.com
    11. ssh-rsa
    12. ssh-dss
    Cipher Algorithm​
    1. aes128-ctr​
    2. aes192-ctr​
    3. aes256-ctr​
    4. aes128-cbc​
    5. aes192-cbc​
    6. aes256-cbc​
    MAC Algorithm
    1. hmac-sha2-256​
    2. hmac-sha1​
    3. hmac-sha2-512​
    4. hmac-sha1-96​
    5. hmac-md5-96​
    6. hmac-md5

    Customize the SSH algorithms priority list

    The MID Server SSH algorithm priorities can be customized based on security needs. Each algorithm is controlled by one of the following MID Server properties.

    Note:
    Glide Import on the instance uses the default algorithm list. The four MID Server properties do not affect Glide Import because it is not run on the MID server. SNCSSH is used for Glide Import on instance for SFTP and SCP.

    • Key Exchange algorithms: mid.ssh.algorithms.kex

    • Host Key algorithms: mid.ssh.algorithms.host_key

    • Cipher algorithms: mid.ssh.algorithms.cipher

    • MAC algorithms: mid.ssh.algorithms.mac

    The properties accept comma separated lists with operators. The first name in the list is highest priority, last name in list is lowest priority. Adding a comma separated list without any operators replaces the default algorithm list. The following operators are based on the OpenSSH standard syntax and modify the algorithm priority list.
    • The + operator appends the comma separated list of algorithms to the default algorithm list.
    • The - operator removes the comma separated list of algorithms from the default algorithm list.
    • The ^ operator places the comma separated list of algorithms at the front of the default algorithm list.
    The MID Server properties using the operators to customize the SSH algorithm lists.