Use SHA256 instead of MD5 for key fingerprints

[tobhe]

We ran into problems using this module when running in FIPS mode. MD5 is not allowed with FIPS and in general probably not a good idea to use for key fingerprints anymore.

I propose switching to SHA256 which upstream OpenSSH appears to use by default since OpenSSH 6.8. The PR also changes the format of SSH fingerprints from hex encoding to base64 with appended hash name for compatibility with upstream fingerprints.

[tobhe]

Here is a little before and after from my last round of tests. With md5 and hex encoding:

pam_ssh_agent_auth: Found matching RSA key: c9:20:ff:09:15:7b:a2:e6:59:e3:a7:4a:60:0c:4f:61:1a:60:07:c9:d2:98:76:7f:71:4f:2f:d2:fc:00:c1:7d

vs sha256 in base64:

pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

Which now matches the output of $ ssh-keygen -lf ~/.ssh/id_rsa.pub:

4096 SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0 (RSA)