Use host_256_fingerprint for diego-ssh #1014

@winkingturtle-vmw

Proposed Change

As a developer
I want to use host_256_fingerprint on desired-lrp for checksumming the SSH keys if present
so that when CAPI requests a desired-lrp with SHA256, diego-ssh uses a more secure hashing algorithm

Context

Previously we have tried to be clever and use the length of the fingerprint to determine the hashing algorithm in one and two attempts. This implementation requires diego-release to have been updated to support SHA256 before capi-release can send out the SHA256 fingerprint. Since capi-release is first in deployment order, this means that in order to get this feature, we'd have to have multiple deployments. This shortcoming could be avoided if capi just added a new field host_256_fingerprint to the desired LRP and diego-ssh used that field if present and, if not, fell back to the old behavior.

Implementation

Revert the following PRs

and re-implement the logic to, instead of using length to determine the hashing algorithm, use the host_256_fingerprint field for SHA256 and fall back to fingerprint and length if the value is empty.

Acceptance criteria

Scenario: Before deploying the changes introduced in this PR
Given I have deployed a CF with this change
Then I can cf ssh into the app using the old SHA1 hashing algorithm

Scenario: After deploying the changes introduced in this PR
Given I have deployed a CF with this change
Then I can cf ssh into the app using the SHA256 hashing algorithm

Related links
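
The selection logic proposed under Implementation, sketched as an added example (not diego-ssh code and not part of the original issue). The helper names are hypothetical, and the encodings are assumptions: colon-separated hex for the legacy field (47 characters for MD5, 59 for SHA1) and unpadded base64 for host_256_fingerprint.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// colonHex renders a digest as colon-separated lowercase hex ("aa:bb:...").
func colonHex(sum []byte) string {
	return strings.ReplaceAll(fmt.Sprintf("% x", sum), " ", ":")
}

func fpMD5(key []byte) string  { s := md5.Sum(key); return colonHex(s[:]) }
func fpSHA1(key []byte) string { s := sha1.Sum(key); return colonHex(s[:]) }

// fpSHA256 assumes OpenSSH-style unpadded base64 for the new field.
func fpSHA256(key []byte) string {
	s := sha256.Sum256(key)
	return base64.RawStdEncoding.EncodeToString(s[:])
}

// checkHostKey (hypothetical helper) returns the algorithm chosen and whether
// the presented key matches the fingerprint for that algorithm.
func checkHostKey(key []byte, host256, legacy string) (string, bool) {
	if host256 != "" {
		// New field present: SHA256 only. A mismatch is final; retrying with
		// the legacy field would let a weaker hash override the stronger one.
		return "sha256", fpSHA256(key) == host256
	}
	switch len(legacy) { // old behavior: length selects the algorithm
	case 59: // 20-byte SHA1 digest as colon hex
		return "sha1", fpSHA1(key) == legacy
	case 47: // 16-byte MD5 digest as colon hex
		return "md5", fpMD5(key) == legacy
	}
	return "unknown", false
}

func main() {
	key := []byte("constructed-host-key-blob") // constructed sample, not a real key
	fmt.Println(checkHostKey(key, "", fpSHA1(key)))                    // field absent
	fmt.Println(checkHostKey(key, fpSHA256(key), fpSHA1(key)))         // field present
	fmt.Println(checkHostKey(key, fpSHA256([]byte("x")), fpSHA1(key))) // mismatch, no fallback
}
```

Treating a SHA256 mismatch as final, rather than retrying against the legacy field, is a choice made in this sketch; the issue only specifies the fallback for an empty value.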
