don't use paramiko's get_fingerprint (md5)

In order for n-g-s to be able to run on a node in FIPS enforcing mode,
it *must* not use md5. However, paramiko's code has a get_fingerprint
call where it is fingerprinting data for the exchange to identify
a difference, which can use any algorithm realistically.

Anyhow, this is necessary because it appears that paramiko's maintainer
is not really interested in fixing the md5 usage. As a result, we're
forced to monkeypatch paramiko, which is loaded by netmiko, which is
what NGS uses.

This should be fixed in paramiko, but also it seems several changes
been proposed without forward movement.

https: //github.com/paramiko/paramiko/pull/688
https: //github.com/paramiko/paramiko/pull/1103
https: //github.com/paramiko/paramiko/pull/2189
https: //github.com/paramiko/paramiko/pull/2496
https: //github.com/paramiko/paramiko/issues/2383
https: //github.com/paramiko/paramiko/issues/396
Related-Bug: 2098819
Change-Id: Ia3fb9d2baa14be1726197d1115e92adc9ce5ce0a

Author: juliakreger

networking_generic_switch/devices/netmiko_devices/__init__.py

@@ -15,12 +15,14 @@
 import atexit
 import contextlib
 import functools
+import hashlib
 import uuid
 
 import netmiko
 from oslo_config import cfg
 from oslo_log import log as logging
-import paramiko
+from paramiko import PKey as _pkey  # noqa - This is for a monkeypatch
+import paramiko  # noqa - Must load after the patch
 import tenacity
 from tooz import coordination
 
@@ -30,6 +32,11 @@
 from networking_generic_switch import exceptions as exc
 from networking_generic_switch import locking as ngs_lock
 
+# NOTE(TheJulia) monkey patch paramiko's get_finerprint function
+# to use sha256 instead of md5, since Paramiko's maintainer doesn't
+# seem to be concerned about FIPS compliance.
+_pkey.get_fingerprint = lambda x: hashlib.sha256(x.asbytes()).digest()
+
 LOG = logging.getLogger(__name__)
 CONF = cfg.CONF