diff -Nru pam-ssh-agent-auth-0.10.3/debian/changelog pam-ssh-agent-auth-0.10.3/debian/changelog --- pam-ssh-agent-auth-0.10.3/debian/changelog 2020-04-10 18:48:27.000000000 +0200 +++ pam-ssh-agent-auth-0.10.3/debian/changelog 2022-03-17 15:31:12.000000000 +0100 @@ -1,3 +1,13 @@ +pam-ssh-agent-auth (0.10.3-3ubuntu1.21.10.1) impish; urgency=medium + + * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64 + encoding for key fingerprints. MD5 fingerprints are deprecated, + OpenSSH has switched to SHA256 since OpenSSH 6.8. + This will make the fingerprints compatible with ssh-keygen -l and allow + the package to work in FIPS mode. (LP: #1964486) + + -- Tobias Heider Thu, 17 Mar 2022 15:31:12 +0100 + pam-ssh-agent-auth (0.10.3-3ubuntu1) focal; urgency=medium * Fix segfault when using ECDSA keys (LP: #1869512) diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch --- pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch 1970-01-01 01:00:00.000000000 +0100 +++ pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch 2022-03-17 15:31:12.000000000 +0100 
@@ -0,0 +1,116 @@ +Description: Switch key fingerprint hash algorithm from MD5 to SHA256. + Use the newer base64 encoding format introduced in OpenSSH 6.8 to produce + fingerprints compatible with ssh-keygen -l. +Forwarded: yes +Bug: https://github.com/jbeverly/pam_ssh_agent_auth/pull/37 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486 +Author: Tobias Heider + +Index: pam-ssh-agent-auth-0.10.3/key.c +=================================================================== +--- pam-ssh-agent-auth-0.10.3.orig/key.c ++++ pam-ssh-agent-auth-0.10.3/key.c +@@ -281,11 +281,8 @@ pamsshagentauth_key_fingerprint_raw(cons + *dgst_raw_length = 0; + + switch (dgst_type) { +- case SSH_FP_MD5: +- md = EVP_md5(); +- break; +- case SSH_FP_SHA1: +- md = EVP_sha1(); ++ case SSH_FP_SHA256: ++ md = EVP_sha256(); + break; + default: + pamsshagentauth_fatal("key_fingerprint_raw: bad digest type %d", +@@ -338,6 +335,31 @@ pamsshagentauth_key_fingerprint_raw(cons + } + + static char * ++key_fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) ++{ ++ char *ret; ++ size_t plen = strlen(alg) + 1; ++ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; ++ int r; ++ ++ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) ++ return NULL; ++ pamsshagentauth_strlcpy(ret, alg, rlen); ++ pamsshagentauth_strlcat(ret, ":", rlen); ++ if (dgst_raw_len == 0) ++ return ret; ++ if ((r = pamsshagentauth___b64_ntop(dgst_raw, dgst_raw_len, ++ ret + plen, rlen - plen)) == -1) { ++ explicit_bzero(ret, rlen); ++ free(ret); ++ return NULL; ++ } ++ /* Trim padding characters from end */ ++ ret[strcspn(ret, "=")] = '\0'; ++ return ret; ++} ++ ++static char * + key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len) + { + char *retval; +@@ -405,6 +427,7 @@ key_fingerprint_bubblebabble(u_char *dgs + char * + pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) + { ++ const char *dgst_name; + char *retval = NULL; + 
u_char *dgst_raw; + u_int dgst_raw_len; +@@ -416,6 +439,16 @@ pamsshagentauth_key_fingerprint(const Ke + case SSH_FP_HEX: + retval = key_fingerprint_hex(dgst_raw, dgst_raw_len); + break; ++ case SSH_FP_BASE64: ++ switch (dgst_type) { ++ case SSH_FP_SHA256: ++ dgst_name = "SHA256"; ++ break; ++ default: ++ goto done; ++ } ++ retval = key_fingerprint_b64(dgst_name, dgst_raw, dgst_raw_len); ++ break; + case SSH_FP_BUBBLEBABBLE: + retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); + break; +@@ -424,6 +457,7 @@ pamsshagentauth_key_fingerprint(const Ke + dgst_rep); + break; + } ++ done: + memset(dgst_raw, 0, dgst_raw_len); + pamsshagentauth_xfree(dgst_raw); + return retval; +Index: pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c +=================================================================== +--- pam-ssh-agent-auth-0.10.3.orig/pam_user_key_allowed2.c ++++ pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c +@@ -102,7 +102,7 @@ pamsshagentauth_check_authkeys_file(FILE + found_key = 1; + pamsshagentauth_logit("matching key found: file/command %s, line %lu", file, + linenum); +- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); ++ fp = pamsshagentauth_key_fingerprint(found, SSH_FP_SHA256, SSH_FP_BASE64); + pamsshagentauth_logit("Found matching %s key: %s", + pamsshagentauth_key_type(found), fp); + pamsshagentauth_xfree(fp); +Index: pam-ssh-agent-auth-0.10.3/key.h +=================================================================== +--- pam-ssh-agent-auth-0.10.3.orig/key.h ++++ pam-ssh-agent-auth-0.10.3/key.h +@@ -50,6 +50,7 @@ enum fp_type { + }; + enum fp_rep { + SSH_FP_HEX, ++ SSH_FP_BASE64, + SSH_FP_BUBBLEBABBLE + }; + diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/series pam-ssh-agent-auth-0.10.3/debian/patches/series --- pam-ssh-agent-auth-0.10.3/debian/patches/series 2020-04-10 18:48:24.000000000 +0200 +++ pam-ssh-agent-auth-0.10.3/debian/patches/series 2022-03-17 15:31:12.000000000 +0100 
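Review bot: The new `key_fingerprint_b64` returns NULL on calloc failure or a `pamsshagentauth___b64_ntop` error, and through the new `goto done` path `pamsshagentauth_key_fingerprint` now hands that NULL back where the previous hex path (presumably xmalloc-based, like the rest of key.c) never did; the updated call in pam_user_key_allowed2.c passes `fp` straight to `%s` and to `pamsshagentauth_xfree(fp)`, which is undefined behaviour for a NULL `%s` argument and, if xfree keeps the OpenSSH convention of fatal()ing on NULL, would abort the PAM module in the middle of an authentication. Either allocate with the file's own fatal-on-failure wrapper so the helper cannot return NULL, or guard the call site: `pamsshagentauth_logit("Found matching %s key: %s", pamsshagentauth_key_type(found), fp ? fp : "(unknown)"); if (fp != NULL) pamsshagentauth_xfree(fp);`. The fingerprint is only written to the log here, so the MD5→SHA256 switch changes what is logged, not the allow/deny decision, which is still made by the key comparison above. The MD5 and SHA1 cases are dropped from the switch in `pamsshagentauth_key_fingerprint_raw` while their enum values presumably remain in `fp_type`, so any other caller still passing SSH_FP_MD5 would now reach `pamsshagentauth_fatal`; worth grepping the tree for remaining SSH_FP_MD5/SSH_FP_SHA1 uses before landing. Note also that the helper uses `explicit_bzero` while the surrounding function wipes with `memset`; if the project's compat layer does not provide `explicit_bzero`, the build will break on libcs that lack it.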
@@ -2,3 +2,4 @@
 openssl-1.1.1-1.patch
 openssl-1.1.1-2.patch
 lp1869512.patch
+fingerprint_sha256.patch