
Add support for SSH CAs #1098

Merged
merged 3 commits into from
Apr 30, 2024

Conversation

@johnmaguire (Collaborator) commented Mar 26, 2024

This adds support for configuring SSH CAs. The SSH server will accept authentication for any valid certificate signed by an SSH CA, assuming that the user they connect with matches a principal in the certificate - if no principals are defined in the cert, then any username can be used.

This is a step towards #1076, but does not implement group access control.

While working on this PR I noticed that removing authorized keys from the SSH configuration does not take effect upon reload. wireSSHReload calls configSSH with the existing server, and SSHServer.ClearAuthorizedKeys is not called anywhere in the codebase.

For this reason, I opted for the same behavior with CAs. I can fix this if it's a bug.

@johnmaguire (Collaborator, Author) commented Mar 27, 2024

In #1076, it was requested that this support a concept of "groups" as SSH certificate principals. In other words, when creating a certificate, you would specify groups (e.g. dev, ops, support). In the Nebula config file, you'd have a list of allowed_principals which would only allow certificates containing one of these principals. I imagine this would be a per-CA option (and should alternatively allow for an "any" rule, omitting the list).

This could get a little awkward though - the current implementation requires that the username you connect with match a principal in the certificate. Ultimately however, the debug SSH server has no concept of permissions, so this username is only used for logging purposes. We could remove the username restriction and update the log line to record both the "key ID" and all principals, in the case of an SSH cert.

@wadey wadey added this to the v1.9.0 milestone Apr 24, 2024
@nbrownus nbrownus modified the milestones: v1.9.0, v1.10.0 Apr 29, 2024
@wadey wadey modified the milestones: v1.10.0, v1.9.0 Apr 30, 2024
@johnmaguire johnmaguire merged commit f31bab5 into slackhq:master Apr 30, 2024
@johnmaguire johnmaguire deleted the ssh-ca branch April 30, 2024 14:50
johnmaguire added a commit to DefinedNet/nebula-docs that referenced this pull request May 1, 2024
@wadey wadey mentioned this pull request May 6, 2024