Add support for openssh certificates

[VAveryanov8]

Hi there,

Many companies for security reasons allow ssh connections only with private key and user certificate.
Current default behavior of openssh while we what to establish connection with private key (for example: ~/.ssh/bastion-key) is try to load public certificate for that key with "-cert.pub" postfix (for example: ~/.ssh/bastion-key-cert.pub) if no certificates was explicitly specified by the CertificateFile directive in ssh client config.
More about this behavior - http://man.openbsd.org/ssh#i
More about openssh certificates: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=1.10

I propose to add new connection argument "bastion_user_cert".
Then connection via bastion host that require certificate file will looks like:

connection {
  agent               = "false"
  user                = "ec2-user"
  host                = "${aws_instance.name.private_ip}"
  private_key         = "${file("/path/to/private.key")}"
  bastion_user        = "Bastion.User"
  bastion_host        = "${data.aws_instance.bastion.public_ip}"
  bastion_private_key = "${file("path/to/bastion/private.key")}"
  bastion_user_cert   = "${file("path/to/bastion/user-cert.pub")}"
}

If there are no objections i am ready to write pull request for this =)

Thanks,
Vasil Averyanau

[sherodtaylor]

@apparentlymart #18017 is ready.