Add public key pinning in authorized-keys command

[reynir]

This adds pubkey pinning so we don't need to trust the whole slew of CAs that come by default.

You probably want to:

1. Verify the pubkey is stable and doesn't change on renewal,
2. Structure this differently so the pubkey hash is a variable living somewhere else.