Enable Kerberos authentication for SSH interaction

Kerberos authentication is configured by setting the server-side
Kerberos keytab, which identifies the Kerberos principal used for
SSH connections (typically host/canonical.host.name).

For servers that have been appropriately configured, this
file typically exists at /etc/krb5.keytab.

Kerberos authentication can be enabled by adding a line to the
gerrit.config under the ssh section as follows:

[ssh]
        kerberosKeytab = /etc/krb5.keytab

If the file is readable and contains a keytab, Kerberos authentication
is enabled. Accounts must already exist in Gerrit and be active for
authentication to succeed.

If the canonical host is not the name used by the service, the name of
the principal can be defined appropriately:

[ssh]
        kerberosKeytab = /etc/krb5.keytab
        kerberosPrincipal = host/other.host.name

Change-Id: I03744b6391962bdabf647689ec3a2b8d1ab37078
Alex Blewitt
2013-04-01 12:46:48 -04:00
parent e035784cd2
commit 7efb06ff40
4 changed files with 141 additions and 5 deletions

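The commit message describes the enable rule for this feature: Kerberos SSH authentication is on only when ssh.kerberosKeytab names a readable keytab, and the principal defaults to host/<canonical host> unless ssh.kerberosPrincipal overrides it. The following Python is an added example (not part of this commit or of Gerrit's own code) that reads a gerrit.config fragment and reports what that rule would yield, so an operator can check a configuration before restarting the daemon. It assumes a minimal git-config parser written here, and it checks only that the keytab file starts with the two-byte v2 header (0x05 0x02) that MIT and Heimdal write, not that it holds a usable key; the sample keytab and config text in demo() are constructed.

```python
import os
import re
import socket
import tempfile

# Minimal git-config syntax: "[section]" or '[section "sub"]' headers,
# then "key = value" lines; git compares section and key names case-insensitively.
SECTION_RE = re.compile(r'^\[(?P<name>[^\s\]"]+)(?:\s+"(?P<sub>[^"]*)")?\]$')
KEYVAL_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<val>.*)$')

KEYTAB_V2_MAGIC = b'\x05\x02'  # header MIT/Heimdal write at the start of a keytab


def parse_git_config(text):
    """Parse gerrit.config-style text into {section: {key: value}}.

    Subsections are joined as "section.sub"; names are lower-cased.
    Comments starting with '#' or ';' are dropped (assumption: no quoted
    values containing those characters, which this toy parser does not handle).
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name').lower()
            if m.group('sub') is not None:
                current += '.' + m.group('sub')
            result.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            result[current][m.group('key').lower()] = m.group('val').strip()
    return result


def kerberos_ssh_status(config_text, canonical_host=None):
    """Return (enabled, principal, reason) for the [ssh] Kerberos settings.

    Mirrors the rule in the commit message: enabled only when kerberosKeytab
    points at a readable keytab; principal is kerberosPrincipal if set,
    otherwise host/<canonical_host> (assumption: FQDN stands in for Gerrit's
    canonical host name when none is given).
    """
    ssh = parse_git_config(config_text).get('ssh', {})
    keytab = ssh.get('kerberoskeytab')
    if not keytab:
        return (False, None, 'ssh.kerberosKeytab is not set')
    if not os.path.isfile(keytab) or not os.access(keytab, os.R_OK):
        return (False, None, 'keytab %s is not a readable file' % keytab)
    with open(keytab, 'rb') as f:
        magic = f.read(2)
    if magic != KEYTAB_V2_MAGIC:
        return (False, None, 'keytab %s lacks the keytab v2 header' % keytab)
    host = canonical_host or socket.getfqdn()
    principal = ssh.get('kerberosprincipal') or 'host/' + host
    return (True, principal, 'ok')


def demo():
    """Run the check over constructed inputs: a header-only fake keytab
    (not a real key) and four gerrit.config fragments."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(KEYTAB_V2_MAGIC + b'\x00' * 16)  # constructed placeholder body
        path = f.name
    try:
        with_default = '[ssh]\n\tkerberosKeytab = %s\n' % path
        with_principal = with_default + '\tkerberosPrincipal = host/other.host.name\n'
        return {
            'unset': kerberos_ssh_status('[ssh]\n\tlistenAddress = *:29418\n',
                                         'gerrit.example.org'),
            'default': kerberos_ssh_status(with_default, 'gerrit.example.org'),
            'explicit': kerberos_ssh_status(with_principal, 'gerrit.example.org'),
            'missing': kerberos_ssh_status(
                '[ssh]\n\tkerberosKeytab = /nonexistent/krb5.keytab\n',
                'gerrit.example.org'),
        }
    finally:
        os.unlink(path)


if __name__ == '__main__':
    for name, status in demo().items():
        print('%-8s enabled=%s principal=%s (%s)' % ((name,) + status))
```

The check is deliberately read-only: it tells you whether the daemon would turn Kerberos on and which principal it would look for in the keytab, which is the pair most often mismatched when a service host is aliased, as the second configuration block in the commit message describes.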

@@ -42,6 +42,7 @@ import com.google.inject.servlet.RequestScoped;
import org.apache.sshd.common.KeyPairProvider;
import org.apache.sshd.server.CommandFactory;
import org.apache.sshd.server.PublickeyAuthenticator;
import org.apache.sshd.server.auth.gss.GSSAuthenticator;
import org.eclipse.jgit.lib.Config;
import java.net.SocketAddress;
@@ -84,6 +85,7 @@ public class SshModule extends FactoryModule {
.toProvider(StreamCommandExecutorProvider.class).in(SINGLETON);
bind(QueueProvider.class).to(CommandExecutorQueueProvider.class).in(SINGLETON);
bind(GSSAuthenticator.class).to(GerritGSSAuthenticator.class);
bind(PublickeyAuthenticator.class).to(DatabasePubKeyAuth.class);
bind(KeyPairProvider.class).toProvider(HostKeyProvider.class).in(SINGLETON);
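Review bot: the GSSAuthenticator binding on the added line is unconditional, while the commit message says Kerberos authentication is enabled only when ssh.kerberosKeytab names a readable keytab; nothing in this hunk shows where that gate lives, so a short comment next to `bind(GSSAuthenticator.class).to(GerritGSSAuthenticator.class);` pointing at the class that performs the keytab check would save the next reader a search. Also consider whether this binding should carry `.in(SINGLETON)` like the surrounding KeyPairProvider and QueueProvider bindings, since the authenticator presumably reads the keytab path and principal from Config once rather than on every connection.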