Support one time key based initial authentication

[ushachar]

I'm looking into deploying weave in multiple on-premise locations, where some of the machines could be eventually compromised/decommissioned.
When working in a potentially high-risk environment, it would be useful to be able to:

1. Prevent an attacker from reusing a password token to join malicious instances into the weave network.
2. Support forcibly detaching a node from the network.

This can be done without creating a 'master' node using an approach like:
first_node:
Only the password hash needs to be saved & propagated by weave.
$ weave launch --master-password abc
$ weave provision --master-password abc
One time key, valid for 5 minutes: xyz

second_node:
There's a small time span where conflicts could arise if a very fast attacker attempts to join a second instance using key X before knowledge about the first instance using key X propagates throughout the network.
$ weave launch --key xyz initial_node

third_node
$ weave launch --key xyz
Failed to join network, peer already exists

And on any node attached to the network, one could run:
$ weave eject --key xyz --master-password abc

This is somewhat related to issues #39 (since a selectively distributed password update could be used to eject a node) and #206

[bboreham]

This is an interesting requirement. I wonder if it can be integrated with something like Vault to handle the tokens.