Add a GSSAPI authentication test

[zacikpa]

This PR follows a recent mailing list discussion about GSSAPI maintenance, adding a test that covers simple GSSAPI authentication workflows with an MIT Kerberos KDC. The test is inspired by similar tests in libssh, making use of LD_PRELOAD and nss_wrapper for emulating /etc/hosts and gethostname(), so it can be run under non-root users.

[cryptomilk]

Looks good. Optional: If you add socket_wrapper you could also run on default ports.

[zacikpa]

Updated by adding a missing removal of KDC pidfile during cleanup which would occasionally make the test fail due to a race.

@cryptomilk Thanks for having a look. I chose not to use socket_wrapper since none of the other regression tests use standard (e.g., SSH) ports by default anyway.

[cryptomilk]

I don't know how much of a real world you want to fake. Normally Kerberos uses SRV records to lookup a KDC. If you want to use this libkrb5 uses libresolv for SRV record lookups. Using https://cwrap.org/resolv_wrapper.html can provide this.

[daztucker]

Thanks, this looks great! I'm going to drop the addition to LTESTS since that's something that we keep in sync with upstream, and for now enable this by setting EXTRA_LTESTS in the test driver in the appropriate configs.

[daztucker]

Running: https://github.com/openssh/openssh-portable/actions/runs/21764043669/job/62794852013

Thanks!