Conversation

@scott-xu
Collaborator

This PR adds support for gssapi-with-mic user authentication with Kerberos, which is defined at https://datatracker.ietf.org/doc/html/rfc4462.

Close #780
Close #170
Close #114

@scott-xu
Collaborator Author

This PR is primarily based on tmds/Tmds.Ssh#188. Credits to @jborean93 and @tmds

🎏 Call for help!
This PR is still at an early stage. If someone can help implement ReflectedNegotiateContext or add an integration test, that would be great!

@Rob-Hague
Collaborator

Some high-level questions:

  1. I am not excited by the prospect of reflection/UnsafeAccessor. Is it just for lower targets? If so, I would prefer to restrict it to targets where it is possible via public api (NET 9+ presumably).

  2. It seems like it would be easier to just have:

         public class GssApiAuthenticationMethod(NegotiateAuthenticationClientOptions options)
         { }

     as the public api?

  3. Have you thought about how to test it? Presumably something can be set up via the dockerfile

@scott-xu
Collaborator Author

  1. I am not excited by the prospect of reflection/UnsafeAccessor. Is it just for lower targets? If so, I would prefer to restrict it to targets where it is possible via public api (NET 9+ presumably).

Reflection is to support .NET Framework.
UnsafeAccessor is to support .NET 8.0.

One reason to choose SSH.NET is that it supports lower targets.

  2. It seems like it would be easier to just have:

         public class GssApiAuthenticationMethod(NegotiateAuthenticationClientOptions options)
         { }

     as the public api?

There are more options than needed if we use NegotiateAuthenticationClientOptions as the public API.

  3. Have you thought about how to test it? Presumably something can be set up via the dockerfile

That's the "call out for help" item 😄

Copilot AI left a comment

Pull Request Overview

This PR implements gssapi-with-mic user authentication with Kerberos as defined in RFC 4462, enabling SSH clients to authenticate using Kerberos tickets.

Key changes:

  • Added support for Kerberos authentication through new GssApiAuthenticationMethod class
  • Implemented message types for GSS-API authentication exchange (response, token, MIC, error)
  • Created KerberosCredential class to configure Kerberos authentication options

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| SshMessageFactory.cs | Registered new GSS-API message types for authentication |
| Session.cs | Added event handlers for GSS-API response and token messages |
| RequestMessageGssApi.cs | Implements initial authentication request with supported mechanism OIDs |
| GssApiTokenMessage.cs | Handles token exchange messages during authentication |
| GssApiResponseMessage.cs | Processes server's mechanism selection response |
| GssApiMicMessage.cs | Sends message integrity check for authentication verification |
| GssApiExchangeCompleteMessage.cs | Signals completion of authentication exchange |
| GssApiErrorTokenMessage.cs | Handles error tokens from server |
| GssApiErrorMessage.cs | Processes detailed error information from server |
| KerberosCredential.cs | Configuration class for Kerberos authentication credentials |
| GssApiAuthenticationMethod.cs | Main authentication method implementation orchestrating the GSS-API exchange |
| GssApiAuthenticationMethod.ReflectedNegotiateContext.cs | Placeholder implementation for .NET Framework |
| GssApiAuthenticationMethod.NegotiateContext.cs | Platform-specific authentication context using NegotiateAuthentication |
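As an added illustration of the message layout the files above implement, here is the RFC 4462 wire format for the three client-side steps the review lists: the initial gssapi-with-mic request carrying DER-encoded mechanism OIDs, parsing of the server's mechanism-selection response (with the check RFC 4462 requires, that the selected OID is one the client actually offered), and the buffer the final MIC is computed over. This is constructed example code, not SSH.NET's or the PR's code; the Kerberos OID is the standard one from RFC 1964, while the user name, service name and session identifier are assumed sample values. Producing the GSS-API tokens and the MIC themselves needs a GSS-API/SSPI library (the PR uses NegotiateAuthentication for that) and is out of scope here.

```python
"""RFC 4462 gssapi-with-mic wire format: client request, server
mechanism-selection response, and the MIC input buffer.
Constructed example; not SSH.NET code."""
import struct

# Message numbers from RFC 4252 (USERAUTH_REQUEST) and RFC 4462 section 3.7.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_GSSAPI_RESPONSE = 60
SSH_MSG_USERAUTH_GSSAPI_TOKEN = 61
SSH_MSG_USERAUTH_GSSAPI_MIC = 66

KRB5_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 mechanism OID (RFC 1964)


def der_oid(dotted: str) -> bytes:
    """DER-encode an OID: tag 0x06, length, first two arcs combined,
    remaining arcs in base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("long-form DER length not needed for mech OIDs")
    return bytes([0x06, len(body)]) + bytes(body)


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Read one SSH string at offset; returns (data, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_userauth_request(user: str, service: str, mechs) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST for gssapi-with-mic (RFC 4462 section 3.2):
    user name, service name, method name, then n DER-encoded OIDs."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST])
    msg += ssh_string(user.encode("utf-8"))
    msg += ssh_string(service.encode("ascii"))
    msg += ssh_string(b"gssapi-with-mic")
    msg += struct.pack(">I", len(mechs))
    for mech in mechs:
        msg += ssh_string(der_oid(mech))
    return msg


def parse_gssapi_response(msg: bytes, offered) -> bytes:
    """Parse SSH_MSG_USERAUTH_GSSAPI_RESPONSE and return the selected OID.
    RFC 4462 section 3.2: if the server selects a mechanism the client did
    not offer, the client must abort the authentication attempt."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_GSSAPI_RESPONSE:
        raise ValueError("not an SSH_MSG_USERAUTH_GSSAPI_RESPONSE")
    selected, off = read_string(msg, 1)
    if off != len(msg):
        raise ValueError("trailing data after selected OID")
    if selected not in {der_oid(m) for m in offered}:
        raise ValueError("server selected a mechanism that was not offered")
    return selected


def mic_input(session_id: bytes, user: str, service: str) -> bytes:
    """Buffer the client passes to GSS_GetMIC() (RFC 4462 section 3.5).
    Including the session identifier binds the GSS-API context to this
    particular SSH session rather than to any session with the same user."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("ascii"))
            + ssh_string(b"gssapi-with-mic"))


def build_mic_message(mic: bytes) -> bytes:
    """SSH_MSG_USERAUTH_GSSAPI_MIC carrying the MIC over mic_input()."""
    return bytes([SSH_MSG_USERAUTH_GSSAPI_MIC]) + ssh_string(mic)


if __name__ == "__main__":
    # Assumed sample values: user "alice", service "ssh-connection",
    # and a constructed 32-byte session identifier.
    req = build_userauth_request("alice", "ssh-connection", [KRB5_OID])
    print("request:", req.hex())
    resp = bytes([SSH_MSG_USERAUTH_GSSAPI_RESPONSE]) + ssh_string(der_oid(KRB5_OID))
    print("selected:", parse_gssapi_response(resp, [KRB5_OID]).hex())
    print("mic input:", mic_input(b"\x01" * 32, "alice", "ssh-connection").hex())
```

The selected-OID check is the part worth keeping in mind when reviewing GssApiResponseMessage.cs: a client that accepts any OID the server names hands mechanism choice to the peer. Likewise, a MIC that omitted the session identifier would verify for any session the same principal authenticates to, which is why the RFC fixes the exact buffer layout.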

Successfully merging this pull request may close these issues:

  • GSSAPI/Kerberos Support
  • GSSAPI support
  • SSH NTLM Single sign on