fix for http://grid.ncsa.uiuc.edu/ssh/implicitlogin.adv vulnerability:
- don't return success from userauth if authctxt->valid == 0
as that flag is set after important checks for disabled accounts
- proceed with userauth_gssapi() even if authctxt->valid == 0,
because we might set it based on GSSAPI context later, and we
check it before returning success
- set authctxt->valid = 1 only if getpwnamallow() checks succeed
other:
- pass in authctxt to start_pam(), as the signature changed