pam_krb5: Restore allow_kdc_spoof option

Not only does the new pam_krb5 module not have the same allow_kdc_spoof
option that the old one had, its behavior in this matter defaults to
insecure. Reimplement allow_kdc_spoof and switch the default back.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D53884