For reference:

* Heimdal appears to match our new behavior for gss_acquire_cred with no specified mechs (that is, it gets creds for all mechanisms).
* Heimdal supports the "wrong" krb5 mech OID (the one used by Microsoft) inside its SPNEGO implementation. It doesn't return that OID in gss_indicate_mechs and it doesn't let applications use that OID.
* Heimdal doesn't appear to have any support for the "old" krb5 mech OID.

Adopting the above behavior would reduce the number of krb5 cred acquisition operations for a default gss_acquire_cred from 8 to 4, and the number of ssh userauth negotiation attempts from 4 to 2.