Fix sandbox for conditional gssapi authentication (#1580017)

Upstream:
https://bugzilla.mindrot.org/attachment.cgi?id=3168&action=diff

openssh-7.8p1-gsskex.patch

@@ -2617,15 +2617,16 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 diff -up openssh/sshd.c.gsskex openssh/sshd.c
 --- openssh/sshd.c.gsskex	2018-08-22 11:47:33.299216360 +0200
 +++ openssh/sshd.c	2018-08-22 13:34:28.455975954 +0200
-@@ -537,7 +537,7 @@ privsep_preauth_child(void)
+@@ -537,8 +537,7 @@ privsep_preauth_child(void)
  
  #ifdef GSSAPI
  	/* Cache supported mechanism OIDs for later use */
 -	if (options.gss_authentication)
-+	if (options.gss_authentication || options.gss_keyex)
- 		ssh_gssapi_prepare_supported_oids();
+-		ssh_gssapi_prepare_supported_oids();
++	ssh_gssapi_prepare_supported_oids();
  #endif
  
+ 	reseed_prngs();
 @@ -887,8 +887,9 @@ notify_hostkeys(struct ssh *ssh)
  	}
  	debug3("%s: sent %u hostkeys", __func__, nkeys);