8b59881 rpcserver: validate Kerberos principal name before running kinit

9 files. Authored by abbra 4 months ago, committed by frenaud 4 months ago.
    rpcserver: validate Kerberos principal name before running kinit
    
    Do minimal validation of the Kerberos principal name when passing it to
    kinit command line tool. Also pass it as the final argument to prevent
    option injection.
    
    Accepted Kerberos principals are:
     - user names, using the following regexp
       (username with optional @realm, no spaces or slashes in the name):
       "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
    
     - service names (with slash in the name but no spaces). Validation of
       the hostname is done. There is no validation of the service name.
    
    The regular expression above also covers cases where a principal name
    starts with '-'. This prevents option injection as well.
    
    This fixes CVE-2024-1481
    
    Fixes: https://pagure.io/freeipa/issue/9541
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
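
The validation rules in the commit message, as an added Python example that is not the FreeIPA code from this commit. The user regexp is copied from the message. The hostname pattern `HOST_RE`, the function names, the constructed ccache path and the `--` end-of-options marker are assumptions of this example.

```python
import re

# User-principal pattern copied from the commit message above.
USER_RE = re.compile(
    r"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
)
# Assumption: a simple DNS-label check stands in for the hostname validation.
HOST_RE = re.compile(
    r"[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
    r"(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*"
)


def validate_principal(principal):
    """Return the principal unchanged if acceptable, else raise ValueError."""
    if not isinstance(principal, str) or not principal:
        raise ValueError("principal must be a non-empty string")
    if "/" in principal:
        # Service principal: service/hostname[@REALM], no whitespace anywhere.
        if any(ch.isspace() for ch in principal):
            raise ValueError("whitespace in service principal")
        service, _, rest = principal.partition("/")
        host, _, _realm = rest.partition("@")
        # The service part is only required to be non-empty, as on the page.
        if not service or not HOST_RE.fullmatch(host):
            raise ValueError("bad service principal host")
        return principal
    # fullmatch, not match: in Python "$" also matches before a trailing "\n".
    if not USER_RE.fullmatch(principal):
        raise ValueError("bad user principal")
    return principal


def build_kinit_argv(principal, ccache="/tmp/krb5cc_example"):
    """Build (not run) a kinit argv with the validated principal last."""
    # "--" is this example's addition: it ends getopt option parsing, so even
    # a service name beginning with "-" is treated as the principal operand.
    return ["kinit", "-c", ccache, "--", validate_principal(principal)]


def is_accepted(principal):
    """Boolean wrapper around validate_principal for quick checks."""
    try:
        validate_principal(principal)
        return True
    except ValueError:
        return False
```

The argv is returned as a list for use with an exec-style call that takes no shell, so the principal is never re-parsed as shell syntax.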
    
        
file modified
+45 -2
file modified
+5 -4
file modified
+1 -0
empty file added
file modified
+1 -1