setuid programs will automatically ignore environment
variables that normally affect krb5 API functions, even if the
caller does not use krb5_init_secure_context().
breaks ksu when run in an ssh session (either interactively, or, e.g.,
by ansible). ssh creates separate ccaches for each session and sets
KRB5CCNAME accordingly; ignoring the process environment causes ksu to
look at the nonexistent default ccache and conclude that the user
needs to enter a password to authenticate.