diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index ec311bfed8..d4f1ec5809 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -21,6 +21,7 @@ use strict;
 use warnings FATAL => 'all';
 use PostgreSQL::Test::Utils;
 use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Kerberos;
 use Test::More;
 use Time::HiRes qw(usleep);
 
@@ -34,182 +35,27 @@ elsif (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bkerberos\b/)
 	  'Potentially unsafe test GSSAPI/Kerberos not enabled in PG_TEST_EXTRA';
 }
 
-my ($krb5_bin_dir, $krb5_sbin_dir);
-
-if ($^O eq 'darwin' && -d "/opt/homebrew")
-{
-	# typical paths for Homebrew on ARM
-	$krb5_bin_dir = '/opt/homebrew/opt/krb5/bin';
-	$krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin';
-}
-elsif ($^O eq 'darwin')
-{
-	# typical paths for Homebrew on Intel
-	$krb5_bin_dir = '/usr/local/opt/krb5/bin';
-	$krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
-}
-elsif ($^O eq 'freebsd')
-{
-	$krb5_bin_dir = '/usr/local/bin';
-	$krb5_sbin_dir = '/usr/local/sbin';
-}
-elsif ($^O eq 'linux')
-{
-	$krb5_sbin_dir = '/usr/sbin';
-}
-
-my $krb5_config = 'krb5-config';
-my $kinit = 'kinit';
-my $klist = 'klist';
-my $kdb5_util = 'kdb5_util';
-my $kadmin_local = 'kadmin.local';
-my $krb5kdc = 'krb5kdc';
-
-if ($krb5_bin_dir && -d $krb5_bin_dir)
-{
-	$krb5_config = $krb5_bin_dir . '/' . $krb5_config;
-	$kinit = $krb5_bin_dir . '/' . $kinit;
-	$klist = $krb5_bin_dir . '/' . $klist;
-}
-if ($krb5_sbin_dir && -d $krb5_sbin_dir)
-{
-	$kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
-	$kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
-	$krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
-}
-
-my $host = 'auth-test-localhost.postgresql.example.com';
-my $hostaddr = '127.0.0.1';
-my $realm = 'EXAMPLE.COM';
-
-my $krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
-my $kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
-my $krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
-my $krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
-my $kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
-my $kdc_port = PostgreSQL::Test::Cluster::get_free_port();
-my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
-my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
-my $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
-
 my $pgpass = "${PostgreSQL::Test::Utils::tmp_check}/.pgpass";
 
 my $dbname = 'postgres';
 my $username = 'test1';
 my $application = '001_auth.pl';
 
-note "setting up Kerberos";
-
-my ($stdout, $krb5_version);
-run_log [ $krb5_config, '--version' ], '>', \$stdout
-  or BAIL_OUT("could not execute krb5-config");
-BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
-$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
-  or BAIL_OUT("could not get Kerberos version");
-$krb5_version = $1;
-
 # Construct a pgpass file to make sure we don't use it
 append_to_file($pgpass, '*:*:*:*:abc123');
 
 chmod 0600, $pgpass or die $!;
 
-# Build the krb5.conf to use.
-#
-# Explicitly specify the default (test) realm and the KDC for
-# that realm to avoid the Kerberos library trying to look up
-# that information in DNS, and also because we're using a
-# non-standard KDC port.
-#
-# Also explicitly disable DNS lookups since this isn't really
-# our domain and we shouldn't be causing random DNS requests
-# to be sent out (not to mention that broken DNS environments
-# can cause the tests to take an extra long time and timeout).
-#
-# Reverse DNS is explicitly disabled to avoid any issue with a
-# captive portal or other cases where the reverse DNS succeeds
-# and the Kerberos library uses that as the canonical name of
-# the host and then tries to acquire a cross-realm ticket.
-append_to_file(
-	$krb5_conf,
-	qq![logging]
-default = FILE:$krb5_log
-kdc = FILE:$kdc_log
+note "setting up Kerberos";
 
-[libdefaults]
-dns_lookup_realm = false
-dns_lookup_kdc = false
-default_realm = $realm
-forwardable = false
-rdns = false
+my $host = 'auth-test-localhost.postgresql.example.com';
+my $hostaddr = '127.0.0.1';
+my $realm = 'EXAMPLE.COM';
 
-[realms]
-$realm = {
-    kdc = $hostaddr:$kdc_port
-}
-!);
-
-append_to_file(
-	$kdc_conf,
-	qq![kdcdefaults]
-!);
-
-# For new-enough versions of krb5, use the _listen settings rather
-# than the _ports settings so that we can bind to localhost only.
-if ($krb5_version >= 1.15)
-{
-	append_to_file(
-		$kdc_conf,
-		qq!kdc_listen = $hostaddr:$kdc_port
-kdc_tcp_listen = $hostaddr:$kdc_port
-!);
-}
-else
-{
-	append_to_file(
-		$kdc_conf,
-		qq!kdc_ports = $kdc_port
-kdc_tcp_ports = $kdc_port
-!);
-}
-append_to_file(
-	$kdc_conf,
-	qq!
-[realms]
-$realm = {
-    database_name = $kdc_datadir/principal
-    admin_keytab = FILE:$kdc_datadir/kadm5.keytab
-    acl_file = $kdc_datadir/kadm5.acl
-    key_stash_file = $kdc_datadir/_k5.$realm
-}!);
-
-mkdir $kdc_datadir or die;
-
-# Ensure that we use test's config and cache files, not global ones.
-$ENV{'KRB5_CONFIG'} = $krb5_conf;
-$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
-$ENV{'KRB5CCNAME'} = $krb5_cache;
-
-my $service_principal = "$ENV{with_krb_srvnam}/$host";
-
-system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
+my $krb = PostgreSQL::Test::Kerberos->new($host, $hostaddr, $realm);
 
 my $test1_password = 'secret1';
-system_or_bail $kadmin_local, '-q', "addprinc -pw $test1_password test1";
-
-system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
-system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
-
-system_or_bail $krb5kdc, '-P', $kdc_pidfile;
-
-END
-{
-	# take care not to change the script's exit value
-	my $exit_code = $?;
-
-	kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile;
-
-	$? = $exit_code;
-}
+$krb->create_principal('test1', $test1_password);
 
 note "setting up PostgreSQL instance";
 
@@ -218,7 +64,7 @@ $node->init;
 $node->append_conf(
 	'postgresql.conf', qq{
 listen_addresses = '$hostaddr'
-krb_server_keyfile = '$keytab'
+krb_server_keyfile = '$krb->{keytab}'
 log_connections = on
 lc_messages = 'C'
 });
@@ -332,8 +178,7 @@ $node->restart;
 
 test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket');
 
-run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
-run_log [ $klist, '-f' ] or BAIL_OUT($?);
+$krb->create_ticket('test1', $test1_password);
 
 test_access(
 	$node,
@@ -475,10 +320,8 @@ $node->append_conf(
 	hostgssenc all all $hostaddr/32 gss map=mymap
 });
 
-string_replace_file($krb5_conf, "forwardable = false", "forwardable = true");
-
-run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
-run_log [ $klist, '-f' ] or BAIL_OUT($?);
+# Re-create the ticket, with the forwardable flag set
+$krb->create_ticket('test1', $test1_password, forwardable => 1);
 
 test_access(
 	$node,
diff --git a/src/test/perl/PostgreSQL/Test/Kerberos.pm b/src/test/perl/PostgreSQL/Test/Kerberos.pm
new file mode 100644
index 0000000000..f7810da9c1
--- /dev/null
+++ b/src/test/perl/PostgreSQL/Test/Kerberos.pm
@@ -0,0 +1,234 @@
+
+# Copyright (c) 2021-2024, PostgreSQL Global Development Group
+
+# Sets up a stand-alone KDC for testing PostgreSQL GSSAPI / Kerberos
+# functionality.
+
+package PostgreSQL::Test::Kerberos;
+
+use strict;
+use warnings FATAL => 'all';
+use PostgreSQL::Test::Utils;
+
+our ($krb5_bin_dir, $krb5_sbin_dir, $krb5_config, $kinit, $klist,
+	 $kdb5_util, $kadmin_local, $krb5kdc,
+	 $krb5_conf, $kdc_conf, $krb5_cache, $krb5_log, $kdc_log,
+	 $kdc_port, $kdc_datadir, $kdc_pidfile, $keytab);
+
+INIT
+{
+	if ($^O eq 'darwin' && -d "/opt/homebrew")
+	{
+		# typical paths for Homebrew on ARM
+		$krb5_bin_dir = '/opt/homebrew/opt/krb5/bin';
+		$krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin';
+	}
+	elsif ($^O eq 'darwin')
+	{
+		# typical paths for Homebrew on Intel
+		$krb5_bin_dir = '/usr/local/opt/krb5/bin';
+		$krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
+	}
+	elsif ($^O eq 'freebsd')
+	{
+		$krb5_bin_dir = '/usr/local/bin';
+		$krb5_sbin_dir = '/usr/local/sbin';
+	}
+	elsif ($^O eq 'linux')
+	{
+		$krb5_sbin_dir = '/usr/sbin';
+	}
+
+	$krb5_config = 'krb5-config';
+	$kinit = 'kinit';
+	$klist = 'klist';
+	$kdb5_util = 'kdb5_util';
+	$kadmin_local = 'kadmin.local';
+	$krb5kdc = 'krb5kdc';
+
+	if ($krb5_bin_dir && -d $krb5_bin_dir)
+	{
+		$krb5_config = $krb5_bin_dir . '/' . $krb5_config;
+		$kinit = $krb5_bin_dir . '/' . $kinit;
+		$klist = $krb5_bin_dir . '/' . $klist;
+	}
+	if ($krb5_sbin_dir && -d $krb5_sbin_dir)
+	{
+		$kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
+		$kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
+		$krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
+	}
+
+	$krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
+	$kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
+	$krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
+	$krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
+	$kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
+	$kdc_port = PostgreSQL::Test::Cluster::get_free_port();
+	$kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
+	$kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
+	$keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
+}
+
+=pod
+
+=item PostgreSQL::Test::Kerberos->new(host, hostaddr, realm, %params)
+
+Sets up a new Kerberos realm and KDC.  This function assigns a free
+port for the KDC.  The KDC will be shut down automatically when the
+test script exits.
+
+=over
+
+=item host => 'auth-test-localhost.postgresql.example.com'
+
+Hostname to use in the service principal.
+
+=item hostaddr => '127.0.0.1'
+
+Network interface the KDC will listen on.
+
+=item realm => 'EXAMPLE.COM'
+
+Name of the Kerberos realm.
+
+=back
+
+=cut
+
+sub new
+{
+	my $class = shift;
+	my ($host, $hostaddr, $realm) = @_;
+
+	my ($stdout, $krb5_version);
+	run_log [ $krb5_config, '--version' ], '>', \$stdout
+	  or BAIL_OUT("could not execute krb5-config");
+	BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
+	$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
+	  or BAIL_OUT("could not get Kerberos version");
+	$krb5_version = $1;
+
+	# Build the krb5.conf to use.
+	#
+	# Explicitly specify the default (test) realm and the KDC for
+	# that realm to avoid the Kerberos library trying to look up
+	# that information in DNS, and also because we're using a
+	# non-standard KDC port.
+	#
+	# Also explicitly disable DNS lookups since this isn't really
+	# our domain and we shouldn't be causing random DNS requests
+	# to be sent out (not to mention that broken DNS environments
+	# can cause the tests to take an extra long time and timeout).
+	#
+	# Reverse DNS is explicitly disabled to avoid any issue with a
+	# captive portal or other cases where the reverse DNS succeeds
+	# and the Kerberos library uses that as the canonical name of
+	# the host and then tries to acquire a cross-realm ticket.
+	append_to_file(
+		$krb5_conf,
+		qq![logging]
+default = FILE:$krb5_log
+kdc = FILE:$kdc_log
+
+[libdefaults]
+dns_lookup_realm = false
+dns_lookup_kdc = false
+default_realm = $realm
+forwardable = false
+rdns = false
+
+[realms]
+$realm = {
+    kdc = $hostaddr:$kdc_port
+}
+!);
+
+	append_to_file(
+		$kdc_conf,
+		qq![kdcdefaults]
+!);
+
+	# For new-enough versions of krb5, use the _listen settings rather
+	# than the _ports settings so that we can bind to localhost only.
+	if ($krb5_version >= 1.15)
+	{
+		append_to_file(
+			$kdc_conf,
+			qq!kdc_listen = $hostaddr:$kdc_port
+kdc_tcp_listen = $hostaddr:$kdc_port
+!);
+	}
+	else
+	{
+		append_to_file(
+			$kdc_conf,
+			qq!kdc_ports = $kdc_port
+kdc_tcp_ports = $kdc_port
+!);
+	}
+	append_to_file(
+		$kdc_conf,
+		qq!
+[realms]
+$realm = {
+    database_name = $kdc_datadir/principal
+    admin_keytab = FILE:$kdc_datadir/kadm5.keytab
+    acl_file = $kdc_datadir/kadm5.acl
+    key_stash_file = $kdc_datadir/_k5.$realm
+}!);
+
+	mkdir $kdc_datadir or BAIL_OUT("could not create directory \"$kdc_datadir\"");
+
+	# Ensure that we use test's config and cache files, not global ones.
+	$ENV{'KRB5_CONFIG'} = $krb5_conf;
+	$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
+	$ENV{'KRB5CCNAME'} = $krb5_cache;
+
+	my $service_principal = "$ENV{with_krb_srvnam}/$host";
+
+	system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
+
+	system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
+	system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
+
+	system_or_bail $krb5kdc, '-P', $kdc_pidfile;
+
+	my $self = {};
+	$self->{keytab} = $keytab;
+
+	bless $self, $class;
+
+	return $self;
+}
+
+sub create_principal
+{
+	my ($self, $principal, $password) = @_;
+
+	system_or_bail $kadmin_local, '-q', "addprinc -pw $password $principal";
+}
+
+sub create_ticket
+{
+	my ($self, $principal, $password, %params) = @_;
+
+	my @cmd = ($kinit, $principal);
+
+	push @cmd, '-f' if ($params{forwardable});
+
+	run_log [@cmd], \$password or BAIL_OUT($?);
+	run_log [ $klist, '-f' ] or BAIL_OUT($?);
+}
+
+END
+{
+	# take care not to change the script's exit value
+	my $exit_code = $?;
+
+	kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile;
+
+	$? = $exit_code;
+}
+
+1;