- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a
    time to work around apps which open a session, set the environment,
    and initialize creds (when we previously created a ccache, removing
    the one which was named in the environment)
- 2.2.12: * add a "pwhelp" option. Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
    our authentication callback simply failed to authenticate (#207410)
  * fix setting of items for password-changing modules which get called
    after us (Michael Calmer)
- 2.2.10: * add the "no_subsequent_prompt" option, to force the module to
    always answer a libkrb5 prompt with the PAM_AUTHTOK value
  * add the "debug_sensitive" option, which actually logs passwords
  * add the --with-os-distribution option to configure to override
    "Red Hat Linux" in the man pages
  * if the server returns an error message during password-changing,
    let the user see it
- 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in
    an unsafe situation and told to refresh credentials
  * fix a race condition in how the ccache creation helper is invoked
  * properly handle "external" cases where the forwarded creds belong
    to someone other than the principal name we guessed for the user
- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials
    has been completely disabled
- 2.2.7: * do 524 conversion for the "external" cases, too
- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get
    v4 credentials (along with "krb4_convert_524", which was already
    there)
  * don't try to convert v5 creds to v4 creds for AFS when
    "krb4_convert_524" is disabled, either
- 2.2.5: * fix a couple of cases where a debug message would be logged even if
    debugging wasn't enabled
- 2.2.4: * fix reporting of the reasons for password change failures
- 2.2.3: * fix a compilation error
- 2.2.2: * when validating user credentials, don't leak the keytab file
    descriptor
- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall
    isn't available
- 2.2: * refreshing of preexisting credentials works, so unlocking your
    screensaver should fetch new credentials and tokens. Be careful that
    you don't invoke the authentication function with the "tokens" flag,
    which creates a new PAG, if you want this to be useful.
    As of this writing, at least xscreensaver calls pam_setcred() with the
    proper flag to signal that credentials should be refreshed. Other
    screen saver applications may not.
  * new "external" option for use with OpenSSH's GSSAPI authentication
    with credential delegation and AFS, *should* work with anything which
    uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in
    the PAM environment
  * new "use_shmem" option for use with OpenSSH's privilege separation mode
  * credential and renewal lifetimes can now be given either as krb5-style
    times or as numbers of seconds
  * new "ignore_unknown_principal"/"ignore_unknown_spn" option
  * new "krb4_convert_524" option
  * configure can now set the default location of the system keytab
  * configure disables AFS support except on Linux and Solaris (for now),
    but can be overridden either way (needs testing on Solaris)
  * can now specify a principal name for AFS cells, to save guesswork
  * should now correctly work with SAM authentication, needs testing
  * "tokens" now behaves like "external" and "use_shmem", in that it
    can be specified in the configuration as a list of service names
- 2.1: switch to a minikafs implementation to flush out lurking ABI differences
  between the krb4 interface the kafs library used and the one which libkrb4
  provides. Also, we support "2b" tokens now.
- 2.0: more or less complete rewrite.
  Jettison our own krb5.conf parsing code in favor of the supported API.
  This means that configuration settings which look like this:
    [pam]
      forwardable = yes
  are no longer recognized, and must be changed to:
    [appdefaults]
      pam = {
        forwardable = yes
      }
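
Because settings left in a [pam] section are no longer recognized from 2.0 on, a krb5.conf can be checked for them after an upgrade. The following is an added example, not part of pam_krb5 or its NEWS file: it lists settings still in a [pam] section, renders them in the [appdefaults] form shown above, and flags the "debug_sensitive" option from the 2.2.10 entry. The function names, the sample contents, the accepted boolean spellings and the assumption that "debug_sensitive" can appear as a krb5.conf key are illustrative.

```python
import re

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
TRUTHY = {"yes", "true", "on", "1"}  # assumed boolean spellings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[pam]
 forwardable = yes
[appdefaults]
 pam = {
   debug_sensitive = true
 }
"""

def legacy_pam_settings(conf_text):
    """Return (key, value) pairs from a pre-2.0 style [pam] section."""
    found, section = [], None
    for line in conf_text.splitlines():
        sec, kv = SECTION.match(line), SETTING.match(line)
        if sec:
            section = sec.group(1).strip().lower()
        elif kv and section == "pam":
            found.append((kv.group(1), kv.group(2)))
    return found

def to_appdefaults(settings):
    """Render settings in the [appdefaults] form shown in the 2.0 entry."""
    body = "".join(f"    {key} = {value}\n" for key, value in settings)
    return "[appdefaults]\n  pam = {\n" + body + "  }\n"

def audit(conf_text):
    """List findings: unread legacy settings and password-logging debug."""
    findings = []
    legacy = legacy_pam_settings(conf_text)
    if legacy:
        keys = ", ".join(key for key, _ in legacy)
        findings.append(f"[pam] section no longer recognized: {keys}")
    for line in conf_text.splitlines():
        kv = SETTING.match(line)
        if kv and kv.group(1) == "debug_sensitive" and kv.group(2).lower() in TRUTHY:
            findings.append("debug_sensitive is set: this option logs passwords")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
    print(to_appdefaults(legacy_pam_settings(SAMPLE)))
```

If the file already has an [appdefaults] section, merge the rendered pam = { ... } block into it rather than adding a second section header.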