- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials
           has been completely disabled
- 2.2.7: * do 524 conversion for the "external" cases, too
- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get
           v4 credentials (along with "krb4_convert_524", which was already
           there)
         * don't try to convert v5 creds to v4 creds for AFS when
           "krb4_convert_524" is disabled, either
- 2.2.5: * fix a couple of cases where a debug message would be logged even if
           debugging wasn't enabled
- 2.2.4: * fix reporting of the reasons for password change failures
- 2.2.3: * fix a compilation error
- 2.2.2: * when validating user credentials, don't leak the keytab file
           descriptor
- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall
           isn't available
- 2.2: * refreshing of preexisting credentials works, so unlocking your
         screensaver should fetch new credentials and tokens.  Be careful that
         you don't invoke the authentication function with the "tokens" flag,
         which creates a new PAG, if you want this to be useful.
         As of this writing, at least xscreensaver calls pam_setcred() with the
         proper flag to signal that credentials should be refreshed.  Other
         screen saver applications may not.
       * new "external" option for use with OpenSSH's GSSAPI authentication
         with credential delegation and AFS, *should* work with anything which
         uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in
         the PAM environment
       * new "use_shmem" option for use with OpenSSH's privilege separation mode
       * credential and renewal lifetimes can now be given either as krb5-style
         times or as numbers of seconds
       * new "ignore_unknown_principal"/"ignore_unknown_spn" option
       * new "krb4_convert_524" option
       * configure can now set the default location of the system keytab
       * configure disables AFS support except on Linux and Solaris (for now),
         but can be overridden either way (needs testing on Solaris)
       * can now specify a principal name for AFS cells, to save guesswork
       * should now correctly work with SAM authentication, needs testing
       * "tokens" now behaves like "external" and "use_shmem", in that it
         can be specified in the configuration as a list of service names
- 2.1: switch to a minikafs implementation to flush out lurking ABI differences
  between the krb4 interface the kafs library used and the one which libkrb4
  provides.  Also, we support "2b" tokens now.
- 2.0: more or less complete rewrite.
  Jettison our own krb5.conf parsing code in favor of the supported API.
  This means that configuration settings which look like this:
  [pam]
    forwardable = yes
  are no longer recognized, and must be changed to:
  [appdefaults]
    pam = {
      forwardable = yes
    }
