- log to AUTHPRIV facility by default
    - add a "ccname_template" option, which can be set to "KEYRING:..." to
        switch to using the kernel keyring
    - add a "preauth_options" option for setting generic preauth parameters
    - allow "keytab" locations to be specified on a per-service basis, so that
        unprivileged apps which do password-checking and which have their own
        keytabs can use their own keys to validate the KDC's response
    - move temporary ccaches which aren't used for serializing from FILE: type
        into MEMORY: type
    - don't barf during credential refresh when $KRB5CCNAME isn't set
    - set perms on the user's KEYRING: ccache so that the user can write to it
    - suppress an error message if a KEYRING: ccache we're about to destroy has
        already been revoked
    - make sure that we have tokens when checking the user's .k5login (#371761)