- log to AUTHPRIV facility by default
- add a "ccname_template" option, which can be set to "KEYRING:..." to
switch to using the kernel keyring
- add a "preauth_options" option for setting generic preauth parameters
- allow "keytab" locations to be specified on a per-service basis, so that
unprivileged apps which do password-checking and which have their own
keytabs can use their own keys to validate the KDC's response
- move temporary ccaches which aren't used for serializing from FILE: type
into MEMORY: type
- don't barf during credential refresh when $KRB5CCNAME isn't set
- set perms on the user's KEYRING: ccache so that the user can write to it
- suppress an error message if a KEYRING: ccache we're about to destroy has
already been revoked
- make sure that we have tokens when checking the user's .k5login (#371761)