- 2.4.9: * fix a memory leak when acquiring creds
	 * change the default for subsequent_prompt to be false when the
	   module is called to change passwords (#1063933)
- 2.4.8: * handle when the [libdefaults] default_ccache_name setting is not set
- 2.4.7: * try to read the [libdefaults] default_ccache_name setting, and
	   handle the %{uid}, %{euid}, %{userid}, and %{username} substitutions
	 * stop trying to fix ownership on keyring ccaches, since we stopped
	   having to worry about it around 2.4.0
- 2.4.6: * fix handling of ccaches for users who are mapped to principal
	   names in a realm other than the configured default realm (#999604)
- 2.4.5: * handle ccname templates that don't include a template suffix
	   by accepting the location at create-time if the permissions
	   look right, and not deleting the creds at cleanup-time
	 * fix some memory leaks
- 2.4.4: * compilation fixes
- 2.4.3: * translation updates
- 2.4.2: * handle different function signatures for krb5_trace_callback
	 * avoid overriding the primary when updating DIR: caches
- 2.4.1: * handle creation of /run/user/XXX for FILE: and DIR: caches
- 2.4.0: * drop configuration settings that duplicated library settings
	 * drop the existing_ticket option
	 * drop krb4 support
	 * add support for preserving configuration information in ccaches
	 * add support for creating and cleaning up DIR: ccaches
	 * finish cleaning up KEYRING: ccaches
	 * add experimental "armor" and "armor_strategy" options
- 2.3.14:* also drop privileges when reinitializing or refreshing credentials,
           for the sake of login (#822493)
- 2.3.13:* don't bother creating a v5 ccache in "external" mode
	 * add a "trace" option to enable libkrb5 tracing, if available
	 * avoid trying to get password-change creds twice
	 * use an in-memory ccache when obtaining tokens using v5 creds
	 * turn off creds==session in "sshd"
- 2.3.12:* add a "validate_user_user" option to control trying to perform
	   user-to-user authentication to validate TGTs when a keytab is not
	   available
	 * add an "ignore_k5login" option to control whether or not the module
	   will use the krb5_kuserok() function to perform additional
	   authorization checks
	 * turn on validation by default - verify_ap_req_nofail controls how we
	   treat errors reading keytab files now
	 * add an "always_allow_localname" option when we can use
	   krb5_aname_to_localname() to second-guess the krb5_kuserok() check
	 * prefer krb5_change_password() to krb5_set_password()
- 2.3.11:* create credentials before trying to look up the location of the
	   user's home directory via krb5_kuserok()
- 2.3.10:* fine-tune the logic for selecting which key we use for validating
	   credentials
- 2.3.9: * add a "multiple_ccaches" option to allow forcing the previous
	   behavior of not deleting an old ccache whenever we create a new
	   one, but saving them until the call that caused us to create
	   them is reversed
- 2.3.8: * add a "chpw_prompt" option to allow password changes to happen
	   during what the calling application thinks is just a password
	   check, to work around applications that don't handle the case
	   of an expired password correctly (#509092, based on patch from
	   Olivier Fourdan)
- 2.3.7: * when refreshing credentials, store the new creds in the default
	   ccache if $KRB5CCNAME isn't set (#507984)
- 2.3.6: * prefer a "host" key, if one is found, when validating TGTs
	   (#450776)
- 2.3.5: * make prompting behavior for non-existent accounts and users who
	   just press enter match up with those who aren't/don't (#502602,
	   CVE-2009-1384)
- 2.3.4: * don't request password-changing credentials using the same options
	   we use for ticket-granting tickets
- 2.3.3: * close a couple of open pipes to defunct processes, fix a couple
	   of debug messages
- 2.3.2: * fix ccache permissions bypass when the "existing_ticket" option is
	   used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
- 2.3.1: * make afs5log's -n option actually work the "null_afs" option
	 * translations for messages!
- 2.3.0: * added the ability to set up tokens in the rxk5 format
	 * added the "token_strategy" option to control which methods we'll
	   try to use for setting tokens
	 * merge "null_afs" functionality from Jan Iven
- 2.2.23: * when we're changing passwords, force at least one attempt to
	    authenticate using the KDC, even in the pathological case where
	    there's no previously-entered password and we were told not to ask
	    for one (#400611)
- 2.2.22: * moved .k5login checks to a subprocess to avoid screwing with the
	    parent process's tokens and PAG (fallout from #371761)
	  * all options which took true/false before ("debug", "tokens", and
	    so on) can now take service names
- 2.2.21: * fix permissions problems on keyring ccaches, so that users can write
	    to them after we've set them up, and we can still do the cleanup
	  * fix permission problems accessing .k5login files in home directories
	    which live in AFS (#371761)
- 2.2.20: * fixes for credential refreshing
	  * avoid running afoul of SELinux policy when attempting to get tokens
- 2.2.19: * the "keytab" option can now be used to specify a custom location
	    for a given service from within krb5.conf
	  * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH
	    if LOG_AUTHPRIV is not defined) instead of the application's default
	    or LOG_USER
	  * added the "pkinit_identity" option to provide a way to specify
	    where the user's public-key credentials are, and "pkinit_flags" to
	    specify arbitrary flags for libkrb5 (Heimdal only)
	  * added the "preauth_options" option to provide a way to specify
	    arbitrary preauthentication options to libkrb5 (MIT only)
	  * added the "ccname_template" option to provide a way to specify
	    where the user's credentials should be stored, so that KEYRING:
	    credential caches can be deployed at will.
- 2.2.18: * fix permissions-related problems creating v4 ticket files
- 2.2.17: * corrected a typo in the pam_krb5(8) man page
	  * clarified that the "tokens" flag should only be needed for
	    applications which are not using PAM correctly
	  * clarified COPYING and .spec file to better reflect licensing as
	    indicated in the source files
- 2.2.16: * don't bother using a helper for creating v4 ticket files when we're
	    just getting tokens
	  * clean up the debug message which we emit when we do v5->v4
	    principal name conversion
	  * compilation fixes
- 2.2.15: * let default "external" and "use_shmem" settings be specified at
	    compile-time
	  * correctly return an "unknown user" error when attempting to change
	    a password for a user who has no corresponding principal (#235020)
	  * don't bother using a helper for creating ccache files, which we're
	    just going to delete, when we need to get tokens
- 2.2.14: * handle "client revoked" errors
- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a
	    time to work around apps which open a session, set the environment,
	    and initialize creds (when we previously created a ccache, removing
	    the one which was named in the environment) (#204939)
- 2.2.12: * add a "pwhelp" option.  Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
	    our authentication callback simply failed to authenticate (#207410)
	  * fix setting of items for password-changing modules which get called
	    after us (Michael Calmer)
- 2.2.10: * add the "no_subsequent_prompt" option, to force the module to
	    always answer a libkrb5 prompt with the PAM_AUTHTOK value
	  * add the "debug_sensitive" option, which actually logs passwords
	  * add the --with-os-distribution option to configure to override
	    "Red Hat Linux" in the man pages
	  * if the server returns an error message during password-changing,
	    let the user see it
- 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in
	   an unsafe situation and told to refresh credentials
	 * fix a race condition in how the ccache creation helper is invoked
	 * properly handle "external" cases where the forwarded creds belong
	   to someone other than the principal name we guessed for the user
- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials
           has been completely disabled
- 2.2.7: * do 524 conversion for the "external" cases, too
- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get
           v4 credentials (along with "krb4_convert_524", which was already
           there)
         * don't try to convert v5 creds to v4 creds for AFS when
           "krb4_convert_524" is disabled, either
- 2.2.5: * fix a couple of cases where a debug message would be logged even if
           debugging wasn't enabled
- 2.2.4: * fix reporting of the reasons for password change failures
- 2.2.3: * fix a compilation error
- 2.2.2: * when validating user credentials, don't leak the keytab file
           descriptor
- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall
           isn't available
- 2.2: * refreshing of preexisting credentials works, so unlocking your
         screensaver should fetch new credentials and tokens.  Be careful that
         you don't invoke the authentication function with the "tokens" flag,
         which creates a new PAG, if you want this to be useful.
         As of this writing, at least xscreensaver calls pam_setcred() with the
         proper flag to signal that credentials should be refreshed.  Other
         screen saver applications may not.
       * new "external" option for use with OpenSSH's GSSAPI authentication
         with credential delegation and AFS, *should* work with anything which
         uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in
         the PAM environment
       * new "use_shmem" option for use with OpenSSH's privilege separation mode
       * credential and renewal lifetimes can now be given either as krb5-style
         times or as numbers of seconds
       * new "ignore_unknown_principal"/"ignore_unknown_spn" option
       * new "krb4_convert_524" option
       * configure can now set the default location of the system keytab
       * configure disables AFS support except on Linux and Solaris (for now),
         but can be overridden either way (needs testing on Solaris)
       * can now specify a principal name for AFS cells, to save guesswork
       * should now correctly work with SAM authentication, needs testing
       * "tokens" now behaves like "external" and "use_shmem", in that it
         can be specified in the configuration as a list of service names
- 2.1: switch to a minikafs implementation to flush out lurking ABI differences
  between the krb4 interface the kafs library used and the one which libkrb4
  provides.  Also, we support "2b" tokens now.
- 2.0: more or less complete rewrite.
  Jettison our own krb5.conf parsing code in favor of the supported API.
  This means that configuration settings which look like this:
  [pam]
    forwardable = yes
  are no longer recognized, and must be changed to:
  [appdefaults]
    pam = {
      forwardable = yes
    }
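
Added example (not part of pam_krb5 or of the original NEWS file): a Python script that finds settings still sitting in an old-style [pam] section, which the 2.0 entry says are no longer recognized, and prints them in the [appdefaults] form. It assumes the old section holds flat key = value lines; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample of a pre-2.0 krb5.conf; not taken from any real system.
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.COM

[pam]
  # old-style module settings
  forwardable = yes
  debug = false

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*([^\s=#;]+)\s*=\s*(.*?)\s*$")


def legacy_pam_settings(text):
    """Return (line_no, key, value) for each setting in a top-level [pam] section."""
    found, section = [], None
    for line_no, line in enumerate(text.splitlines(), start=1):
        header = SECTION.match(line)
        if header:
            section = header.group(1).strip()
            continue
        # Only flat settings inside [pam] matter; skip comment lines.
        if section != "pam" or line.lstrip().startswith(("#", ";")):
            continue
        setting = SETTING.match(line)
        if setting:
            found.append((line_no, setting.group(1), setting.group(2)))
    return found


def as_appdefaults(settings):
    """Render the settings in the [appdefaults] pam = { ... } form."""
    body = "".join(f"    {key} = {value}\n" for _, key, value in settings)
    return "[appdefaults]\n  pam = {\n" + body + "  }\n"


if __name__ == "__main__":
    hits = legacy_pam_settings(SAMPLE)
    for line_no, key, value in hits:
        print(f"line {line_no}: [pam] {key} = {value} is not recognized by 2.0 and later")
    print(as_appdefaults(hits))
```

Running the check against a host's krb5.conf after an upgrade shows which module settings have silently stopped taking effect.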