update backport for selecting which key to use for validation so that it
prefers services with the local host name as the instance, from HEAD (more
of #450776)
[2.2.14-14]
backport the ‘multiple_ccaches’ option from HEAD, requiring that it
be enabled to not immediately remove an old ccache when asked to create
a new one (#463417)
[2.2.14-13]
add patch to add the ‘chpw_prompt’ option, to allow the older behavior
of attempting a password-change during authentication if libkrb5 detects
an expired password, based on patch from Olivier Fourdan (#509092)
[2.2.14-12]
dont vary the password prompt depending on whether or not the user exists
or is known to the KDC (CVE-2009-1384, #505265)
prefer using the ‘host’ service when verifying that a TGT isnt forged,
from HEAD (#450776)
[2.2.14-11]
dont enforce minimum_uid when no_user_check is also used, from
HEAD (#490404)
dont try to get password-changing creds with all of the flags set
that we would request for a TGT (#489015)