- Fix the usage of getaddrinfo, which caused a fatal error on python3.9
  on Mac.
- Make --showbearerurl work properly in combination with --nobearertoken.
- Change the httokendecode error message for a missing token file to
  stderr instead of stdin.

- Fix httokendecode -H functionality to only attempt to convert a parsed word
  if it is entirely numeric, not if it just contains one digit.  At the same
  time, rewrite the functionality in native bash instead of using grep and sed.
- Add htdestroytoken command.
- Add a symlink htdecodetoken pointing to httokendecode.

- Revert to prior method for allowing --vaultalias as an alternate name
  for matching the host cert.  It doesn't support wildcard certs, but it
  permits allowing either the original host name or the alias and avoids
  needing separate alias options for kerberos and https.

- Update htgettoken to allow utf-8 characters in messages.

- Update httokendecode to also validate the token if scitokens-verify is
  in $PATH.

- Write out vault tokens after kerberos or ssh authentication only
  if they can successfully be used to read a bearer token
- Change the oidc authentication prompt to say to "copy/paste into any web
  browser" instead of "open URL manually"
- Update python dependencies to current versions in pip

- Add support for ssh-agent authentication, including the --sshpath, 
  --nossh and --registerssh options.  Add the paramiko package to the
  included library packages.
- Remove "/login" from --kerbpath.

- If kerberos initialization fails with the default KRB5_CONFIG="", try
    again without it.  Observed to be needed at CNAF, although not for
    FNAL, CERN, or LIGO.  Don't do second try if the first error was due
    to an expired ticket, because that sometimes erroneously succeeds on
    second try.

- Try a default cafile of '/etc/pki/tls/cert.pem' if system default is empty.
  This can happen when the SSL_CERT_FILE environment variable is empty.

- Add --kerbprincipal option
- Change the default kerbpath to include issuer and role
- Limit oidc polling to 2 minutes
- Disable oidc authenticatio when running in the background, that is, when
    none of stdin, stdout, or stderr are on a tty
- Document that audience can be a comma or space separated list
- Updated pip-installed dependent packages to latest versions

- Fix working with a kerberos domain that is missing from krb5.conf
- Extract more formatted information from http exceptions
- Improve format of printed kerberos exceptions

- Integrate with htcondor, including these changes:
 - Change --authpath option name to --oidcpath.
 - Add --noidc option.
 - Add --vaulttokenttl option.
 - Make --vaulttokenfile default to /dev/stdout if the ttl is more than
    a million seconds, and also require it to start with /dev/std or
    /dev/fd if the ttl is more than a million seconds.
 - Add --vaulttokeninfile option.
 - Add --nobearertoken option.
 - Add --showbearerurl option.
 - Send progress output to stderr if --vaulttokenfile is /dev/stdout or
     --showbearerurl option is enabled.
- Use a separate version number for the python library downloads tarball.