Revert "kpasswdd: Allow password changes through NATs (fix #1286)"

This reverts commit f37749adc7.
2026-01-23 00:36:05 -06:00
parent 26dca502be
commit 8a67a1f77c
1 changed files with 12 additions and 4 deletions
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
@@ -548,12 +548,20 @@ verify (krb5_auth_context *auth_context,
    krb_priv_data.length = len - 6 - ap_req_len;

    /*
-     * Don't set the client's address as the remote on the auth_context so we
-     * don't check it in krb5_rd_priv(), so that password changes can be done
-     * behind NATs.  The idea is that the change/set password protocol isn't
-     * really susceptible to reflection attacks.  This is MIT's approach.
+     * Only enforce client addresses on on tickets with addresses.  If
+     * its addressless, we are guessing its behind NAT and really
+     * can't know this information.
     */

+    if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
+	ret = krb5_auth_con_setaddrs (context, *auth_context,
+				      NULL, client_addr);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
+	    goto out;
+	}
+    }
+
    ret = krb5_rd_priv (context,
 			*auth_context,
 			&krb_priv_data,