From 8a67a1f77c25a9d070999a26e7bb89207758b92a Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 23 Jan 2026 00:36:05 -0600
Subject: [PATCH] Revert "kpasswdd: Allow password changes through NATs (fix #1286)"

This reverts commit f37749adc7d2c67979f2438f50c1838f34a7d437.
---
 kpasswd/kpasswdd.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/kpasswd/kpasswdd.c b/kpasswd/kpasswdd.c
index 5f0dab13b..43a733589 100644
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
@@ -548,12 +548,20 @@ verify (krb5_auth_context *auth_context,
 krb_priv_data.length = len - 6 - ap_req_len;
 
 /*
- * Don't set the client's address as the remote on the auth_context so we
- * don't check it in krb5_rd_priv(), so that password changes can be done
- * behind NATs. The idea is that the change/set password protocol isn't
- * really susceptible to reflection attacks. This is MIT's approach.
+ * Only enforce client addresses on on tickets with addresses. If
+ * its addressless, we are guessing its behind NAT and really
+ * can't know this information.
 */
 
+ if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
+ ret = krb5_auth_con_setaddrs (context, *auth_context,
+ NULL, client_addr);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
+ goto out;
+ }
+ }
+
 ret = krb5_rd_priv (context,
 *auth_context,
 &krb_priv_data,
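Review bot: The `krb5_warn` text in the restored block, `"krb5_auth_con_setaddr(this)"`, names neither the function actually called (`krb5_auth_con_setaddrs`) nor the address being set, which here is the remote one (`client_addr`, with `NULL` passed for the local address); something like `"krb5_auth_con_setaddrs(remote)"` would let an operator match a logged failure to this call. The restored comment also records only the NAT guess, so I would add a line such as `* With addresses in the ticket, krb5_rd_priv() checks the sender address against client_addr.` to state what the branch enforces. Going by the removed comment, clients holding addressed tickets behind a NAT will presumably fail that check again, and the comment should say this is intended. The body of `verify` starts and ends outside this hunk, so what the `out` label reports back to the client cannot be judged here.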