From f37749adc7d2c67979f2438f50c1838f34a7d437 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 22 Jan 2026 20:56:28 -0600
Subject: [PATCH] kpasswdd: Allow password changes through NATs (fix #1286)
---
 kpasswd/kpasswdd.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/kpasswd/kpasswdd.c b/kpasswd/kpasswdd.c
index 43a733589..5f0dab13b 100644
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
@@ -548,20 +548,12 @@ verify (krb5_auth_context *auth_context,
 krb_priv_data.length = len - 6 - ap_req_len;
 /*
- * Only enforce client addresses on on tickets with addresses. If
- * its addressless, we are guessing its behind NAT and really
- * can't know this information.
+ * Don't set the client's address as the remote on the auth_context so we
+ * don't check it in krb5_rd_priv(), so that password changes can be done
+ * behind NATs. The idea is that the change/set password protocol isn't
+ * really susceptible to reflection attacks. This is MIT's approach.
 */
- if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
- ret = krb5_auth_con_setaddrs (context, *auth_context,
- NULL, client_addr);
- if (ret) {
- krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
- goto out;
- }
- }
-
 ret = krb5_rd_priv (context, *auth_context, &krb_priv_data,
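Review bot: The new comment in verify() justifies skipping the address check with "isn't really susceptible to reflection attacks" but does not name what the exchange relies on instead, and it does not mention that the removed branch enforced the check only for tickets carrying `caddr`, so those tickets lose a check they previously had. I would extend it with something like `Tickets with addresses were previously checked against client_addr; that check is intentionally gone.` and one sentence naming the remaining protection against reflected or replayed KRB-PRIV messages. With the `krb5_auth_con_setaddrs()` call removed, `client_addr` may no longer be used in verify(); the function starts and ends outside this hunk, so confirm against the full body.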