kpasswd: Failed decrypting request

Ken Hornstein kenh at
Fri Aug 18 10:51:42 EDT 2006

>> If there are no plans to fix it (or it can't be fixed)... is there any 
>> possibility the error message could be a bit more descriptive?
>> I'm trying to deploy kerberos to a large number of users, many will be 
>> accessing our systems via the VPN and I'm sure this will be an issue.
>You cannot use the MIT kpasswd through a NAT.  The IP address of the
>client as seen by the server must match the one the client sees.
>When the IETF completes the new set/change password protocol I'm sure
>that MIT will consider implementing it.

If you can't wait for that, fixing the current server to work when the
client is behind a NAT is only about 20-30 lines of code.  I believe the
mailing list archives would show you the different solutions various
people have come up with.


More information about the Kerberos mailing list