Password changing from behind a NAT

[Sam Hartman]

>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

    >> We do not consider this a solution because of the reflection
    >> problems.
    Ken> So, I had to look at this to understand the risks here.

The kpasswd protocol may be safe from reflections.  I'm very
uncomfortable with breaking the krb_priv abstraction or introducing a
general security problem for krb_priv.