there should be a new firstname.lastname@example.org account, where this email@example.com account should be merged with.
Just to confirm that the new @freebsd.org account exists.
How is simply resetting the kpasswd via SSH using the right @freebsd user name not an easy route for a denial of service? (E.g. anyone can reset the kerberos passwords for all commiters, who have to recover their passwords tediously thereafter, no?
(In reply to Richard Scheffenegger from comment #1)
Accounts have been merged. Closing PR as fixed.
You can reset the user's password only if you have user's private SSH key to login to the kpasswd server. Without it attacker can only get this far:
% ssh firstname.lastname@example.org
Permission denied (publickey).