From 7a7eb9de2fc93e54362b4c8b9ecc15294bc1c762 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 2 May 2019 16:57:51 +1000
Subject: [PATCH] kdc: do not include PAC for anonymous AS requests
The PAC will typically contain information that may reveal the identity of a principal. Do not include it for anonymous requests, at least until such time as the PAC plugin API supports indicating that the request was anonymous.
---
 kdc/kerberos5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index d189b7783..9d6bedb10 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2239,7 +2239,7 @@ _kdc_as_rep(kdc_request_t r,
 }
 /* Add the PAC */
- if (send_pac_p(context, req)) {
+ if (send_pac_p(context, req) && !_kdc_is_anon_request(b)) {
 generate_pac(r, skey);
 }
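Review bot: The reason for skipping the PAC is recorded only in the commit message, while the comment above the new condition still reads `/* Add the PAC */`; a later refactor of this condition could silently put identifying data back into anonymous tickets. I would change the comment to `/* Add the PAC, but not for anonymous requests: it may reveal the client's identity */`. The check keys on what the client requested (`_kdc_is_anon_request(b)`), and both `b` and the point where the reply is actually made anonymous lie outside this hunk, so it is worth confirming that the two conditions cannot disagree. A KDC test asserting that an anonymous AS reply carries no PAC would keep this from regressing. `_kdc_as_rep` starts and ends outside the hunk.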