kdc: do not include PAC for anonymous AS requests
author Luke Howard <lukeh@padl.com>
Thu, 2 May 2019 06:57:51 +0000 (16:57 +1000)
committer Jeffrey Altman <jaltman@auristor.com>
Tue, 14 May 2019 19:16:19 +0000 (15:16 -0400)
The PAC will typically contain information that may reveal the identity of a
principal. Do not include it for anonymous requests, at least until such time
as the PAC plugin API supports indicating that the request was anonymous.

kdc/kerberos5.c

index d189b778345bd9c50850b0545ae319a116b1c714..9d6bedb1004feb63923943e734e2ca7cee002b25 100644 (file)
@@ -2239,7 +2239,7 @@ _kdc_as_rep(kdc_request_t r,
     }
 
     /* Add the PAC */
-    if (send_pac_p(context, req)) {
+    if (send_pac_p(context, req) && !_kdc_is_anon_request(b)) {
        generate_pac(r, skey);
     }
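
Review bot: The comment above the changed condition in _kdc_as_rep still reads only `/* Add the PAC */`, so the reason for the new `!_kdc_is_anon_request(b)` term, and the fact that it is meant to be provisional, is recorded only in the commit message. Suggest expanding that comment to say the PAC is omitted for anonymous requests because it can reveal the principal's identity, and that the exclusion can be revisited once the PAC plugin API can be told the request was anonymous. Separately, the test sits at this call site rather than inside send_pac_p, so any other path that decides on PAC inclusion through send_pac_p alone would not pick up the anonymous exclusion; consider whether the check belongs in send_pac_p itself.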