In the Kerberos scheme there is a (probably physically protected) computer that is trusted to know who should have access to what. Never mind how it comes by this information. More precisely, the security server knows which users should have access to which servers.

An unspoken assumption is that a user's computer, the client, does just what the user wants it to do. This does not mean that the client trusts the user.

Compromise of the client allows stealing the identity and Kerberos authority of any user who uses that client.

The client can effectively vouch for the identity of the user if the user trusts the client with his password, which, of course, he must do each time, since it is the client that passes the password to the security server.

In a Kerberos installation the user is typically trusted to vouch for the integrity of his client. In any case the client is in a position to steal the user's identity and abuse his authority, at least until the user's password changes, and beyond that if the client is also the means by which the password is changed. The client could probably deny service by changing the user's password, but then the user is likely to notice.
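To make that exposure window concrete, the following is an added toy model (not code from the original page or from any Kerberos implementation) of a security server, an honest client and a compromised client. The key derivation and the ticket exchange are simplified assumptions, and the user name, passwords and server name are constructed.

```python
import hashlib, hmac

def derive_key(password):
    # Toy stand-in for the Kerberos string-to-key step (assumption: not the real algorithm).
    return hashlib.sha256(password.encode()).digest()

class SecurityServer:
    # Knows each user's key and which servers that user may reach.
    def __init__(self):
        self.keys, self.access = {}, {}
    def enroll(self, user, password, servers):
        self.keys[user], self.access[user] = derive_key(password), set(servers)
    def change_password(self, user, old, new):
        if not hmac.compare_digest(self.keys[user], derive_key(old)):
            raise PermissionError("old password does not match")
        self.keys[user] = derive_key(new)
    def ticket_for(self, user, server, key):
        # Toy exchange: a ticket goes only to a holder of the user's key, and only for a permitted server.
        if server in self.access[user] and hmac.compare_digest(key, self.keys[user]):
            return f"TICKET:{user}@{server}"
        return None

class Client:
    # The user's computer. Every client sees the password; a compromised one keeps it.
    def __init__(self, compromised=False):
        self.compromised, self.captured = compromised, {}
    def logon(self, kdc, user, password, server):
        if self.compromised:
            self.captured[user] = password
        return kdc.ticket_for(user, server, derive_key(password))
    def change_password(self, kdc, user, old, new):
        if self.compromised:
            self.captured[user] = new  # the replacement secret passes through the client too
        kdc.change_password(user, old, new)
    def still_holds_authority(self, kdc, user, server):
        # Can this client obtain a ticket for the user with no user present?
        return kdc.ticket_for(user, server, derive_key(self.captured.get(user, ""))) is not None

def exposure_windows():
    # Returns whether the compromised client keeps alice's authority at three points in time.
    kdc = SecurityServer()
    kdc.enroll("alice", "pw-1", ["mail"])
    bad = Client(compromised=True)
    bad.logon(kdc, "alice", "pw-1", "mail")                 # alice uses the compromised client once
    before = bad.still_holds_authority(kdc, "alice", "mail")
    Client().change_password(kdc, "alice", "pw-1", "pw-2")  # change made from a trustworthy client
    after_clean_change = bad.still_holds_authority(kdc, "alice", "mail")
    bad.change_password(kdc, "alice", "pw-2", "pw-3")       # change made through the compromised client
    after_bad_change = bad.still_holds_authority(kdc, "alice", "mail")
    return before, after_clean_change, after_bad_change
```

Running `exposure_windows()` yields `(True, False, True)`: the stolen authority survives until the password is changed from a client the compromised one cannot observe, and comes back as soon as a change is routed through the compromised client.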

It is possible for the security server to trust selected clients and (harder) to provide trustworthy clients. If the user is able to distinguish such trusted clients, then he can guard his identity. A compromised client can steal only the identities of the users who use that client.

The issue is the trust that the security server places in a particular client. There are two interesting cases ...