In normal operation, Kerberos only affects a user's session when he first connects to a system, or when he establishes a connection to some service from that system. In the absence of any other security scheme, all other network traffic is sent entirely as cleartext. This means that the user's email, Zephyrs, logins to non-Kerberos machines, and so on are all vulnerable to ordinary packet sniffing. Furthermore, when a user saves a file to disk, Kerberos doesn't step in and encrypt the file. Therefore, any second user who can subvert UNIX's permission settings, for instance a user with superuser access, can read or use any of the original user's files without his knowledge or permission. In general, it is foolish to expect cleartext data stored on a network-accessible file system to be secure. It should also be noted that Kerberos can't be expected to achieve its intended goal if the user's password is compromised outside of Kerberos protection.
Even considering these shortcomings, Kerberos is a very valuable system. As long as a user is careful with his password, a responsibility he would have with or without Kerberos, he can be fairly certain that another user will be unable to gain access to his account. Ironically, Kerberos could actually increase security more if it were completely invisible to the average user. Then users wouldn't expect Athena to be more secure than any other large computer system, and would vigilantly protect their sensitive data. In the absence of this ideal situation, MIT users' sense of security could be tempered slightly by keeping the MIT community informed of the limits of Kerberos.
Misconceptions about the purpose of Kerberos have caused some MIT users to consider Athena a completely secure system. Unfortunately, no single scheme can be expected to handle all of the security needs of a large network. Still, Kerberos represents a very effective component of a secure system, and is valuable whether or not complete security is the goal.