SSH and Kerberos
Machines that are configured to use Kerberos for authentication are also configured, by default, to use Kerberos authentication (GSSAPI) and delegation for outgoing SSH connections to other MCECS machines. This means that if you are physically logged into a workstation and you SSH to another computer, you won’t have to enter your password again, and your Kerberos ticket will “follow” you to the computer you SSH’d into.
SSH To Machines That Use Kerberos Authentication Using SSH Keys Won’t Work
Key-based authentication to machines that use Kerberos for authentication and for protecting NFS traffic either won’t work at all, or will work in unreliable and unpredictable ways. This is because your SSH public key resides in your home directory, which is not available until you have a valid Kerberos ticket. It’s best to assume that it won’t work at all and use GSSAPI authentication to authenticate to workstations and other Kerberos-protected computers.
SSH From Machines That Don’t Use Kerberos Authentication
If a Linux computer doesn’t use Kerberos for authentication, you are manually initializing a Kerberos ticket, and you want to SSH using GSSAPI (Kerberos) to get to workstation machines, you might want to add something like the following to your ~/.ssh/config file:
    HostbasedAuthentication no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password
This will specify that you want to try using GSSAPI authentication and delegation when SSHing to any other PSU computers.
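Options placed in ~/.ssh/config outside any Host block apply to every host you connect to, so the settings above also delegate your ticket to machines that are not Kerberos-protected. The following is an added example, not part of the original page, that limits GSSAPI delegation to a host pattern; the pattern *.example.edu is a placeholder assumption to be replaced with the domain of the machines you actually connect to.

```sshconfig
# Added example. "*.example.edu" is a placeholder pattern (an assumption);
# replace it with the domain of the Kerberos-protected machines.
# ssh_config uses the first value it finds for each option, so the
# specific Host block must come before the catch-all "Host *".

Host *.example.edu
    HostbasedAuthentication no
    GSSAPIAuthentication yes
    # Delegation is what lets the ticket "follow" you to the remote machine
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password

Host *
    # Do not hand a delegated ticket to hosts outside the pattern above
    GSSAPIDelegateCredentials no

# Check which values ssh resolves for a given host (option names print in lowercase):
#   ssh -G somehost.example.edu | grep -i gssapi
```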