Machines that are configured to use Kerberos for authentication are also configured to use kerberos authentication (GSS API) and delegation for outgoing SSH connections to other MCECS machines by default. This means that if you are physically logged into a workstation machine and you SSH to another computer you won’t have to enter your password again and your kerberos ticket will “follow” you to the computer you SSH’d into.

Key-based authentication to machines that use Kerberos for authentication and for protecting NFS traffic either won’t work at all,or will work in unreliable and unpredictable ways. This is because your SSH public key resides in your home directory which is not available until you have a valid Kerberos ticket. It’s best to assume that it won’t work at all and use GSS API authentication to get authenticate to workstations and other Kerberos protected computers.

If a Linux computer doesn’t use Kerberos for authentication, and you are manually initializing a Kerberos ticket, and you want to ssh using GSSAPI (Kerberos) to get to workstation machines you might want to add something like the following to your ~/.ssh/config file:

Host *.pdx.edu

HostbasedAuthentication no

GSSAPIAuthentication yes

GSSAPIDelegateCredentials yes

PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password

This will specify that you want to try using GSSAPI authentication and delegation when SSHing to any other PSU computers.