Mostly it's based on this:

Unfortunately the CERN docs are slightly misleading, so here we go. This guide should work on any Linux distribution as long as you're not running a fossil.


First, to obtain the Kerberos ticket:

kinit -f {your username}@CERN.CH

The capitalized CERN.CH is required, and the -f flag requests a forwardable ticket.[1] You can also use flags such as -l and -r to specify expiration, renewal and so on.

Then, verify that it works by:

klist -f

You should see something that has Flags: FIA. I assume F means forward. (You can get R{something} if you didn't run with -f.)

Then, edit your /etc/ssh/ssh_config or user-specific ~/.ssh/config and add rules for lxplus*:

Host lxplus*
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

The CERN docs also say GSSAPITrustDns yes, but that option is not available in unmodified OpenSSH, even though it appears in certain manuals.

Because GSSAPITrustDns is not available, a specific node needs to be given:

ssh {username}

instead of

ssh {username}

And everything should work. If not, run ssh -v instead, look for what went wrong, and consult the troubleshooting section of the CERN docs.

Debian-based distributions

If you are on a Debian-based distribution, OpenSSH is already patched and you can use the GSSAPITrustDns yes option in ~/.ssh/config. This allows you to ssh {username} and let DNS point you to a specific node for load balancing.

See this patch,

Arch-based distributions

If you're on an Arch-based system, to get the equivalent of GSSAPITrustDns yes you need to edit the Kerberos options; see this StackExchange post.

You want to edit /etc/krb5.conf to include:

    rdns = false
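
The checks this guide does by eye (the F flag in klist -f, the GSSAPI options that apply to a host, and rdns = false), written out as an added shell example that is not part of the original guide. It assumes MIT-style klist output and an OpenSSH client that supports ssh -G; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: each check reads command output or file content on stdin.

# True if the krbtgt entry in `klist -f` output (MIT layout assumed) has the
# F (forwardable) flag that `kinit -f` requests.
tgt_is_forwardable() {
    awk '/^[^ \t]/ { in_tgt = ($0 ~ /krbtgt\//); next }
         in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, "")
                              if (index($0, "F")) found = 1 }
         END { exit !found }'
}

# True if `ssh -G <host>` output (the effective client config) enables both
# GSSAPI authentication and credential delegation for that host.
gssapi_delegation_enabled() {
    awk 'tolower($1) == "gssapiauthentication"      { auth = tolower($2) }
         tolower($1) == "gssapidelegatecredentials" { deleg = tolower($2) }
         END { exit !(auth == "yes" && deleg == "yes") }'
}

# True if krb5.conf content has an "rdns = false" line inside [libdefaults].
rdns_disabled() {
    awk '/^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         in_lib && /^[ \t]*rdns[ \t]*=/ { v = tolower($0)
                                          sub(/^[^=]*=[ \t]*/, "", v)
                                          sub(/[ \t]+$/, "", v)
                                          if (v == "false") off = 1 }
         END { exit !off }'
}

# Constructed sample inputs (not captured from a real session).
SAMPLE_KLIST='Default principal: alice@CERN.CH

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/02/24 11:00:00  krbtgt/CERN.CH@CERN.CH
        Flags: FIA'
SAMPLE_SSH_G='gssapiauthentication yes
gssapidelegatecredentials yes'
SAMPLE_KRB5='[libdefaults]
    default_realm = CERN.CH
    rdns = false'

# Live use: klist -f | tgt_is_forwardable
#           ssh -G <host> | gssapi_delegation_enabled
#           rdns_disabled < /etc/krb5.conf
printf '%s\n' "$SAMPLE_KLIST" | tgt_is_forwardable && echo "TGT is forwardable"
printf '%s\n' "$SAMPLE_SSH_G" | gssapi_delegation_enabled && echo "delegation on"
printf '%s\n' "$SAMPLE_KRB5" | rdns_disabled && echo "rdns disabled"
```

Run the ssh -G check against a host outside the lxplus* pattern as well: it should fail there, because GSSAPIDelegateCredentials hands the remote host a usable copy of your ticket and should apply only to the hosts you intend.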