Mostly it's based on this:
Unfortunately the CERN docs is slightly mis-leading so here to go. This guide should work on any Linux distribution as long as you're not running a fossil.
How-to
First, to obtain the Kerberos ticket:
kinit -f {your username}@CERN.CHthe capital CERN.CH is required, and the -f flag requests the ticket to be forwardable.[1] You can also use flags such as -l and -r to specify expiration and renew etc.
Then, verify that it works by:
klist -fyou should see something has a Flags: FIA. I assume F means forward. (you can get R{something} if you didn't run with the -f).
Then, edit your /etc/ssh/ssh_config or user-specific ~/.ssh/config and add rules for lxplus*:
HOST lxplus*
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yesThe CERN docs also says GSSAPITrustDns yes but that one is not available in unmodified OpenSSH even though it also appears in certain manual.
Because we could not have the GSSAPITrustDns, a specific node needs to be set:
ssh {username}@lxplus700.cern.chinstead of
ssh {username}@lxplus.cern.chAnd everything should work. If not, do ssh -v instead and look for what went wrong and consult the troubleshooting section on CERN docs.
Extras.
If you are on Debian-based Linux, it is already patched and you can use GSSAPITrustDns option, see here, if you're on Arch-based system, like I am, your best bet is use the ported patched OpenSSH, which is available on AUR. CERN doc:
Please don't refer to particular machines when connecting to the LXPLUS cluster, ...
[1] https://web.mit.edu/kerberos/krb5-1.12/doc/user/tkt_mgmt.html