OpenSSH + gssapi + kerberos + afs happy dance, on NetBSD 3.0 RC6

Server:

  • Put appropriate krb5.conf and krb5.keytab in place.
  • Make your account directory information appear on this machine (I use hesiod).
  • Make some sort of home directory (I use afs and amd to do this).
  • Set these options in /etc/ssh/sshd_config:
    KerberosAuthentication yes
    KerberosGetAFSToken yes
    GSSAPIAuthentication yes
    UsePam no
  • Install heimdal from pkgsrc
  • Add the following to /etc/ssh/sshrc:
    /usr/pkg/bin/afslog -c nameofyourlocalcell
    

Log in with an appropriately smart ssh client where you have forwardable kerberos credentials. "Appropriately smart" means "understands gssapi-with-mic and actually tries to do it" --- see the previous entry for details on that. See the client configurations listed here. The afslog in sshrc allows you to get afs tokens when you log in via gssapi-with-mic --- the forwarded kerberos credentials are just plopped down, and aren't used to automatically get afs tokens.

Neatly, I noticed that console logins Just Work. Spiffy.
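
A check for the server-side settings listed above, written as an added example that is not part of the original post; the function names and the sample config inside demo are constructed for illustration. It reads sshd_config the way sshd does (case-insensitive keywords, first occurrence wins) and looks for an uncommented afslog line in sshrc.

```sh
# Added example (not from the original post): audit a server for the
# sshd_config and sshrc settings listed above.

# Print the effective global value of keyword $1 in sshd_config file $2.
# sshd keywords are case-insensitive and the first occurrence wins; parsing
# stops at the first Match block, whose settings only apply conditionally.
sshd_effective() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); exit }
    ' "$2"
}

# Print one line per setting that differs from the post (an unset keyword
# is reported rather than assumed); return 0 when all four match.
check_gssapi_afs() {
    rc=0
    for pair in KerberosAuthentication=yes KerberosGetAFSToken=yes \
                GSSAPIAuthentication=yes UsePAM=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found ${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# True when the sshrc file $1 contains an uncommented afslog invocation.
sshrc_has_afslog() {
    grep -Eq '^[[:space:]]*[^#[:space:]]*afslog([[:space:]]|$)' "$1"
}

# Constructed sample: a later "yes" does not override the first "no".
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'kerberosauthentication yes' \
        'KerberosGetAFSToken yes' 'GSSAPIAuthentication no' \
        'GSSAPIAuthentication yes' 'UsePam no' > "$tmp"
    check_gssapi_afs "$tmp"; status=$?
    rm -f "$tmp"
    return $status
}

demo || echo "sample config differs from the settings in the post"
```

On a real server, call check_gssapi_afs /etc/ssh/sshd_config and sshrc_has_afslog /etc/ssh/sshrc after editing the files and before restarting sshd.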