
The Theory


Kerberos 5 at the RCF

Kerberos 5 FAQ

MIT Kerberos 5


The basis of the RCF Single Sign-On infrastructure is the Kerberos Network Authentication Protocol. When you authenticate to a Kerberos server (KDC), you are given a Kerberos ticket-granting ticket, or TGT. The TGT can be thought of as a document stating that your identity has been verified. Combined with "Kerberos-aware" applications, it provides an environment in which you need to authenticate only once: services that require authentication automatically use your TGT. By design, the TGT has a limited lifetime (5 days from initial authentication at the RCF).

At the RCF, the SSH client and server have been modified to be Kerberos aware, allowing you to move between systems without a password. The SSH servers have been modified to accept a Kerberos 5 password for authentication and will automatically obtain a Kerberos TGT during the login process (if a Kerberos 5 password was used at the login prompt). In addition, the SSH servers have been modified to accept a Kerberos 5 TGT as a replacement for a password; this latter modification is what provides the ability to move between systems without typing a password.

In addition to being modified to be Kerberos aware, the login process at the RCF has been modified to automatically obtain an AFS token when you authenticate with Kerberos.
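Because every password-less hop depends on a TGT that is still valid, it helps to check the credential cache before a long session. The following Python is an added example, not part of the RCF documentation: it parses a constructed listing in the layout MIT `klist` prints and reports the TGT's remaining lifetime against the 5-day limit described above. The principal `alice`, the realm `EXAMPLE.ORG`, the host name and the MM/DD/YYYY date layout are assumptions.

```python
"""Added example: find the TGT in a klist listing and report its remaining lifetime."""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout MIT `klist` prints (dates as MM/DD/YYYY);
# the principal, host and realm EXAMPLE.ORG are placeholders, not RCF values.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
09/08/2003 09:00:00  09/13/2003 09:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
09/08/2003 09:05:12  09/13/2003 09:00:00  host/node1.example.org@EXAMPLE.ORG
"""

MAX_TGT_LIFETIME = timedelta(days=5)  # TGT lifetime stated on this page
FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)

def parse_tickets(klist_text):
    """Return [(start, expires, service_principal)] for each ticket line."""
    tickets = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append((datetime.strptime(m.group(1), FMT),
                            datetime.strptime(m.group(2), FMT), m.group(3)))
    return tickets

def tgt_status(klist_text, now):
    """Summarise the TGT: time remaining, expiry state, lifetime-policy check."""
    for start, expires, service in parse_tickets(klist_text):
        if service.startswith("krbtgt/"):  # the ticket-granting ticket
            return {
                "service": service,
                "remaining": max(expires - now, timedelta(0)),
                "expired": now >= expires,
                "within_policy": expires - start <= MAX_TGT_LIFETIME,
            }
    return None  # no TGT cached: services will fall back to a password prompt

if __name__ == "__main__":
    print(tgt_status(SAMPLE_KLIST, datetime(2003, 9, 12, 9, 0, 0)))
```

A `None` result or `expired: True` means the next SSH hop will ask for a password again until a fresh TGT is obtained.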



U.S. Department of Energy Brookhaven National Laboratory

Report problems or send comments to RCF Webmaster.
Maintained by Shigeki Misawa.
This document last modified Monday September 08, 2003

