1. Get a (sufficiently recent) kerberized ssh, e.g.
     env ACCEPT_KEYWORDS=kerberos openssh

2. Make sure there are no public keys for your client in
   .ssh/authorized_keys on the server (or otherwise disable SSH
   publickey authentication)

3. Put the following into your client's ~/.ssh/config

   Host norlx01.albanova.se
     # enable Krb5 over SSH-2
     GSSAPIAuthentication      yes
     GSSAPIDelegateCredentials yes

4. Get a ticket:
     kinit <user>@PHYSTO.SE -f

5. That's it:
     ssh norlx01.albanova.se