Of course you can set up your ssh directory so that your public keys are world readable, but I thought the question was how to get afs tokens on the server side. Did I misunderstand? The proposed solution of passing afs tokens before ssh authentication is obviously a bad idea.