(1) It won't allow a user whose home directory is in AFS to
authenticate using ssh keys, even if he has Kerberos
tickets to transfer.
You can fix this by setting "StrictModes no" in your sshd_config.
What bothers me is that you can't delegate credentials unless you have used
those credentials for login.