When using Kerberos as SSO protocol: If a user logs into his/her workstation there's a ticket-granting ticket (TGT) stored in the user's session (e.g. file). With this TGT the user can obtain service tickets for accessing other "kerberized" services, e.g. SSH servers.
This assumes that your security policy allows all systems to be accessed with a common account.
