By default, Reflection forwards your Kerberos Ticket Granting Ticket (TGT) to the host after authentication.
You can disable ticket forwarding using any of the following techniques.
Edit the Secure Shell configuration file. Use one or both of the following lines, depending on which protocol(s) you use. The first line disables ticket forwarding for protocol version 1; the second for protocol version 2.
KerberosTgtPassing no GssapiDelegateCredentials no
To disable ticket forwarding for realms used by your principal profile, use the Kerberos Manager (if it is available on your system). While these changes affect Secure Shell sessions that are configured to use Reflection Kerberos, they do not affect sessions configured to use SSPI. Changes you make with the Kerberos Manager are ignored if you have configured ticket forwarding using either of the preceding techniques.