http://wiki.gfdl.noaa.gov/index.php/Accounts_@_GFDL:_FAQ#CAC

Sep 13, 2016 (jrl rehash of items on Wiki)

o Remote access when host is CAC enforced must be the following:
     -> ssh First.Last@ssh.gfdl.noaa.gov (w/ RSA)
     -> ssh public1 (username/password)
     -> ssh workstation (no authentication required)

o Users cannot go from ssh directly to their workstation

o VNC does not work with CAC enforced workstations. The work around is to use
  VNC with public1 or public2, then terminal to your workstation as needed.

o CAC will not work with Mac yet. If you have a Mac at home, to connect
  remotely, you will use your RSA token until a Mac solution is put into place.

o If a user loses their CAC, will there some temporary means of granting access
  to GFDL computers until a replacement CAC can be generated. We will provide
  secondary credentials on a case by case basis. For the most part, this should
  not be a problem. For cases where the CAC is getting frequently forgotten or
  lost, there may be some sort of delay in credential issuance.