I think Kerberos is the right solution for most, but for completeness sake, you can also use SSH with X.509 certs with gsissh (http://grid.ncsa.illinois.edu/ssh/).

X.509 certs are hell harder to manage, but they are safer (compared with ssh private keys), including a mandatory expiration date in each cert. In the end of the day, each user or service has to regenerate it's private key once per year. It's decouple the authentication/authorization problem. But you get some new issues as well...

But is the only one that follow a standard (Widget 1.0 Compliance - http://www.w3.org/TR/widgets/), if you consider this draft a standard.