diff --git a/changelog/unreleased/enhancement-eos-krb.md b/changelog/unreleased/enhancement-eos-krb.md
new file mode 100644
index 00000000000..85bb152da82
--- /dev/null
+++ b/changelog/unreleased/enhancement-eos-krb.md
@@ -0,0 +1,3 @@
+Enhancement: Streamline EOS SSS and UNIX modes
+
+https://github.com/cs3org/reva/pull/3713
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index b17bdc772ed..37db6f5028a 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -110,6 +110,9 @@ type Options struct {
 // SecProtocol is the comma separated list of security protocols used by xrootd.
 // For example: "sss, unix"
+ // DEPRECATED
+ // This variable is no longer used. Only sss and unix protocols are possible.
+ // If UseKeytab is set to true the protocol will be set to "sss", else to "unix"
 SecProtocol string
 // TokenExpiry stores in seconds the time after which generated tokens will expire
@@ -168,8 +171,11 @@ func (c *Client) executeXRDCopy(ctx context.Context, cmdArgs []string) (string,
 }
 if c.opt.UseKeytab {
- cmd.Env = append(cmd.Env, "XrdSecPROTOCOL="+c.opt.SecProtocol)
+ cmd.Env = append(cmd.Env, "XrdSecPROTOCOL=sss")
 cmd.Env = append(cmd.Env, "XrdSecSSSKT="+c.opt.Keytab)
+ } else { // we are a trusted gateway
+ cmd.Env = append(cmd.Env, "XrdSecPROTOCOL=unix")
+ cmd.Env = append(cmd.Env, "KRB5CCNAME=FILE:/dev/null") // do not try to use krb
 }
 err := cmd.Run()
@@ -225,8 +231,11 @@ func (c *Client) executeEOS(ctx context.Context, cmdArgs []string, auth eosclien
 }
 if c.opt.UseKeytab {
- cmd.Env = append(cmd.Env, "XrdSecPROTOCOL="+c.opt.SecProtocol)
+ cmd.Env = append(cmd.Env, "XrdSecPROTOCOL=sss")
 cmd.Env = append(cmd.Env, "XrdSecSSSKT="+c.opt.Keytab)
+ } else { // we are a trusted gateway
+ cmd.Env = append(cmd.Env, "XrdSecPROTOCOL=unix")
+ cmd.Env = append(cmd.Env, "KRB5CCNAME=FILE:/dev/null") // do not try to use krb
 }
 cmd.Args = append(cmd.Args, cmdArgs...)
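Review bot: The deprecation marker added to `SecProtocol` is written as `// DEPRECATED`, which Go tooling does not recognise; the convention is a separate comment paragraph that begins `// Deprecated:`. I would put an empty `//` line after the existing text and then `// Deprecated: no longer used; the protocol is "sss" when UseKeytab is true and "unix" otherwise.` The two retained lines above still describe the field as a comma-separated list that xrootd uses, which now contradicts the added lines and should be reworded. The Options struct starts and ends outside the hunk.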
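Review bot: The new `else` branch in executeXRDCopy (and the identical one in executeEOS, next hunk) makes `unix` the protocol for every client with UseKeytab false, and nothing on the new side tells an operator that a configured `SecProtocol` is now ignored. As far as I know xrootd's `unix` protocol carries no credential and the server takes the identity the client asserts, so the "trusted gateway" assumption only holds if the EOS side limits which hosts may use it. That deserves a fuller comment than the inline one, and ideally a warning where Options is validated when `SecProtocol` is set to something the effective mode does not match. Keeping the mode selection in one helper, as sketched below, would stop the two copies drifting apart. Both functions start and end outside their hunks.

```go
// secEnv returns the xrootd security environment for the configured mode:
// "sss" with the keytab when UseKeytab is set, otherwise "unix".
func (c *Client) secEnv() []string {
	if c.opt.UseKeytab {
		return []string{"XrdSecPROTOCOL=sss", "XrdSecSSSKT=" + c.opt.Keytab}
	}
	// unix sends no credential; the deployment must restrict which hosts
	// the EOS side accepts it from. KRB5CCNAME keeps the client off krb5.
	return []string{"XrdSecPROTOCOL=unix", "KRB5CCNAME=FILE:/dev/null"}
}

// … unchanged: command setup in executeXRDCopy and executeEOS …
cmd.Env = append(cmd.Env, c.secEnv()...)
```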