Bug 1867

Summary: add support for ~/.kusers ala ksu(1)
Product: Portable OpenSSH Reporter: Frank Cusack <frank+ssh>
Component: Kerberos supportAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: djm, fweimer
Priority: P2    
Version: 5.8p1   
Hardware: All   
OS: All   
Attachments:
Description Flags
kusers patch none

Description Frank Cusack 2011-02-24 13:20:40 AEDT 
This patch adds ~/.kusers support to openssh.  It exactly mimics ksu(1) functionality.  Most importantly, the ability to limit the set of commands a user can run.  This is similar to the forced commands available with authorized_keys.

*Forced* commands could have been implemented but I felt it was better to remain 100% identical to ksu(1) behavior.
Comment 1 Damien Miller 2011-05-06 11:02:25 AEST 
You forgot to attach the patch :)
Comment 2 Frank Cusack 2011-05-11 06:52:09 AEST 
Created attachment 2044 [details]
kusers patch
Comment 3 Florian Weimer 2014-12-05 06:01:40 AEDT 
We now consider the use of ~/.k5users in this patch a security vulnerability, and CVE-2014-9278 has been assigned to it:

  https://bugzilla.redhat.com/show_bug.cgi?id=1169843
  http://www.openwall.com/lists/oss-security/2014/12/04/17