This patch adds ~/.kusers support to openssh. It exactly mimics ksu(1) functionality. Most importantly, the ability to limit the set of commands a user can run. This is similar to the forced commands available with authorized_keys. *Forced* commands could have been implemented but I felt it was better to remain 100% identical to ksu(1) behavior.
You forgot to attach the patch :)
Created attachment 2044 [details] kusers patch
We now consider the use of ~/.k5users in this patch a security vulnerability, and CVE-2014-9278 has been assigned to it: https://bugzilla.redhat.com/show_bug.cgi?id=1169843 http://www.openwall.com/lists/oss-security/2014/12/04/17