Bug 1867 - add support for ~/.kusers ala ksu(1)
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 5.8p1
Hardware: All All
Importance: P2 enhancement
Assignee: Assigned to nobody
Reported: 2011-02-24 13:20 AEDT by Frank Cusack
Modified: 2014-12-05 06:01 AEDT

Attachments
kusers patch (9.42 KB, patch)
2011-05-11 06:52 AEST, Frank Cusack

Description Frank Cusack 2011-02-24 13:20:40 AEDT
This patch adds ~/.kusers support to OpenSSH.  It exactly mimics ksu(1) functionality, most importantly the ability to limit the set of commands a user can run.  This is similar to the forced commands available with authorized_keys.

*Forced* commands could have been implemented but I felt it was better to remain 100% identical to ksu(1) behavior.
Comment 1 Damien Miller 2011-05-06 11:02:25 AEST
You forgot to attach the patch :)
Comment 2 Frank Cusack 2011-05-11 06:52:09 AEST
Created attachment 2044
kusers patch
Comment 3 Florian Weimer 2014-12-05 06:01:40 AEDT
We now consider the use of ~/.k5users in this patch a security vulnerability, and CVE-2014-9278 has been assigned to it:

  https://bugzilla.redhat.com/show_bug.cgi?id=1169843
  http://www.openwall.com/lists/oss-security/2014/12/04/17