.k5login and non-kerberized ssh client

Ryan Boyd rbisd at rit.edu
Mon Apr 24 21:13:25 EDT 2006


Problem:
I have a need for users to use their individual accounts to maintain websites owned by another account and I'm exploring different options to handle this.  
For example, a website owned by 'wsowner' needs to be accessed by users 'user1','user2','user3' and more over non-kerberized SSH and SFTP clients.


Possible solution 1:
I have tried using a .k5login file in wsowner's home directory and allowing access to 'user1 at DOMAIN.TLD','user2 at DOMAIN.TLD' and 'user3 at DOMAIN.TLD'.  'user1' can login over an ssh connection with a ssh.com ssh server and, from what I can tell, sshd acquires a kerberos ticket on behalf of the user.  'user1' can then, over a ssh.com ssh session, ksu to 'wsowner'.  I also presume that a user logged in as 'user1 at DOMAIN.TLD' could connect via a kerberized ssh or sftp client and access the 'wsowner' account directly.

However, I would like some way for a non-kerberized ssh/sftp client to login directly as 'wsowner' using the credentials of, for example, 'user1 at DOMAIN.TLD'.  Is this at all possible?


Possible solution 2:
Create users 'wsowner'-'user1' in the /etc/passwd file with the same UID of 'wsowner'.  Map the user to the password for 'user1' somehow via kerberos (using auth_to_local, auth_to_local_names ?)


Has anyone had any experience in solving a similar problem?  Any suggestions?

Thanks,
-Ryan
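As an added illustration of the two configurations the post describes (not part of the original message), below are the two files involved: the .k5login in wsowner's home directory for solution 1, and a krb5.conf auth_to_local rule for solution 2 that maps the principal 'user1 at DOMAIN.TLD' to the shared-UID local account 'wsowner-user1'. The realm name DOMAIN.TLD and the account names are taken from the post; the `# file:` lines are labels for this listing and are not contents of either file (.k5login has no comment syntax, every line in it is read as a principal).

```ini
# file: /home/wsowner/.k5login
# One principal per line. Each listed principal may obtain a session as
# 'wsowner' (via kerberized ssh/sftp, or ksu) after authenticating as itself.
# Access granted here applies only to Kerberos-authenticated logins; a client
# that authenticates with a password as 'wsowner' is not covered by this file.
user1@DOMAIN.TLD
user2@DOMAIN.TLD
user3@DOMAIN.TLD

# file: /etc/krb5.conf (fragment)
# auth_to_local rules are consulted when a Kerberos principal is translated to
# a local account name. [1:$1@$0] formats a one-component principal as
# "user@REALM"; the parenthesised regexp must match that string; the s///
# substitution then produces the local user name. Rules are tried in order and
# the first match wins, so the DEFAULT rule (strip the realm) stays last.
[realms]
    DOMAIN.TLD = {
        auth_to_local = RULE:[1:$1@$0](^user1@DOMAIN\.TLD$)s/.*/wsowner-user1/
        auth_to_local = RULE:[1:$1@$0](^user2@DOMAIN\.TLD$)s/.*/wsowner-user2/
        auth_to_local = RULE:[1:$1@$0](^user3@DOMAIN\.TLD$)s/.*/wsowner-user3/
        auth_to_local = DEFAULT
    }
```

Note that the auth_to_local mapping only takes effect once a Kerberos principal has been authenticated (GSSAPI login, ksu, or a PAM module that obtains a ticket), so on its own it does not let a non-kerberized, password-only client log in as the shared account; it decides which local name an authenticated principal lands on. With shared-UID accounts, the audit trail is the principal recorded at authentication time, not the UID, so the mapped names should be kept distinct per person as in the rules above.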