restricting principals to certain commands only (like ssh's "forced command")

[Mikhail T.]

Hello!

We are using Kerberos throughout, but one feature of ssh 
"authorized_keys" feels missing...

We'd like to be able to limit principles to only be able to execute 
certain commands.

It would seem, that the ~/.k5users file allows that, but that is only 
consulted by ksu(1).

How can I allow a certain key to login as myself, but only to execute a 
particular command -- not complete shell? Thanks! Yours,

    -mi