Hi Justin,
what you wish to accomplish can in fact be achieved through ssh localhost login.
Say you have the two users appl and dba.
Now appl needs to login to dba's account on the same host.
I will use these prompts to indicate each's login in the examples "[appl]$" and "[dba]$".
From root login do a "su - appl".
In case the SSH subdir ~appl/.ssh doesn't yet exist it's easiest to do a localhost login to dba and abort when asked for a password.
SSH will then automagically create .shh dir with correct mode bits and add the host key of localhost to the file .ssh/known_hosts
[appl]$ ssh dba@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 5d:2c:2d:b1:b2:7c:89:52:d6:53:ae:bd:cf:fd:0b:de.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
fiddle@localhost's password:
Abort at the password prompt with ^C for now.
Now you need to create a pair of keys for RSA
authentication that after creation will be stored in dba's SSH config.
[appl]$ ssh-keygen -t rsa -b 1024 -N "" -f ~/.ssh/id_rsa_dba_localhost
Generating public/private rsa key pair.
Your identification has been saved in /home/appl/.ssh/id_rsa_dba_localhost.
Your public key has been saved in /home/appl/.ssh/id_rsa_dba_localhost.pub.
The key fingerprint is:
35:f6:88:76:db:5f:0d:34:81:d5:1b:52:a7:7c:ae:3d appl@applshost.tld
Now exit to return back to root's login,
and do "su - dba".
As dba you also do a localhost login to appl to automatically have the .ssh subdir created shouldn't it yet exist.
[dba]$ ssh appl@localhost
Again abort when asked for password.
Now dba has to create the authorized_keys file shouldn't it yet exist.
[dba]$ ( umask 0022; touch ~/.ssh/authorized_keys )
Exit from dba to come back to root's login.
As root you now need to copy appl's newly generated public RSA key into dba's authorized_keys file.
# cat ~appl/.ssh/id_rsa_dba_localhost.pub >> ~dba/.ssh/authorized_keys
Voila, now appl should be able to login to dba@localhost without being asked for a password anymore.
As root do "su - appl", and try a first login to dba.
[appl]$ ssh -i ~/.ssh/id_rsa_dba_localhost dba@localhost
Because it is quite cumbersome to always having to type the identity key's path (followed after the -i switch) you can generate a file ~appl/.ssh/config and place there an entry for localhost logins of appl.
You have to assign the values for the "Host" and "IdentityFile" attributes accordingly.
See "man ssh_config" for details and format of the file as well as other numerous options.
Since your appl user now should be able to login to dba he as well can run any command as dba just the way you would do by the remsh command.
HTH
Madness, thy name is system administration
