(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tid) op: Equal rhs: {(DQ ('ssh with certificates'))} spids: [7] ) ] spids: [7] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/user_key) (Lit_Other '*')} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key1)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key2)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key1)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key2)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key3)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key4)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key5)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key1)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER)} {($ VSub_Name '$OBJ') (/user_key1)} ) (C {(fatal)} {(DQ ("couldn't sign user_key1 with user_ca_key1"))}) ] op_id: Op_DPipe ) (C {(mv)} {($ VSub_Name '$OBJ') (/user_key1-cert.pub)} {($ VSub_Name '$OBJ') (/cert_user_key1_1.pub)} ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key2)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER)} {($ VSub_Name '$OBJ') (/user_key1)} ) (C {(fatal)} {(DQ ("couldn't sign user_key1 with user_ca_key2"))}) ] op_id: Op_DPipe ) (C {(mv)} {($ VSub_Name '$OBJ') (/user_key1-cert.pub)} {($ VSub_Name '$OBJ') (/cert_user_key1_2.pub)} ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key1)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER)} {($ VSub_Name '$OBJ') (/user_key3)} ) (C {(fatal)} {(DQ ("couldn't sign user_key3 with user_ca_key1"))}) ] op_id: Op_DPipe ) (C {(rm)} {($ VSub_Name '$OBJ') (/user_key3.pub)}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key1)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER)} {($ VSub_Name '$OBJ') (/user_key4)} ) (C {(fatal)} {(DQ ("couldn't sign user_key4 with user_ca_key1"))}) ] op_id: Op_DPipe ) (C {(rm)} {($ VSub_Name '$OBJ') (/user_key4)} {($ VSub_Name '$OBJ') (/user_key4.pub)}) (C {(trace)} {(SQ <'try with identity files'>)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: {(DQ ('-F ') ($ VSub_Name '$OBJ') ('/ssh_proxy -oIdentitiesOnly=yes'))} spids: [466] ) ] spids: [466] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts2) op: Equal rhs: { (DQ ($ VSub_Name '$opts') (' -i ') ($ VSub_Name '$OBJ') ('/user_key1 -i ') ($ VSub_Name '$OBJ') (/user_key2) ) } spids: [473] ) ] spids: [473] ) (SimpleCommand words: [ {(echo)} { (DQ ('cert-authority ') (CommandSubPart command_list: (CommandList children: [(C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key1.pub)})] ) left_token: <Left_CommandSub '$('> spids: [487 492] ) ) } ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [495] ) ] ) (Pipeline children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/ssh_proxy)}) (SimpleCommand words: [{(grep)} {(-v)} {(IdentityFile)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/no_identity_config)} spids: [518] ) ] ) ] negated: False ) (ForEach iter_name: p iter_words: [{(${ VSub_Name SSH_PROTOCOLS)}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': identity cert with no plain public file'))} ) (C {(${ VSub_Name SSH)} {(-F)} {($ VSub_Name '$OBJ') (/no_identity_config)} {(-oIdentitiesOnly) (Lit_Other '=') (yes)} {(-i)} {($ VSub_Name '$OBJ') (/user_key3)} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (AndOr children: [ (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) (C {(fail)} {(DQ ('ssh failed'))}) ] op_id: Op_DAmp ) (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': CertificateFile with no plain public file'))} ) (C {(${ VSub_Name SSH)} {(-F)} {($ VSub_Name '$OBJ') (/no_identity_config)} {(-oIdentitiesOnly) (Lit_Other '=') (yes)} {(-oCertificateFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/user_key3-cert.pub)} {(-i)} {($ VSub_Name '$OBJ') (/user_key3)} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (AndOr children: [ (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) (C {(fail)} {(DQ ('ssh failed'))}) ] op_id: Op_DAmp ) (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': plain keys'))}) (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts2')} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:r) op: Equal rhs: {($ VSub_QMark '$?')} spids: [703] ) ] spids: [703] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$r')} {(-eq)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh succeeded with no certs in protocol ') ($ VSub_Name '$p'))}) ] spids: [-1 721] ) ] spids: [-1 732] ) (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': untrusted cert'))}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts3) op: Equal rhs: { (DQ ($ VSub_Name '$opts2') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_2.pub) ) } spids: [749] ) ] spids: [749] ) (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts3')} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:r) op: Equal rhs: {($ VSub_QMark '$?')} spids: [772] ) ] spids: [772] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$r')} {(-eq)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh succeeded with bad cert in protocol ') ($ VSub_Name '$p'))}) ] spids: [-1 790] ) ] spids: [-1 801] ) (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': good cert, bad key'))}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts3) op: Equal rhs: {(DQ ($ VSub_Name '$opts') (' -i ') ($ VSub_Name '$OBJ') (/user_key2))} spids: [818] ) ] spids: [818] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts3) op: Equal rhs: { (DQ ($ VSub_Name '$opts3') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_1.pub) ) } spids: [827] ) ] spids: [827] ) (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts3')} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:r) op: Equal rhs: {($ VSub_QMark '$?')} spids: [850] ) ] spids: [850] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$r')} {(-eq)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh succeeded with no matching key in protocol ') ($ VSub_Name '$p'))} ) ] spids: [-1 868] ) ] spids: [-1 879] ) (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': single trusted'))}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts3) op: Equal rhs: { (DQ ($ VSub_Name '$opts2') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_1.pub) ) } spids: [896] ) ] spids: [896] ) (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts3')} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:r) op: Equal rhs: {($ VSub_QMark '$?')} spids: [919] ) ] spids: [919] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$r')} {(-ne)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh failed with trusted cert and key in protocol ') ($ VSub_Name '$p'))} ) ] spids: [-1 937] ) ] spids: [-1 948] ) (C {(verbose)} {(DQ ('protocol ') ($ VSub_Name '$p') (': multiple trusted'))}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts3) op: Equal rhs: { (DQ ($ VSub_Name '$opts2') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_2.pub) ) } spids: [965] ) ] spids: [965] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts3) op: Equal rhs: { (DQ ($ VSub_Name '$opts3') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_1.pub) ) } spids: [974] ) ] spids: [974] ) (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts3')} {(somehost)} {(exit)} {(5) ($ VSub_Name '$p')} ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:r) op: Equal rhs: {($ VSub_QMark '$?')} spids: [997] ) ] spids: [997] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$r')} {(-ne)} {(5) ($ VSub_Name '$p')} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh failed with multiple certs in protocol ') ($ VSub_Name '$p'))} ) ] spids: [-1 1015] ) ] spids: [-1 1026] ) ] spids: [542 1028] ) spids: [536 540] ) (SimpleCommand words: [{(${ VSub_Name SSHADD)} {(-l)}] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[1043]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[1047]) ] more_env: [(env_pair name:SSH_AUTH_SOCK val:{(/nonexistent)} spids:[1034])] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(2)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fatal)} {(DQ ('ssh-add -l did not fail with exit code 2'))})] spids: [-1 1063] ) ] spids: [-1 1072] ) (C {(trace)} {(DQ ('start agent'))}) (SimpleCommand words: [ {(eval)} { (CommandSubPart command_list: (CommandList children:[(C {(${ VSub_Name SSHAGENT)} {(-s)})]) left_token: <Left_Backtick '`'> spids: [1083 1089] ) } ] redirects: [(Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[1091])] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:r) op:Equal rhs:{($ VSub_QMark '$?')} spids:[1095])] spids: [1095] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$r')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fatal)} {(DQ ('could not start ssh-agent: exit code ') ($ VSub_Name '$r'))})] spids: [-1 1111] ) ] spids: [-1 1121] ) (SimpleCommand words: [{(${ VSub_Name SSHADD)} {(-k)} {($ VSub_Name '$OBJ') (/user_key2)}] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[1136]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[1140]) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fatal)} {(DQ ('ssh-add did not succeed with exit code 0'))})] spids: [-1 1156] ) ] spids: [-1 1165] ) (SimpleCommand words: [{(${ VSub_Name SSHADD)} {(-k)} {($ VSub_Name '$OBJ') (/user_key1)}] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[1176]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[1180]) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fatal)} {(DQ ('ssh-add did not succeed with exit code 0'))})] spids: [-1 1196] ) ] spids: [-1 1205] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: {(DQ ('-F ') ($ VSub_Name '$OBJ') (/ssh_proxy))} spids: [1214] ) ] spids: [1214] ) (C {(${ VSub_Name SSH)} {(-2)} {($ VSub_Name '$opts')} {(somehost)} {(exit)} {(52)}) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(52)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh connect with agent in protocol 2 succeeded with no cert'))})] spids: [-1 1251] ) ] spids: [-1 1260] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: { (DQ ($ VSub_Name '$opts') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_2.pub) ) } spids: [1266] ) ] spids: [1266] ) (C {(${ VSub_Name SSH)} {(-2)} {($ VSub_Name '$opts')} {(somehost)} {(exit)} {(52)}) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(52)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh connect with agent in protocol 2 succeeded with bad cert'))})] spids: [-1 1301] ) ] spids: [-1 1310] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: { (DQ ($ VSub_Name '$opts') (' -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key1_1.pub) ) } spids: [1316] ) ] spids: [1316] ) (C {(${ VSub_Name SSH)} {(-2)} {($ VSub_Name '$opts')} {(somehost)} {(exit)} {(52)}) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(52)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh connect with agent in protocol 2 failed with good cert'))})] spids: [-1 1351] ) ] spids: [-1 1360] ) (C {(trace)} {(DQ ('kill agent'))}) (SimpleCommand words: [{(${ VSub_Name SSHAGENT)} {(-k)}] redirects: [(Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[1375])] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/user_key) (Lit_Other '*')} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')}) ] )