(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tid) op: Equal rhs: {(DQ ('certified host keys'))} spids: [7] ) ] spids: [7] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/known_hosts-cert) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/host_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/host_revoked_) (Lit_Other '*')} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/cert_host_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/host_krl_) (Lit_Other '*')} ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:types) op:Equal rhs:{(DQ )} spids:[45])] spids: [45] ) (ForEach iter_name: i iter_words: [ { (CommandSubPart command_list: (CommandList children:[(C {($ VSub_Name '$SSH')} {(-Q)} {(key)})]) left_token: <Left_Backtick '`'> spids: [55 61] ) } ] do_arg_iter: False body: (DoGroup children: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(-z)} {(DQ ($ VSub_Name '$types'))} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:types) op: Equal rhs: {(DQ ($ VSub_Name '$i'))} spids: [83] ) ] spids: [83] ) (ControlFlow token:<ControlFlow_Continue continue>) ] spids: [-1 80] ) ] spids: [-1 92] ) (Case to_match: {(DQ ($ VSub_Name '$i'))} arms: [ (case_arm pat_list: [{(Lit_Other '*') (cert) (Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:types) op: Equal rhs: {(DQ ($ VSub_Name '$i') (',') ($ VSub_Name '$types'))} spids: [109] ) ] spids: [109] ) ] spids: [104 107 115 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:types) op: Equal rhs: {(DQ ($ VSub_Name '$types') (',') ($ VSub_Name '$i'))} spids: [121] ) ] spids: [121] ) ] spids: [118 119 127 -1] ) ] spids: [95 101 130] ) ] spids: [64 132] ) spids: [54 62] ) (Subshell child: (CommandList children: [ (C {(echo)} {(DQ ('HostKeyAlgorithms ') (${ VSub_Name types))}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes *'))}) ] ) redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [155] ) ] spids: [134 153] ) (C {(cp)} {($ VSub_Name '$OBJ') (/sshd_proxy)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (Subshell child: (CommandList children: [ (C {(echo)} {(DQ ('HostKeyAlgorithms *'))}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes *'))}) ] ) redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy_bak)} spids: [186] ) ] spids: [168 184] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:HOSTS) op: Equal rhs: {(SQ <'localhost-with-alias,127.0.0.1,::1'>)} spids: [192] ) ] spids: [192] ) (FuncDef name: kh_ca body: (BraceGroup children: [ (ForEach iter_name: k iter_words: [{(DQ ($ VSub_At '$@'))}] do_arg_iter: False body: (DoGroup children: [ (C {(printf)} {(DQ ('@cert-authority ') ($ VSub_Name '$HOSTS') (' '))}) (AndOr children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/) ($ VSub_Name '$k')}) (C {(fatal)} {(DQ ("couldn't cat ") ($ VSub_Name '$k'))}) ] op_id: Op_DPipe ) ] spids: [217 245] ) spids: [210 215] ) ] spids: [202] ) spids: [198 201] ) (FuncDef name: kh_revoke body: (BraceGroup children: [ (ForEach iter_name: k iter_words: [{(DQ ($ VSub_At '$@'))}] do_arg_iter: False body: (DoGroup children: [ (C {(printf)} {(DQ ('@revoked * '))}) (AndOr children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/) ($ VSub_Name '$k')}) (C {(fatal)} {(DQ ("couldn't cat ") ($ VSub_Name '$k'))}) ] op_id: Op_DPipe ) ] spids: [268 294] ) spids: [261 266] ) ] spids: [253] ) spids: [249 252] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/host_ca_key)} ) (C {(fail)} {(DQ ('ssh-keygen of host_ca_key failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(rsa)} {(-f)} {($ VSub_Name '$OBJ') (/host_ca_key2)} ) (C {(fail)} {(DQ ('ssh-keygen of host_ca_key failed'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(kh_ca)} {(host_ca_key.pub)} {(host_ca_key2.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [370] ) ] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)}) (C {(touch)} {($ VSub_Name '$OBJ') (/host_revoked_empty)}) (C {(touch)} {($ VSub_Name '$OBJ') (/host_revoked_plain)}) (C {(touch)} {($ VSub_Name '$OBJ') (/host_revoked_cert)}) (SimpleCommand words: [ {(cat)} {($ VSub_Name '$OBJ') (/host_ca_key.pub)} {($ VSub_Name '$OBJ') (/host_ca_key2.pub)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/host_revoked_ca)} spids: [410] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:PLAIN_TYPES) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {($ VSub_Name '$SSH')} {(-Q)} {(key-plain)}) (C {(sed)} {(SQ <'s/^ssh-dss/ssh-dsa/g;s/^ssh-//'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [417 431] ) } spids: [416] ) ] spids: [416] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(echo)} {(DQ ($ VSub_Name '$PLAIN_TYPES'))}) (SimpleCommand words: [{(grep)} {(SQ <'^rsa$'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [450] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [453] ) ] ) ] negated: False ) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:PLAIN_TYPES) op: Equal rhs: {(DQ ($ VSub_Name '$PLAIN_TYPES') (' rsa-sha2-256 rsa-sha2-512'))} spids: [461] ) ] spids: [461] ) ] spids: [-1 458] ) ] spids: [-1 467] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-kf)} {($ VSub_Name '$OBJ') (/host_krl_empty)}) (C {(fatal)} {(DQ ('KRL init failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-kf)} {($ VSub_Name '$OBJ') (/host_krl_plain)}) (C {(fatal)} {(DQ ('KRL init failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-kf)} {($ VSub_Name '$OBJ') (/host_krl_cert)}) (C {(fatal)} {(DQ ('KRL init failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-kf)} {($ VSub_Name '$OBJ') (/host_krl_ca)} {($ VSub_Name '$OBJ') (/host_ca_key.pub)} {($ VSub_Name '$OBJ') (/host_ca_key2.pub)} ) (C {(fatal)} {(DQ ('KRL init failed'))}) ] op_id: Op_DPipe ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:serial) op:Equal rhs:{(1)} spids:[553])] spids: [553] ) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': sign host ') (${ VSub_Name ktype) (' cert'))}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(${ VSub_Name ktype)} {(-f)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(fatal)} {(DQ ('ssh-keygen of cert_host_key_') (${ VSub_Name ktype) (' failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-ukf)} {($ VSub_Name '$OBJ') (/host_krl_plain)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (.pub)} ) (C {(fatal)} {(DQ ('KRL update failed'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (.pub)}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/host_revoked_plain)} spids: [663] ) ] ) (Case to_match: {($ VSub_Name '$ktype')} arms: [ (case_arm pat_list: [{(rsa-sha2-) (Lit_Other '*')}] action: [ (Sentence child: (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ ('-t ') ($ VSub_Name '$ktype'))} spids: [680] ) ] spids: [680] ) terminator: <Op_Semi ';'> ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ca) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/host_ca_key2))} spids: [687] ) ] spids: [687] ) ] spids: [676 678 693 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Sentence child: (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ )} spids: [699] ) ] spids: [699] ) terminator: <Op_Semi ';'> ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ca) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/host_ca_key))} spids: [704] ) ] spids: [704] ) ] spids: [696 697 710 -1] ) ] spids: [669 673 713] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-h)} {(-q)} {(-s)} {($ VSub_Name '$ca')} {(-z)} {($ VSub_Name '$serial')} {($ VSub_Name '$tflag')} {(-I)} {(DQ ('regress host key for ') ($ VSub_Name '$USER'))} {(-n)} {($ VSub_Name '$HOSTS')} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(fatal)} {(DQ ("couldn't sign cert_host_key_") (${ VSub_Name ktype))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-ukf)} {($ VSub_Name '$OBJ') (/host_krl_cert)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (-cert.pub)} ) (C {(fatal)} {(DQ ('KRL update failed'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (-cert.pub)}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/host_revoked_cert)} spids: [806] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:serial) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [(C {(expr)} {($ VSub_Name '$serial')} {(Lit_Other '+')} {(1)})] ) left_token: <Left_Backtick '`'> spids: [813 821] ) } spids: [812] ) ] spids: [812] ) ] spids: [566 823] ) spids: [561 564] ) (FuncDef name: attempt_connect body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_ident) op: Equal rhs: {(DQ ($ VSub_Number '$1'))} spids: [833] ) ] spids: [833] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_expect_success) op: Equal rhs: {(DQ ($ VSub_Number '$2'))} spids: [839] ) ] spids: [839] ) (Sentence child:(C {(shift)}) terminator:<Op_Semi ';'>) (C {(shift)}) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') ($ VSub_Name '$_ident') (' expect success ') ($ VSub_Name '$_expect_success') ) } ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)} ) (C {(${ VSub_Name SSH)} {(-2)} {(-oUserKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-oGlobalKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(DQ ($ VSub_At '$@'))} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_r) op: Equal rhs: {($ VSub_QMark '$?')} spids: [905] ) ] spids: [905] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(DQ (x) ($ VSub_Name '$_expect_success'))} {(Lit_Other '=')} {(DQ (xyes))} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$_r')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh cert connect ') ($ VSub_Name '$_ident') (' failed'))}) ] spids: [-1 944] ) ] spids: [-1 956] ) ] spids: [-1 928] ) ] else_action: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$_r')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} { (DQ ('ssh cert connect ') ($ VSub_Name '$_ident') (' succeeded unexpectedly') ) } ) ] spids: [-1 975] ) ] spids: [-1 987] ) ] spids: [959 990] ) ] spids: [830] ) spids: [826 829] ) (ForEach iter_name: privsep iter_words: [{(yes)} {(no)}] do_arg_iter: False body: (DoGroup children: [ (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': host ') (${ VSub_Name ktype) (' cert connect privsep ') ($ VSub_Name '$privsep') ) } ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(echo)} {(HostCertificate)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (-cert.pub)} ) (C {(echo)} {(UsePrivilegeSeparation)} {($ VSub_Name '$privsep')}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1080] ) ] spids: [1039 1078] ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' basic connect'))} {(DQ (yes))}) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' empty KRL'))} {(DQ (yes))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_krl_empty)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' KRL w/ plain key revoked'))} {(DQ (no))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_krl_plain)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' KRL w/ cert revoked'))} {(DQ (no))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_krl_cert)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' KRL w/ CA revoked'))} {(DQ (no))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_krl_ca)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' empty plaintext revocation'))} {(DQ (yes))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_revoked_empty)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' plain key plaintext revocation'))} {(DQ (no))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_revoked_plain)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' cert plaintext revocation'))} {(DQ (no))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_revoked_cert)} ) (C {(attempt_connect)} {(DQ ($ VSub_Name '$ktype') (' CA plaintext revocation'))} {(DQ (no))} {(-oRevokedHostKeys) (Lit_Other '=') ($ VSub_Name '$OBJ') (/host_revoked_ca)} ) ] spids: [1023 1255] ) spids: [1018 1021] ) ] spids: [1010 1257] ) spids: [1003 1008] ) (SimpleCommand words: [{(kh_ca)} {(host_ca_key.pub)} {(host_ca_key2.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [1269] ) ] ) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (AndOr children: [ (C {(test)} {(-f)} {(DQ ($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (.pub))} ) (C {(fatal)} {(DQ ('no pubkey'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(kh_revoke)} {(cert_host_key_) (${ VSub_Name ktype) (.pub)}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [1317] ) ] ) ] spids: [1284 1322] ) spids: [1279 1282] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)}) (ForEach iter_name: privsep iter_words: [{(yes)} {(no)}] do_arg_iter: False body: (DoGroup children: [ (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': host ') (${ VSub_Name ktype) (' revoked cert privsep ') ($ VSub_Name '$privsep') ) } ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(echo)} {(HostCertificate)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (-cert.pub)} ) (C {(echo)} {(UsePrivilegeSeparation)} {($ VSub_Name '$privsep')}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1414] ) ] spids: [1373 1412] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2)} {(-oUserKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert) } {(-oGlobalKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert) } {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1459] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1462] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 1479] ) ] spids: [-1 1489] ) ] spids: [1357 1492] ) spids: [1352 1355] ) ] spids: [1344 1494] ) spids: [1337 1342] ) (SimpleCommand words: [{(kh_ca)} {(host_ca_key.pub)} {(host_ca_key2.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [1506] ) ] ) (SimpleCommand words: [{(kh_revoke)} {(host_ca_key.pub)} {(host_ca_key2.pub)}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [1517] ) ] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)}) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': host ') (${ VSub_Name ktype) (' revoked cert'))} ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(echo)} {(HostCertificate)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (-cert.pub)} ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1589] ) ] spids: [1555 1587] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2)} {(-oUserKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-oGlobalKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[1633]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[1636]) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 1653] ) ] spids: [-1 1663] ) ] spids: [1540 1665] ) spids: [1535 1538] ) (SimpleCommand words: [{(kh_ca)} {(host_ca_key.pub)} {(host_ca_key2.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [1677] ) ] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)}) (FuncDef name: test_one body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ident) op: Equal rhs: {($ VSub_Number '$1')} spids: [1698] ) ] spids: [1698] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:result) op: Equal rhs: {($ VSub_Number '$2')} spids: [1702] ) ] spids: [1702] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:sign_opts) op: Equal rhs: {($ VSub_Number '$3')} spids: [1706] ) ] spids: [1706] ) (ForEach iter_name: kt iter_words: [{(rsa)} {(ed25519)}] do_arg_iter: False body: (DoGroup children: [ (Case to_match: {($ VSub_Name '$ktype')} arms: [ (case_arm pat_list: [{(rsa-sha2-) (Lit_Other '*')}] action: [ (Sentence child: (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ ('-t ') ($ VSub_Name '$ktype'))} spids: [1737] ) ] spids: [1737] ) terminator: <Op_Semi ';'> ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ca) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/host_ca_key2))} spids: [1744] ) ] spids: [1744] ) ] spids: [1733 1735 1750 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Sentence child: (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ )} spids: [1756] ) ] spids: [1756] ) terminator: <Op_Semi ';'> ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ca) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/host_ca_key))} spids: [1761] ) ] spids: [1761] ) ] spids: [1753 1754 1767 -1] ) ] spids: [1726 1730 1770] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$ca')} {($ VSub_Name '$tflag')} {(-I)} {(DQ ('regress host key for ') ($ VSub_Name '$USER'))} {($ VSub_Name '$sign_opts')} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt)} ) (C {(fatal)} {(DQ ("couldn't sign cert_host_key_") (${ VSub_Name kt))}) ] op_id: Op_DPipe ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt)} ) (C {(echo)} {(HostCertificate)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt) (-cert.pub)} ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1849] ) ] spids: [1815 1847] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2)} {(-oUserKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert) } {(-oGlobalKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert) } {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1894] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1897] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [1901] ) ] spids: [1901] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(DQ (x) ($ VSub_Name '$result'))} {(Lit_Other '=')} {(DQ (xsuccess))} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$rc')} {(-ne)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} { (DQ ('ssh cert connect ') ($ VSub_Name '$ident') (' failed unexpectedly') ) } ) ] spids: [-1 1940] ) ] spids: [-1 1952] ) ] spids: [-1 1924] ) ] else_action: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$rc')} {(-eq)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} { (DQ ('ssh cert connect ') ($ VSub_Name '$ident') (' succeeded unexpectedly') ) } ) ] spids: [-1 1971] ) ] spids: [-1 1983] ) ] spids: [1955 1986] ) ] spids: [1723 1989] ) spids: [1716 1721] ) ] spids: [1695] ) spids: [1691 1694] ) (C {(test_one)} {(DQ (user-certificate))} {(failure)} {(DQ ('-n ') ($ VSub_Name '$HOSTS'))}) (C {(test_one)} {(DQ ('empty principals'))} {(success)} {(DQ (-h))}) (C {(test_one)} {(DQ ('wrong principals'))} {(failure)} {(DQ ('-h -n foo'))}) (C {(test_one)} {(DQ ('cert not yet valid'))} {(failure)} {(DQ ('-h -V20200101:20300101'))}) (C {(test_one)} {(DQ ('cert expired'))} {(failure)} {(DQ ('-h -V19800101:19900101'))}) (C {(test_one)} {(DQ ('cert valid interval'))} {(success)} {(DQ ('-h -V-1w:+2w'))}) (C {(test_one)} {(DQ ('cert has constraints'))} {(failure)} {(DQ ('-h -Oforce-command=false'))}) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/known_hosts-cert)} {($ VSub_Name '$OBJ') (/cert_host_key) (Lit_Other '*')} ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': host ') (${ VSub_Name ktype) (' ') (${ VSub_Name v) (' cert downgrade to raw key') ) } ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(${ VSub_Name ktype)} {(-f)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(fail)} {(DQ ('ssh-keygen of cert_host_key_') (${ VSub_Name ktype) (' failed'))}) ] op_id: Op_DPipe ) (Case to_match: {($ VSub_Name '$ktype')} arms: [ (case_arm pat_list: [{(rsa-sha2-) (Lit_Other '*')}] action: [ (Sentence child: (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ ('-t ') ($ VSub_Name '$ktype'))} spids: [2179] ) ] spids: [2179] ) terminator: <Op_Semi ';'> ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ca) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/host_ca_key2))} spids: [2186] ) ] spids: [2186] ) ] spids: [2175 2177 2192 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Sentence child: (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ )} spids: [2198] ) ] spids: [2198] ) terminator: <Op_Semi ';'> ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ca) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/host_ca_key))} spids: [2203] ) ] spids: [2203] ) ] spids: [2195 2196 2209 -1] ) ] spids: [2168 2172 2212] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-h)} {(-q)} {($ VSub_Name '$tflag')} {(-s)} {($ VSub_Name '$ca')} {($ VSub_Name '$tflag')} {(-I)} {(DQ ('regress host key for ') ($ VSub_Name '$USER'))} {(-n)} {($ VSub_Name '$HOSTS')} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(fatal)} {(DQ ("couldn't sign cert_host_key_") (${ VSub_Name ktype))}) ] op_id: Op_DPipe ) (Subshell child: (CommandList children: [ (C {(printf)} {(DQ ($ VSub_Name '$HOSTS') (' '))}) (C {(cat)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert)} spids: [2288] ) ] spids: [2265 2286] ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype)} ) (C {(echo)} {(HostCertificate)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name ktype) (-cert.pub)} ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2328] ) ] spids: [2294 2326] ) (C {(${ VSub_Name SSH)} {(-2)} {(-oUserKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-oGlobalKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 2378] ) ] spids: [-1 2388] ) ] spids: [2093 2390] ) spids: [2088 2091] ) (SimpleCommand words: [{(kh_ca)} {(host_ca_key.pub)} {(host_ca_key2.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} spids: [2402] ) ] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)}) (ForEach iter_name: kt iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': host ') (${ VSub_Name kt) (' connect wrong cert'))} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/cert_host_key) (Lit_Other '*')}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(${ VSub_Name kt)} {(-f)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt)} ) (C {(fail)} {(DQ ('ssh-keygen of cert_host_key_') (${ VSub_Name kt) (' failed'))}) ] op_id: Op_DPipe ) (Case to_match: {($ VSub_Name '$kt')} arms: [ (case_arm pat_list: [{(rsa-sha2-) (Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ ('-t ') ($ VSub_Name '$kt'))} spids: [2504] ) ] spids: [2504] ) ] spids: [2500 2502 2510 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ )} spids: [2516] ) ] spids: [2516] ) ] spids: [2513 2514 2520 -1] ) ] spids: [2493 2497 2523] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {($ VSub_Name '$tflag')} {(-h)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt)} {(-I)} {(DQ ('regress host key for ') ($ VSub_Name '$USER'))} {(-n)} {($ VSub_Name '$HOSTS')} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt)} ) (C {(fatal)} {(DQ ("couldn't sign cert_host_key_") (${ VSub_Name kt))}) ] op_id: Op_DPipe ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt)}) (C {(echo)} {(HostCertificate)} {($ VSub_Name '$OBJ') (/cert_host_key_) (${ VSub_Name kt) (-cert.pub)} ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2612] ) ] spids: [2578 2610] ) (C {(cp)} {($ VSub_Name '$OBJ') (/known_hosts-cert.orig)} {($ VSub_Name '$OBJ') (/known_hosts-cert)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2)} {(-oUserKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-oGlobalKnownHostsFile) (Lit_Other '=') ($ VSub_Name '$OBJ') (/known_hosts-cert)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(-q)} {(somehost)} {(true)} ] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[2659]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[2662]) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh cert connect ') ($ VSub_Name '$ident') (' succeeded unexpectedly'))} ) ] spids: [-1 2679] ) ] spids: [-1 2691] ) ] spids: [2425 2693] ) spids: [2420 2423] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/known_hosts-cert) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/host_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/cert_host_key) (Lit_Other '*')} ) ] )