(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tid) op: Equal rhs: {(DQ ('certified user keys'))} spids: [7] ) ] spids: [7] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')} ) (C {(cp)} {($ VSub_Name '$OBJ') (/sshd_proxy)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(cp)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {($ VSub_Name '$OBJ') (/ssh_proxy_bak)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:PLAIN_TYPES) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {($ VSub_Name '$SSH')} {(-Q)} {(key-plain)}) (C {(sed)} {(SQ <'s/^ssh-dss/ssh-dsa/;s/^ssh-//'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [47 61] ) } spids: [46] ) ] spids: [46] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(echo)} {(DQ ($ VSub_Name '$PLAIN_TYPES'))}) (SimpleCommand words: [{(grep)} {(SQ <'^rsa$'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [80] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [83] ) ] ) ] negated: False ) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:PLAIN_TYPES) op: Equal rhs: {(DQ ($ VSub_Name '$PLAIN_TYPES') (' rsa-sha2-256 rsa-sha2-512'))} spids: [91] ) ] spids: [91] ) ] spids: [-1 88] ) ] spids: [-1 97] ) (FuncDef name: kname body: (BraceGroup children: [ (Case to_match: {($ VSub_Name '$ktype')} arms: [ (case_arm pat_list: [{(rsa-sha2-) (Lit_Other '*')}] spids: [114 116 118 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:n) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {(echo)} {($ VSub_Number '$1')}) (C {(sed)} {(SQ <'s/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'>)} ) ] negated: False ) ] ) left_token: <Left_CommandSub '$('> spids: [129 141] ) } spids: [128] ) ] spids: [128] ) ] spids: [125 126 143 -1] ) ] spids: [107 111 146] ) (C {(echo)} {(DQ ($ VSub_Name '$n') ('*,ssh-rsa*,ssh-ed25519*'))}) ] spids: [104] ) spids: [100 103] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(rsa)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key)} ) (C {(fail)} {(DQ ('ssh-keygen of user_ca_key failed'))}) ] op_id: Op_DPipe ) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')} {($ VSub_Name '$EXTRA_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': sign user ') (${ VSub_Name ktype) (' cert'))}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(${ VSub_Name ktype)} {(-f)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} ) (C {(fatal)} {(DQ ('ssh-keygen of cert_user_key_') (${ VSub_Name ktype) (' failed'))}) ] op_id: Op_DPipe ) (Case to_match: {($ VSub_Name '$ktype')} arms: [ (case_arm pat_list: [{(rsa-sha2-) (Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tflag) op: Equal rhs: {(DQ ('-t ') ($ VSub_Name '$ktype'))} spids: [279] ) ] spids: [279] ) ] spids: [275 277 285 -1] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:tflag) op:Equal rhs:{(DQ )} spids:[291])] spids: [291] ) ] spids: [288 289 295 -1] ) ] spids: [268 272 298] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key)} {(-z)} {($ VSub_Dollar '$$')} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-n)} {(${ VSub_Name USER) (Lit_Comma ',') (mekmitasdigoat)} {($ VSub_Name '$tflag')} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} ) (C {(fatal)} {(DQ ("couldn't sign cert_user_key_") (${ VSub_Name ktype))}) ] op_id: Op_DPipe ) ] spids: [207 356] ) spids: [200 205] ) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$EXTRA_TYPES')} {($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:t) op: Equal rhs: { (CommandSubPart command_list: (CommandList children:[(C {(kname)} {($ VSub_Name '$ktype')})]) left_token: <Left_CommandSub '$('> spids: [378 382] ) } spids: [377] ) ] spids: [377] ) (ForEach iter_name: privsep iter_words: [{(yes)} {(no)}] do_arg_iter: False body: (DoGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_prefix) op: Equal rhs: {(DQ (${ VSub_Name ktype) (' privsep ') ($ VSub_Name '$privsep'))} spids: [400] ) ] spids: [400] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')}) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))}) (C {(echo)} {(DQ ('AuthorizedPrincipalsFile '))} {(DQ ($ VSub_Name '$OBJ') ('/authorized_principals_%u'))} ) (C {(echo)} {(DQ ('TrustedUserCAKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub))} ) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [476] ) ] spids: [424 474] ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/ssh_proxy_bak)}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [503] ) ] spids: [482 501] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' missing authorized_principals') ) } ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [558] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [561] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 578] ) ] spids: [-1 588] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' empty authorized_principals') ) } ) (SimpleCommand words: [{(echo)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [610] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [640] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [643] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 660] ) ] spids: [-1 670] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' wrong authorized_principals') ) } ) (SimpleCommand words: [{(echo)} {(gregorsamsa)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [694] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [724] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [727] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 744] ) ] spids: [-1 754] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' correct authorized_principals') ) } ) (SimpleCommand words: [{(echo)} {(mekmitasdigoat)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [778] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [808] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [811] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 828] ) ] spids: [-1 838] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' authorized_principals bad key opt') ) } ) (SimpleCommand words: [{(echo)} {(SQ <'blah mekmitasdigoat'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [864] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [894] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [897] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 914] ) ] spids: [-1 924] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' authorized_principals command=false') ) } ) (SimpleCommand words: [{(echo)} {(SQ <'command="false" mekmitasdigoat'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [950] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [982] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [985] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 1002] ) ] spids: [-1 1012] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' authorized_principals command=true') ) } ) (SimpleCommand words: [{(echo)} {(SQ <'command="true" mekmitasdigoat'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [1039] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(false)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1071] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1074] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 1091] ) ] spids: [-1 1101] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1147] ) ] spids: [1118 1145] ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/ssh_proxy_bak)}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [1174] ) ] spids: [1153 1172] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' wrong principals key option') ) } ) (Subshell child: (CommandList children: [ (C {(printf)} {(SQ <'cert-authority,principals="gregorsamsa" '>)}) (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [1215] ) ] spids: [1197 1213] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1245] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1248] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 1265] ) ] spids: [-1 1275] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' correct principals key option') ) } ) (Subshell child: (CommandList children: [ (C {(printf)} {(SQ <'cert-authority,principals="mekmitasdigoat" '>)}) (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [1313] ) ] spids: [1295 1311] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1343] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1346] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 1363] ) ] spids: [-1 1373] ) ] spids: [397 1376] ) spids: [390 395] ) ] spids: [374 1378] ) spids: [367 372] ) (FuncDef name: basic_tests body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:auth) op: Equal rhs: {($ VSub_Number '$1')} spids: [1388] ) ] spids: [1388] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(test)} {(DQ (x) ($ VSub_Name '$auth'))} {(Lit_Other '=')} {(DQ (xauthorized_keys))} ) terminator: <Op_Semi ';'> ) ] action: [ (Subshell child: (CommandList children: [ (C {(printf)} {(SQ <'cert-authority '>)}) (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [1434] ) ] spids: [1416 1432] ) ] spids: [-1 1409] ) ] else_action: [ (SimpleCommand words: [{(echo)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [1446] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:extra_sshd) op: Equal rhs: {(DQ ('TrustedUserCAKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub))} spids: [1453] ) ] spids: [1453] ) ] spids: [1441 1461] ) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:t) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [(C {(kname)} {($ VSub_Name '$ktype')})] ) left_token: <Left_CommandSub '$('> spids: [1479 1483] ) } spids: [1478] ) ] spids: [1478] ) (ForEach iter_name: privsep iter_words: [{(yes)} {(no)}] do_arg_iter: False body: (DoGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_prefix) op: Equal rhs: { (DQ (${ VSub_Name ktype) (' privsep ') ($ VSub_Name '$privsep') (' ') ($ VSub_Name '$auth') ) } spids: [1501] ) ] spids: [1501] ) (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' connect'))} ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))} ) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) (C {(echo)} {(DQ ($ VSub_Name '$extra_sshd'))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1565] ) ] spids: [1529 1563] ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/ssh_proxy_bak)}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [1592] ) ] spids: [1571 1590] ) (C {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 1636] ) ] spids: [-1 1646] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' revoked key')) } ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))} ) (C {(echo)} { (DQ ('RevokedKeys ') ($ VSub_Name '$OBJ') (/cert_user_key_revoked) ) } ) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) (C {(echo)} {(DQ ($ VSub_Name '$extra_sshd'))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1711] ) ] spids: [1666 1709] ) (C {(cp)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype) (.pub)} {($ VSub_Name '$OBJ') (/cert_user_key_revoked)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1755] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1758] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh cert connect succeeded unexpecedly'))}) ] spids: [-1 1775] ) ] spids: [-1 1785] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' revoked via KRL') ) } ) (C {(rm)} {($ VSub_Name '$OBJ') (/cert_user_key_revoked)}) (C {(${ VSub_Name SSHKEYGEN)} {(-kqf)} {($ VSub_Name '$OBJ') (/cert_user_key_revoked)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype) (.pub)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1848] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1851] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh cert connect succeeded unexpecedly'))}) ] spids: [-1 1868] ) ] spids: [-1 1878] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' empty KRL')) } ) (C {(${ VSub_Name SSHKEYGEN)} {(-kqf)} {($ VSub_Name '$OBJ') (/cert_user_key_revoked)} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1926] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1929] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 1946] ) ] spids: [-1 1956] ) ] spids: [1498 1959] ) spids: [1491 1496] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name ktype) (' ') ($ VSub_Name '$auth') (' revoked CA key') ) } ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('RevokedKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub))}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) (C {(echo)} {(DQ ($ VSub_Name '$extra_sshd'))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2018] ) ] spids: [1981 2016] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [2047] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [2050] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpecedly'))})] spids: [-1 2067] ) ] spids: [-1 2077] ) ] spids: [1475 2080] ) spids: [1470 1473] ) (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': ') ($ VSub_Name '$auth') (' CA does not authenticate'))} ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t))}) (C {(echo)} {(DQ ($ VSub_Name '$extra_sshd'))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2122] ) ] spids: [2094 2120] ) (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': ensure CA key does not authenticate user'))}) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/user_ca_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[2156]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[2159]) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect with CA key succeeded unexpectedly'))})] spids: [-1 2176] ) ] spids: [-1 2186] ) ] spids: [1385] ) spids: [1381 1384] ) (C {(basic_tests)} {(authorized_keys)}) (C {(basic_tests)} {(TrustedUserCAKeys)}) (FuncDef name: test_one body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:ident) op: Equal rhs: {($ VSub_Number '$1')} spids: [2207] ) ] spids: [2207] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:result) op: Equal rhs: {($ VSub_Number '$2')} spids: [2211] ) ] spids: [2211] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:sign_opts) op: Equal rhs: {($ VSub_Number '$3')} spids: [2215] ) ] spids: [2215] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:auth_choice) op: Equal rhs: {($ VSub_Number '$4')} spids: [2219] ) ] spids: [2219] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:auth_opt) op: Equal rhs: {($ VSub_Number '$5')} spids: [2223] ) ] spids: [2223] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(test)} {(DQ (x) ($ VSub_Name '$auth_choice'))} {(Lit_Other '=')} {(DQ (x))}) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:auth_choice) op: Equal rhs: {(DQ ('authorized_keys TrustedUserCAKeys'))} spids: [2248] ) ] spids: [2248] ) ] spids: [-1 2245] ) ] spids: [-1 2254] ) (ForEach iter_name: auth iter_words: [{($ VSub_Name '$auth_choice')}] do_arg_iter: False body: (DoGroup children: [ (ForEach iter_name: ktype iter_words: [{(rsa)} {(ed25519)}] do_arg_iter: False body: (DoGroup children: [ (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2291] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(test)} {(DQ (x) ($ VSub_Name '$auth'))} {(Lit_Other '=')} {(DQ (xauthorized_keys))} ) terminator: <Op_Semi ';'> ) ] action: [ (Subshell child: (CommandList children: [ (C {(printf)} {(DQ (cert-authority) (${ VSub_Name auth_opt) (' '))} ) (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER') } spids: [2343] ) ] spids: [2321 2341] ) ] spids: [-1 2314] ) ] else_action: [ (SimpleCommand words: [{(echo)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER') } spids: [2355] ) ] ) (SimpleCommand words: [ {(echo)} { (DQ ('TrustedUserCAKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub) ) } ] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2372] ) ] ) (SimpleCommand words: [ {(echo)} {(DQ ('PubkeyAcceptedKeyTypes ') (${ VSub_Name t) ('*'))} ] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2390] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(test)} {(DQ (x) ($ VSub_Name '$auth_opt'))} {(KW_Bang '!') (Lit_Other '=')} {(DQ (x))} ) terminator: <Op_Semi ';'> ) ] action: [ (SimpleCommand words: [{(echo)} {($ VSub_Name '$auth_opt')}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [2421] ) ] ) ] spids: [-1 2414] ) ] spids: [-1 2427] ) ] spids: [2350 2430] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') ($ VSub_Name '$ident') (' auth ') ($ VSub_Name '$auth') (' expect ') ($ VSub_Name '$result') (' ') ($ VSub_Name '$ktype') ) } ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {($ VSub_Name '$sign_opts')} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} ) (C {(fail)} {(DQ ("couldn't sign cert_user_key_") (${ VSub_Name ktype))}) ] op_id: Op_DPipe ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [2516] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [2519] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [2523] ) ] spids: [2523] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(DQ (x) ($ VSub_Name '$result'))} {(Lit_Other '=')} {(DQ (xsuccess))} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$rc')} {(-ne)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ($ VSub_Name '$ident') (' failed unexpectedly'))} ) ] spids: [-1 2562] ) ] spids: [-1 2573] ) ] spids: [-1 2546] ) ] else_action: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_Name '$rc')} {(-eq)} {(0)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ($ VSub_Name '$ident') (' succeeded unexpectedly'))} ) ] spids: [-1 2592] ) ] spids: [-1 2603] ) ] spids: [2576 2606] ) ] spids: [2283 2609] ) spids: [2276 2281] ) ] spids: [2268 2612] ) spids: [2263 2266] ) ] spids: [2204] ) spids: [2200 2203] ) (C {(test_one)} {(DQ ('correct principal'))} {(success)} {(DQ ('-n ') (${ VSub_Name USER))}) (C {(test_one)} {(DQ (host-certificate))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -h'))}) (C {(test_one)} {(DQ ('wrong principals'))} {(failure)} {(DQ ('-n foo'))}) (C {(test_one)} {(DQ ('cert not yet valid'))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -V20200101:20300101'))} ) (C {(test_one)} {(DQ ('cert expired'))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -V19800101:19900101'))} ) (C {(test_one)} {(DQ ('cert valid interval'))} {(success)} {(DQ ('-n ') (${ VSub_Name USER) (' -V-1w:+2w'))} ) (C {(test_one)} {(DQ ('wrong source-address'))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -Osource-address=10.0.0.0/8'))} ) (C {(test_one)} {(DQ (force-command))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -Oforce-command=false'))} ) (C {(test_one)} {(DQ ('empty principals'))} {(success)} {(DQ )} {(authorized_keys)}) (C {(test_one)} {(DQ ('empty principals'))} {(failure)} {(DQ )} {(TrustedUserCAKeys)}) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')}) (SimpleCommand words: [{(echo)} {(mekmitasdigoat)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [2793] ) ] ) (C {(test_one)} {(DQ ('AuthorizedPrincipalsFile principals'))} {(success)} {(DQ ('-n mekmitasdigoat'))} {(TrustedUserCAKeys)} {(DQ ('AuthorizedPrincipalsFile ') ($ VSub_Name '$OBJ') ('/authorized_principals_%u'))} ) (C {(test_one)} {(DQ ('AuthorizedPrincipalsFile no principals'))} {(failure)} {(DQ )} {(TrustedUserCAKeys)} {(DQ ('AuthorizedPrincipalsFile ') ($ VSub_Name '$OBJ') ('/authorized_principals_%u'))} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')}) (C {(test_one)} {(DQ ('principals key option principals'))} {(success)} {(DQ ('-n mekmitasdigoat'))} {(authorized_keys)} {(SQ <',principals="mekmitasdigoat"'>)} ) (C {(test_one)} {(DQ ('principals key option no principals'))} {(failure)} {(DQ )} {(authorized_keys)} {(SQ <',principals="mekmitasdigoat"'>)} ) (C {(test_one)} {(DQ ('force-command match true'))} {(success)} {(DQ ('-n ') (${ VSub_Name USER) (' -Oforce-command=true'))} {(authorized_keys)} {(SQ <',command="true"'>)} ) (C {(test_one)} {(DQ ('force-command match true'))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -Oforce-command=false'))} {(authorized_keys)} {(SQ <',command="false"'>)} ) (C {(test_one)} {(DQ ('force-command mismatch 1'))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -Oforce-command=false'))} {(authorized_keys)} {(SQ <',command="true"'>)} ) (C {(test_one)} {(DQ ('force-command mismatch 2'))} {(failure)} {(DQ ('-n ') (${ VSub_Name USER) (' -Oforce-command=true'))} {(authorized_keys)} {(SQ <',command="false"'>)} ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [3010] ) ] ) (ForEach iter_name: ktype iter_words: [{($ VSub_Name '$PLAIN_TYPES')}] do_arg_iter: False body: (DoGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:t) op: Equal rhs: { (CommandSubPart command_list: (CommandList children:[(C {(kname)} {($ VSub_Name '$ktype')})]) left_token: <Left_CommandSub '$('> spids: [3029 3033] ) } spids: [3028] ) ] spids: [3028] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-n)} {($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} ) (C {(fatal)} {(DQ ("couldn't sign cert_user_key_") (${ VSub_Name ktype))}) ] op_id: Op_DPipe ) (C {(verbose)} {(DQ ($ VSub_Name '$tid') (': user ') (${ VSub_Name ktype) (' connect wrong cert'))} ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key_) (${ VSub_Name ktype)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[3123]) (Redir op_id:Redir_GreatAnd fd:2 arg_word:{(1)} spids:[3126]) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (C {(fail)} {(DQ ('ssh cert connect ') ($ VSub_Name '$ident') (' succeeded unexpectedly'))} ) ] spids: [-1 3143] ) ] spids: [-1 3155] ) ] spids: [3025 3157] ) spids: [3020 3023] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')}) ] )