(CommandList children: [ (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:tid) op:Equal rhs:{(DQ ('hostkey rotate'))} spids:[7])] spids: [7] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:HOSTKEY_TYPES) op: Equal rhs: {(DQ ('ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss'))} spids: [16] ) ] spids: [16] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/hkr.) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/ssh_proxy.orig)} ) (SimpleCommand words: [{(grep)} {(-vi)} {(SQ <hostkey>)} {($ VSub_Name '$OBJ') (/sshd_proxy)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy.orig)} spids: [45] ) ] ) (SimpleCommand words: [{(echo)} {(DQ ('UpdateHostkeys=yes'))}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [56] ) ] ) (C {(rm)} {($ VSub_Name '$OBJ') (/known_hosts)}) (C {(trace)} {(DQ ('prepare hostkeys'))}) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:nkeys) op:Equal rhs:{(0)} spids:[73])] spids: [73] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:all_algs) op:Equal rhs:{(DQ )} spids:[76])] spids: [76] ) (ForEach iter_name: k iter_words: [ { (CommandSubPart command_list: (CommandList children:[(C {(${ VSub_Name SSH)} {(-Q)} {(key-plain)})]) left_token: <Left_Backtick '`'> spids: [86 94] ) } ] do_arg_iter: False body: (DoGroup children: [ (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-qt)} {($ VSub_Name '$k')} {(-f)} {($ VSub_Name '$OBJ') (/hkr.) ($ VSub_Name '$k')} {(-N)} {(SQ )} ) (C {(fatal)} {(DQ ('ssh-keygen ') ($ VSub_Name '$k'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(echo)} {(DQ ('Hostkey ') ($ VSub_Name '$OBJ') (/hkr.) (${ VSub_Name k))}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy.orig)} spids: [141] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:nkeys) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [(C {(expr)} {($ VSub_Name '$nkeys')} {(Lit_Other '+')} {(1)})] ) left_token: <Left_Backtick '`'> spids: [148 156] ) } spids: [147] ) ] spids: [147] ) (AndOr children: [ (C {(test)} {(DQ (x) ($ VSub_Name '$all_algs'))} {(Lit_Other '=')} {(DQ (x))}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:all_algs) op: Equal rhs: {(DQ (${ VSub_Name all_algs) (','))} spids: [174] ) ] spids: [174] ) ] op_id: Op_DPipe ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:all_algs) op: Equal rhs: {(DQ (${ VSub_Name all_algs) ($ VSub_Name '$k'))} spids: [183] ) ] spids: [183] ) ] spids: [98 191] ) spids: [85 96] ) (FuncDef name: dossh body: (BraceGroup children: [ (AndOr children: [ (C {(${ VSub_Name SSH)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(DQ ($ VSub_At '$@'))} {(x)} {(true)} ) (C {(fail)} {(DQ ('ssh ') ($ VSub_At '$@') (' failed'))}) ] op_id: Op_DPipe ) ] spids: [198] ) spids: [194 197] ) (FuncDef name: expect_nkeys body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_expected) op: Equal rhs: {($ VSub_Number '$1')} spids: [242] ) ] spids: [242] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_message) op: Equal rhs: {($ VSub_Number '$2')} spids: [246] ) ] spids: [246] ) (AndOr children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_n) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {(wc)} {(-l)} {($ VSub_Name '$OBJ') (/known_hosts)}) (C {(awk)} {(SQ <'{ print $1 }'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [251 266] ) } spids: [250] ) ] spids: [250] ) (C {(fatal)} {(DQ ('wc failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(Lit_Other '[')} {(DQ (x) ($ VSub_Name '$_n'))} {(Lit_Other '=')} {(DQ (x) ($ VSub_Name '$_expected'))} {(Lit_Other ']')} ) (C {(fail)} { (DQ ($ VSub_Name '$_message') (' (got ') ($ VSub_Name '$_n') (' wanted ') ($ VSub_Name '$_expected') (')') ) } ) ] op_id: Op_DPipe ) ] spids: [239] ) spids: [235 238] ) (FuncDef name: check_key_present body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_type) op: Equal rhs: {($ VSub_Number '$1')} spids: [316] ) ] spids: [316] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_kfile) op: Equal rhs: {($ VSub_Number '$2')} spids: [320] ) ] spids: [320] ) (AndOr children: [ (C {(test)} {(DQ (x) ($ VSub_Name '$_kfile'))} {(Lit_Other '=')} {(DQ (x))}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_kfile) op: Equal rhs: {(DQ ($ VSub_Name '$OBJ') (/hkr.) (${ VSub_Name _type) (.pub))} spids: [339] ) ] spids: [339] ) ] op_id: Op_DAmp ) (AndOr children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_kpub) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (SimpleCommand words: [ {(awk)} {(DQ (/) ($ VSub_Name '$_type') (' /')) (SQ <' { print $2 }'>)} ] redirects: [ (Redir op_id: Redir_Less fd: -1 arg_word: {($ VSub_Name '$_kfile')} spids: [363] ) ] ) ] ) left_token: <Left_Backtick '`'> spids: [351 366] ) } spids: [350] ) ] spids: [350] ) (C {(fatal)} {(DQ ('awk failed'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(fgrep)} {(DQ ($ VSub_Name '$_kpub'))} {($ VSub_Name '$OBJ') (/known_hosts)}] redirects: [(Redir op_id:Redir_Great fd:-1 arg_word:{(/dev/null)} spids:[388])] ) ] spids: [313] ) spids: [309 312] ) (C {(cp)} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)} {($ VSub_Name '$OBJ') (/sshd_proxy)}) (C {(verbose)} {(DQ ('learn hostkey with StrictHostKeyChecking=no'))}) (SimpleCommand redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/known_hosts)} spids: [413] ) ] ) (C {(dossh)} {(-oHostKeyAlgorithms) (Lit_Other '=') (ssh-ed25519)} {(-oStrictHostKeyChecking) (Lit_Other '=') (no)} ) (C {(expect_nkeys)} {(1)} {(DQ ('unstrict connect keys'))}) (AndOr children: [ (C {(check_key_present)} {(ssh-ed25519)}) (C {(fail)} {(DQ ("unstrict didn't learn key"))}) ] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('learn additional hostkeys'))}) (C {(dossh)} {(-oStrictHostKeyChecking) (Lit_Other '=') (yes)} {(-oHostKeyAlgorithms) (Lit_Other '=') ($ VSub_Name '$all_algs')} ) (C {(expect_nkeys)} {($ VSub_Name '$nkeys')} {(DQ ('learn hostkeys'))}) (AndOr children: [(C {(check_key_present)} {(ssh-rsa)}) (C {(fail)} {(DQ ("didn't learn keys"))})] op_id: Op_DPipe ) (ForEach iter_name: k iter_words: [ { (CommandSubPart command_list: (CommandList children:[(C {(${ VSub_Name SSH)} {(-Q)} {(key-plain)})]) left_token: <Left_Backtick '`'> spids: [503 511] ) } ] do_arg_iter: False body: (DoGroup children: [ (C {(verbose)} {(DQ ('learn additional hostkeys, type=') ($ VSub_Name '$k'))}) (C {(dossh)} {(-oStrictHostKeyChecking) (Lit_Other '=') (yes)} {(-oHostKeyAlgorithms) (Lit_Other '=') ($ VSub_Name '$k') (Lit_Comma ',') ($ VSub_Name '$all_algs') } ) (C {(expect_nkeys)} {($ VSub_Name '$nkeys')} {(DQ ('learn hostkeys ') ($ VSub_Name '$k'))}) (AndOr children: [ (C {(check_key_present)} {($ VSub_Name '$k')}) (C {(fail)} {(DQ ("didn't learn ") ($ VSub_Name '$k'))}) ] op_id: Op_DPipe ) ] spids: [515 562] ) spids: [502 513] ) (C {(verbose)} {(DQ ('learn changed non-primary hostkey'))}) (C {(mv)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub.old)}) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa)}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-qt)} {(ssh-rsa)} {(-f)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa)} {(-N)} {(SQ )} ) (C {(fatal)} {(DQ ('ssh-keygen ') ($ VSub_Name '$k'))}) ] op_id: Op_DPipe ) (C {(dossh)} {(-oStrictHostKeyChecking) (Lit_Other '=') (yes)} {(-oHostKeyAlgorithms) (Lit_Other '=') ($ VSub_Name '$all_algs')} ) (C {(expect_nkeys)} {($ VSub_Name '$nkeys')} {(DQ ('learn hostkeys'))}) (AndOr children: [ (C {(check_key_present)} {(ssh-rsa)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub.old)}) (C {(fail)} {(DQ ('old key present'))}) ] op_id: Op_DAmp ) (AndOr children: [(C {(check_key_present)} {(ssh-rsa)}) (C {(fail)} {(DQ ("didn't learn changed key"))})] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('learn new primary hostkey'))}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-qt)} {(ssh-rsa)} {(-f)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa-new)} {(-N)} {(SQ )} ) (C {(fatal)} {(DQ ('ssh-keygen ') ($ VSub_Name '$k'))}) ] op_id: Op_DPipe ) (Subshell child: (CommandList children: [ (Sentence child: (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)}) terminator: <Op_Semi ';'> ) (C {(echo)} {(HostKey)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa-new)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [721] ) ] spids: [701 717] ) (C {(dossh)} {(-oStrictHostKeyChecking) (Lit_Other '=') (yes)} {(-oHostKeyAlgorithms) (Lit_Other '=') (ssh-rsa) (Lit_Comma ',') ($ VSub_Name '$all_algs')} ) (C {(expect_nkeys)} { (CommandSubPart command_list: (CommandList children: [(C {(expr)} {($ VSub_Name '$nkeys')} {(Lit_Other '+')} {(1)})] ) left_token: <Left_Backtick '`'> spids: [743 751] ) } {(DQ ('learn hostkeys'))} ) (AndOr children: [(C {(check_key_present)} {(ssh-rsa)}) (C {(fail)} {(DQ ('current key missing'))})] op_id: Op_DPipe ) (AndOr children: [ (C {(check_key_present)} {(ssh-rsa)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa-new.pub)}) (C {(fail)} {(DQ ('new key missing'))}) ] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('rotate primary hostkey'))}) (C {(cp)} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)} {($ VSub_Name '$OBJ') (/sshd_proxy)}) (C {(mv)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub.old)}) (C {(mv)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa-new.pub)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub)}) (C {(mv)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa-new)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa)}) (C {(dossh)} {(-oStrictHostKeyChecking) (Lit_Other '=') (yes)} {(-oHostKeyAlgorithms) (Lit_Other '=') (ssh-rsa) (Lit_Comma ',') ($ VSub_Name '$all_algs')} ) (C {(expect_nkeys)} {($ VSub_Name '$nkeys')} {(DQ ('learn hostkeys'))}) (AndOr children: [ (C {(check_key_present)} {(ssh-rsa)} {($ VSub_Name '$OBJ') (/hkr.ssh-rsa.pub.old)}) (C {(fail)} {(DQ ('old key present'))}) ] op_id: Op_DAmp ) (AndOr children: [(C {(check_key_present)} {(ssh-rsa)}) (C {(fail)} {(DQ ("didn't learn changed key"))})] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('check rotate primary hostkey'))}) (C {(dossh)} {(-oStrictHostKeyChecking) (Lit_Other '=') (yes)} {(-oHostKeyAlgorithms) (Lit_Other '=') (ssh-rsa)} ) (C {(expect_nkeys)} {(1)} {(DQ ('learn hostkeys'))}) (AndOr children: [(C {(check_key_present)} {(ssh-rsa)}) (C {(fail)} {(DQ ("didn't learn changed key"))})] op_id: Op_DPipe ) ] )