(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tid) op: Equal rhs: {(DQ ('authorized keys from command'))} spids: [7] ) ] spids: [7] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(-z)} {(DQ ($ VSub_Name '$SUDO'))} {(-a)} {(KW_Bang '!')} {(-w)} {(/var/run)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(echo)} {(DQ ('skipped (SUDO not set)'))}) (C {(echo)} {(DQ ("need SUDO to create file in /var/run, test won't work without"))}) (C {(exit)} {(0)}) ] spids: [-1 34] ) ] spids: [-1 55] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/keys-command-args)}) (C {(touch)} {($ VSub_Name '$OBJ') (/keys-command-args)}) (C {(chmod)} {(a) (Lit_Other '+') (rw)} {($ VSub_Name '$OBJ') (/keys-command-args)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:expected_key_text) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (SimpleCommand words: [{(awk)} {(SQ <'{ print $2 }'>)}] redirects: [ (Redir op_id: Redir_Less fd: -1 arg_word: {($ VSub_Name '$OBJ') (/rsa.pub)} spids: [89] ) ] ) ] ) left_token: <Left_Backtick '`'> spids: [82 93] ) } spids: [81] ) ] spids: [81] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:expected_key_fp) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {($ VSub_Name '$SSHKEYGEN')} {(-lf)} {($ VSub_Name '$OBJ') (/rsa.pub)}) (C {(awk)} {(SQ <'{ print $2 }'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [96 111] ) } spids: [95] ) ] spids: [95] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:KEY_COMMAND) op: Equal rhs: {(DQ (/var/run/keycommand_) (${ VSub_Name LOGNAME))} spids: [120] ) ] spids: [120] ) (Pipeline children: [ (SimpleCommand words: [{(cat)}] redirects: [ (HereDoc op_id: Redir_DLess fd: -1 body: { (DQ ('#!/bin/sh\n') ('echo args: ') (Right_DoubleQuote '"') (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) ('@') (Right_DoubleQuote '"') (' >> ') ($ VSub_Name '$OBJ') ('/keys-command-args\n') ('echo ') (Right_DoubleQuote '"') ($ VSub_Name '$PATH') (Right_DoubleQuote '"') (' | grep -q mekmitasdigoat && exit 7\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (1) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name LOGNAME) (Right_DoubleQuote '"') (' && exit 1\n') ('if test ') ($ VSub_Pound '$#') (' -eq 6 ; then\n') ('\ttest ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (2) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (xblah) (Right_DoubleQuote '"') (' && exit 2\n') ('\ttest ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (3) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name expected_key_text) (Right_DoubleQuote '"') (' && exit 3\n') ('\ttest ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (4) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (xssh-rsa) (Right_DoubleQuote '"') (' && exit 4\n') ('\ttest ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (5) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name expected_key_fp) (Right_DoubleQuote '"') (' && exit 5\n') ('\ttest ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (6) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (xblah) (Right_DoubleQuote '"') (' && exit 6\n') ('fi\n') ('exec cat ') (Right_DoubleQuote '"') ($ VSub_Name '$OBJ') (/authorized_keys_) (${ VSub_Name LOGNAME) (Right_DoubleQuote '"') ('\n') ) } do_expansion: True here_end: _EOF was_filled: True spids: [130] ) ] ) (C {($ VSub_Name '$SUDO')} {(sh)} {(-c)} { (DQ ("rm -f '") ($ VSub_Name '$KEY_COMMAND') ("' ; cat > '") ($ VSub_Name '$KEY_COMMAND') ("'") ) } ) ] negated: False ) (C {($ VSub_Name '$SUDO')} {(chmod)} {(0755)} {(DQ ($ VSub_Name '$KEY_COMMAND'))}) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {($ VSub_Name '$OBJ') (/check-perm)} {(-m)} {(keys-command)} {($ VSub_Name '$KEY_COMMAND')} ) ] negated: True ) terminator: <Op_Semi ';'> ) ] action: [ (C {(echo)} { (DQ ('skipping: ') ($ VSub_Name '$KEY_COMMAND') (' is unsuitable as AuthorizedKeysCommand') ) } ) (C {($ VSub_Name '$SUDO')} {(rm)} {(-f)} {($ VSub_Name '$KEY_COMMAND')}) (C {(exit)} {(0)}) ] spids: [-1 279] ) ] spids: [-1 304] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(-x)} {($ VSub_Name '$KEY_COMMAND')} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (C {(cp)} {($ VSub_Name '$OBJ') (/sshd_proxy)} {($ VSub_Name '$OBJ') (/sshd_proxy.bak)}) (C {(verbose)} {(DQ ('AuthorizedKeysCommand with arguments'))}) (Subshell child: (CommandList children: [ (C {(grep)} {(-vi)} {(AuthorizedKeysFile)} {($ VSub_Name '$OBJ') (/sshd_proxy.bak)}) (C {(echo)} {(AuthorizedKeysFile)} {(none)}) (C {(echo)} {(AuthorizedKeysCommand)} {($ VSub_Name '$KEY_COMMAND')} {(Lit_Other '%') (u)} {(blah)} {(Lit_Other '%') (k)} {(Lit_Other '%') (t)} {(Lit_Other '%') (f)} {(blah)} ) (C {(echo)} {(AuthorizedKeysCommandUser)} {(${ VSub_Name LOGNAME)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [392] ) ] spids: [338 390] ) (C {(env)} {(Lit_VarLike 'PATH=') ($ VSub_Name '$PATH') (Lit_Other ':') (/sbin/mekmitasdigoat)} {(${ VSub_Name SSH)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('connect failed'))})] spids: [-1 439] ) ] spids: [-1 449] ) (C {(verbose)} {(DQ ('AuthorizedKeysCommand without arguments'))}) (Subshell child: (CommandList children: [ (C {(grep)} {(-vi)} {(AuthorizedKeysFile)} {($ VSub_Name '$OBJ') (/sshd_proxy.bak)}) (C {(echo)} {(AuthorizedKeysFile)} {(none)}) (C {(echo)} {(AuthorizedKeysCommand)} {($ VSub_Name '$KEY_COMMAND')}) (C {(echo)} {(AuthorizedKeysCommandUser)} {(${ VSub_Name LOGNAME)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [502] ) ] spids: [464 500] ) (C {(env)} {(Lit_VarLike 'PATH=') ($ VSub_Name '$PATH') (Lit_Other ':') (/sbin/mekmitasdigoat)} {(${ VSub_Name SSH)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('connect failed'))})] spids: [-1 549] ) ] spids: [-1 559] ) ] spids: [-1 318] ) ] else_action: [ (C {(echo)} { (DQ ('SKIPPED: ') ($ VSub_Name '$KEY_COMMAND') (' not executable (/var/run mounted noexec?)') ) } ) ] spids: [561 572] ) (C {($ VSub_Name '$SUDO')} {(rm)} {(-f)} {($ VSub_Name '$KEY_COMMAND')}) ] )