(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tid) op: Equal rhs: {(DQ ('restrict pubkey type'))} spids: [7] ) ] spids: [7] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/user_key) (Lit_Other '*')} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')} ) (C {(mv)} {($ VSub_Name '$OBJ') (/sshd_proxy)} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)}) (C {(mv)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {($ VSub_Name '$OBJ') (/ssh_proxy.orig)}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key1)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(rsa)} {(-f)} {($ VSub_Name '$OBJ') (/user_key2)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(rsa)} {(-f)} {($ VSub_Name '$OBJ') (/user_key3)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(dsa)} {(-f)} {($ VSub_Name '$OBJ') (/user_key4)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER) (Lit_Comma ',') (mekmitasdigoat)} {($ VSub_Name '$OBJ') (/user_key3)} ) (C {(fatal)} {(DQ ("couldn't sign user_key1"))}) ] op_id: Op_DPipe ) (C {(mv)} {($ VSub_Name '$OBJ') (/user_key3-cert.pub)} {($ VSub_Name '$OBJ') (/cert_user_key3.pub)}) (SimpleCommand words: [{(grep)} {(-v)} {(IdentityFile)} {($ VSub_Name '$OBJ') (/ssh_proxy.orig)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [283] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: {(DQ ('-oProtocol=2 -F ') ($ VSub_Name '$OBJ') ('/ssh_proxy -oIdentitiesOnly=yes'))} spids: [289] ) ] spids: [289] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:certopts) op: Equal rhs: { (DQ ($ VSub_Name '$opts') (' -i ') ($ VSub_Name '$OBJ') ('/user_key3 -oCertificateFile=') ($ VSub_Name '$OBJ') (/cert_user_key3.pub) ) } spids: [296] ) ] spids: [296] ) (SimpleCommand words: [{(echo)} {(mekmitasdigoat)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [311] ) ] ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/user_key1.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [322] ) ] ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/user_key2.pub)}] redirects: [ (Redir op_id: Redir_DGreat fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [333] ) ] ) (FuncDef name: prepare_config body: (BraceGroup children: [ (Subshell child: (CommandList children: [ (C {(grep)} {(-v)} {(DQ (Protocol))} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)}) (C {(echo)} {(DQ ('Protocol 2'))}) (C {(echo)} {(DQ ('AuthenticationMethods publickey'))}) (C {(echo)} {(DQ ('TrustedUserCAKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub))}) (C {(echo)} { (DQ ('AuthorizedPrincipalsFile ') ($ VSub_Name '$OBJ') ('/authorized_principals_%u') ) } ) (ForEach iter_name: x iter_words: [{(DQ ($ VSub_At '$@'))}] do_arg_iter: False body: (DoGroup children: [(C {(echo)} {(DQ ($ VSub_Name '$x'))})] spids: [406 416] ) spids: [399 404] ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [421] ) ] spids: [347 419] ) ] spids: [344] ) spids: [340 343] ) (C {(prepare_config)}) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$certopts')} {(proxy)} {(true)}) (C {(fatal)} {(DQ ('cert failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key1)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key1 failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key2)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key2 failed'))}) ] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('allow rsa,ed25519'))}) (C {(prepare_config)} {(DQ ('PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519'))}) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$certopts')} {(proxy)} {(true)}) (C {(fatal)} {(DQ ('cert succeeded'))}) ] op_id: Op_DAmp ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key1)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key1 failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key2)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key2 failed'))}) ] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('allow ed25519'))}) (C {(prepare_config)} {(DQ ('PubkeyAcceptedKeyTypes ssh-ed25519'))}) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$certopts')} {(proxy)} {(true)}) (C {(fatal)} {(DQ ('cert succeeded'))}) ] op_id: Op_DAmp ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key1)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key1 failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key2)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key2 succeeded'))}) ] op_id: Op_DAmp ) (C {(verbose)} {(DQ ('allow cert only'))}) (C {(prepare_config)} {(DQ ('PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com'))}) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$certopts')} {(proxy)} {(true)}) (C {(fatal)} {(DQ ('cert failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key1)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key1 succeeded'))}) ] op_id: Op_DAmp ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key2)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key2 succeeded'))}) ] op_id: Op_DAmp ) (C {(verbose)} {(DQ ('match w/ no match'))}) (C {(prepare_config)} {(DQ ('PubkeyAcceptedKeyTypes ssh-rsa'))} {(DQ ('Match user x') ($ VSub_Name '$USER'))} {(DQ ('PubkeyAcceptedKeyTypes +ssh-ed25519'))} ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$certopts')} {(proxy)} {(true)}) (C {(fatal)} {(DQ ('cert succeeded'))}) ] op_id: Op_DAmp ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key1)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key1 succeeded'))}) ] op_id: Op_DAmp ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key2)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key2 failed'))}) ] op_id: Op_DPipe ) (C {(verbose)} {(DQ ('match w/ matching'))}) (C {(prepare_config)} {(DQ ('PubkeyAcceptedKeyTypes ssh-dss'))} {(DQ ('Match user ') ($ VSub_Name '$USER'))} {(DQ ('PubkeyAcceptedKeyTypes +ssh-ed25519'))} ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$certopts')} {(proxy)} {(true)}) (C {(fatal)} {(DQ ('cert failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key1)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key1 failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(-i)} {($ VSub_Name '$OBJ') (/user_key4)} {(proxy)} {(true)} ) (C {(fatal)} {(DQ ('key4 succeeded'))}) ] op_id: Op_DAmp ) ] )