(CommandList children: [ (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:tid) op:Equal rhs:{(DQ ('multiple pubkey'))} spids:[7])] spids: [7] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/user_key) (Lit_Other '*')} ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')} ) (C {(mv)} {($ VSub_Name '$OBJ') (/sshd_proxy)} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)}) (C {(mv)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {($ VSub_Name '$OBJ') (/ssh_proxy.orig)}) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key1)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_key2)} ) (C {(fatal)} {(DQ ('ssh-keygen failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key)} {(-I)} {(DQ ('regress user key for ') ($ VSub_Name '$USER'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER) (Lit_Comma ',') (mekmitasdigoat)} {($ VSub_Name '$OBJ') (/user_key1)} ) (C {(fail)} {(DQ ("couldn't sign user_key1"))}) ] op_id: Op_DPipe ) (C {(mv)} {($ VSub_Name '$OBJ') (/user_key1-cert.pub)} {($ VSub_Name '$OBJ') (/cert_user_key1.pub)}) (C {(cp)} {(-p)} {($ VSub_Name '$OBJ') (/user_key1)} {($ VSub_Name '$OBJ') (/cert_user_key1)}) (SimpleCommand words: [{(grep)} {(-v)} {(IdentityFile)} {($ VSub_Name '$OBJ') (/ssh_proxy.orig)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/ssh_proxy)} spids: [233] ) ] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: {(DQ ('-oProtocol=2 -F ') ($ VSub_Name '$OBJ') ('/ssh_proxy -oIdentitiesOnly=yes'))} spids: [239] ) ] spids: [239] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:opts) op: Equal rhs: { (DQ ($ VSub_Name '$opts') (' -i ') ($ VSub_Name '$OBJ') ('/cert_user_key1 -i ') ($ VSub_Name '$OBJ') ('/user_key1 -i ') ($ VSub_Name '$OBJ') (/user_key2) ) } spids: [246] ) ] spids: [246] ) (ForEach iter_name: privsep iter_words: [{(no)} {(yes)}] do_arg_iter: False body: (DoGroup children: [ (Subshell child: (CommandList children: [ (C {(grep)} {(-v)} {(DQ (Protocol))} {($ VSub_Name '$OBJ') (/sshd_proxy.orig)}) (C {(echo)} {(DQ ('Protocol 2'))}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))}) (C {(echo)} {(DQ ('AuthenticationMethods publickey,publickey'))}) (C {(echo)} {(DQ ('TrustedUserCAKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub))}) (C {(echo)} { (DQ ('AuthorizedPrincipalsFile ') ($ VSub_Name '$OBJ') ('/authorized_principals_%u') ) } ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [330] ) ] spids: [273 328] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')}) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/user_key1.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [355] ) ] ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(proxy)} {(true)}) (C {(fail)} {(DQ ('ssh succeeded with key'))}) ] op_id: Op_DAmp ) (SimpleCommand words: [{(echo)} {(mekmitasdigoat)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [390] ) ] ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/user_key1.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [402] ) ] ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(proxy)} {(true)}) (C {(fail)} {(DQ ('ssh succeeded with key+cert'))}) ] op_id: Op_DAmp ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')}) (SimpleCommand words: [ {(cat)} {($ VSub_Name '$OBJ') (/user_key1.pub)} {($ VSub_Name '$OBJ') (/user_key2.pub)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [450] ) ] ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(proxy)} {(true)}) (C {(fail)} {(DQ ('ssh failed with multiple keys'))}) ] op_id: Op_DPipe ) (SimpleCommand words: [{(echo)} {(mekmitasdigoat)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [491] ) ] ) (SimpleCommand words: [{(cat)} {($ VSub_Name '$OBJ') (/user_key2.pub)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [503] ) ] ) (AndOr children: [ (C {(${ VSub_Name SSH)} {($ VSub_Name '$opts')} {(proxy)} {(true)}) (C {(fail)} {(DQ ('ssh failed with key/cert'))}) ] op_id: Op_DPipe ) ] spids: [270 528] ) spids: [264 268] ) ] )