(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:tid) op: Equal rhs: {(DQ ('authorized principals command'))} spids: [7] ) ] spids: [7] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key) (Lit_Other '*')} {($ VSub_Name '$OBJ') (/cert_user_key) (Lit_Other '*')} ) (C {(cp)} {($ VSub_Name '$OBJ') (/sshd_proxy)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(-z)} {(DQ ($ VSub_Name '$SUDO'))} {(-a)} {(KW_Bang '!')} {(-w)} {(/var/run)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(echo)} {(DQ ('skipped (SUDO not set)'))}) (C {(echo)} {(DQ ("need SUDO to create file in /var/run, test won't work without"))}) (C {(exit)} {(0)}) ] spids: [-1 55] ) ] spids: [-1 76] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:SERIAL) op:Equal rhs:{($ VSub_Dollar '$$')} spids:[79])] spids: [79] ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(ed25519)} {(-f)} {($ VSub_Name '$OBJ') (/user_ca_key)} ) (C {(fatal)} {(DQ ('ssh-keygen of user_ca_key failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-N)} {(SQ )} {(-t)} {(rsa)} {(-f)} {($ VSub_Name '$OBJ') (/cert_user_key)} ) (C {(fatal)} {(DQ ('ssh-keygen of cert_user_key failed'))}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-q)} {(-s)} {($ VSub_Name '$OBJ') (/user_ca_key)} {(-I)} {(DQ ('Joanne User'))} {(-z)} {($ VSub_Dollar '$$')} {(-n)} {(${ VSub_Name USER) (Lit_Comma ',') (mekmitasdigoat)} {($ VSub_Name '$OBJ') (/cert_user_key)} ) (C {(fatal)} {(DQ ("couldn't sign cert_user_key"))}) ] op_id: Op_DPipe ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:CERT_BODY) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/cert_user_key-cert.pub)}) (C {(awk)} {(SQ <'{ print $2 }'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [192 205] ) } spids: [191] ) ] spids: [191] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:CA_BODY) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) (C {(awk)} {(SQ <'{ print $2 }'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [208 221] ) } spids: [207] ) ] spids: [207] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:CERT_FP) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-lf)} {($ VSub_Name '$OBJ') (/cert_user_key-cert.pub)} ) (C {(awk)} {(SQ <'{ print $2 }'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [224 241] ) } spids: [223] ) ] spids: [223] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:CA_FP) op: Equal rhs: { (CommandSubPart command_list: (CommandList children: [ (Pipeline children: [ (C {(${ VSub_Name SSHKEYGEN)} {(-lf)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)} ) (C {(awk)} {(SQ <'{ print $2 }'>)}) ] negated: False ) ] ) left_token: <Left_Backtick '`'> spids: [244 261] ) } spids: [243] ) ] spids: [243] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:PRINCIPALS_COMMAND) op: Equal rhs: {(DQ (/var/run/principals_command_) (${ VSub_Name LOGNAME))} spids: [270] ) ] spids: [270] ) (Pipeline children: [ (SimpleCommand words: [{(cat)}] redirects: [ (HereDoc op_id: Redir_DLess fd: -1 body: { (DQ ('#!/bin/sh\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (1) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name LOGNAME) (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (2) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') ('xssh-rsa-cert-v01@openssh.com') (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (3) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (xssh-ed25519) (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (4) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') ('xJoanne User') (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (5) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name SERIAL) (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (6) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name CA_FP) (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (7) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name CERT_FP) (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (8) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name CERT_BODY) (Right_DoubleQuote '"') (' && exit 1\n') ('test ') (Right_DoubleQuote '"') (x) (EscapedLiteralPart token:<Lit_EscapedChar '\\$'>) (9) (Right_DoubleQuote '"') (' != ') (Right_DoubleQuote '"') (x) (${ VSub_Name CA_BODY) (Right_DoubleQuote '"') (' && exit 1\n') ('test -f ') (Right_DoubleQuote '"') ($ VSub_Name '$OBJ') (/authorized_principals_) (${ VSub_Name LOGNAME) (Right_DoubleQuote '"') (' &&\n') ('\texec cat ') (Right_DoubleQuote '"') ($ VSub_Name '$OBJ') (/authorized_principals_) (${ VSub_Name LOGNAME) (Right_DoubleQuote '"') ('\n') ) } do_expansion: True here_end: _EOF was_filled: True spids: [280] ) ] ) (C {($ VSub_Name '$SUDO')} {(sh)} {(-c)} {(DQ ("cat > '") ($ VSub_Name '$PRINCIPALS_COMMAND') ("'"))} ) ] negated: False ) (AndOr children: [ (C {(test)} {($ VSub_QMark '$?')} {(-eq)} {(0)}) (C {(fatal)} {(DQ ("couldn't prepare principals command"))}) ] op_id: Op_DPipe ) (C {($ VSub_Name '$SUDO')} {(chmod)} {(0755)} {(DQ ($ VSub_Name '$PRINCIPALS_COMMAND'))}) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {($ VSub_Name '$OBJ') (/check-perm)} {(-m)} {(keys-command)} {($ VSub_Name '$PRINCIPALS_COMMAND')} ) ] negated: True ) terminator: <Op_Semi ';'> ) ] action: [ (C {(echo)} {(DQ ('skipping: ') ($ VSub_Name '$PRINCIPALS_COMMAND') (' is unsuitable as '))} {(DQ (AuthorizedPrincipalsCommand))} ) (C {($ VSub_Name '$SUDO')} {(rm)} {(-f)} {($ VSub_Name '$PRINCIPALS_COMMAND')}) (C {(exit)} {(0)}) ] spids: [-1 477] ) ] spids: [-1 508] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(-x)} {($ VSub_Name '$PRINCIPALS_COMMAND')} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [ (ForEach iter_name: privsep iter_words: [{(yes)} {(no)}] do_arg_iter: False body: (DoGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:_prefix) op: Equal rhs: {(DQ ('privsep ') ($ VSub_Name '$privsep'))} spids: [544] ) ] spids: [544] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')}) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))}) (C {(echo)} {(DQ ('AuthorizedKeysFile none'))}) (C {(echo)} { (DQ ('AuthorizedPrincipalsCommand ') ($ VSub_Name '$PRINCIPALS_COMMAND') ) } {(DQ ('%u %t %T %i %s %F %f %k %K'))} ) (C {(echo)} {(DQ ('AuthorizedPrincipalsCommandUser ') (${ VSub_Name LOGNAME))} ) (C {(echo)} {(DQ ('TrustedUserCAKeys ') ($ VSub_Name '$OBJ') (/user_ca_key.pub))} ) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [624] ) ] spids: [565 622] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' empty authorized_principals') ) } ) (SimpleCommand words: [{(echo)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [658] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [685] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [688] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 705] ) ] spids: [-1 715] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' wrong authorized_principals') ) } ) (SimpleCommand words: [{(echo)} {(gregorsamsa)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [739] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [766] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [769] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 786] ) ] spids: [-1 796] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' correct authorized_principals') ) } ) (SimpleCommand words: [{(echo)} {(mekmitasdigoat)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [820] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [847] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [850] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 867] ) ] spids: [-1 877] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' authorized_principals bad key opt') ) } ) (SimpleCommand words: [{(echo)} {(SQ <'blah mekmitasdigoat'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [903] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [930] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [933] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 950] ) ] spids: [-1 960] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' authorized_principals command=false') ) } ) (SimpleCommand words: [{(echo)} {(SQ <'command="false" mekmitasdigoat'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [986] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1015] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1018] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 1035] ) ] spids: [-1 1045] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' authorized_principals command=true') ) } ) (SimpleCommand words: [{(echo)} {(SQ <'command="true" mekmitasdigoat'>)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} spids: [1071] ) ] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(false)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1100] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1103] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 1120] ) ] spids: [-1 1130] ) (C {(rm)} {(-f)} {($ VSub_Name '$OBJ') (/authorized_principals_) ($ VSub_Name '$USER')} ) (Subshell child: (CommandList children: [ (C {(cat)} {($ VSub_Name '$OBJ') (/sshd_proxy_bak)}) (C {(echo)} {(DQ ('UsePrivilegeSeparation ') ($ VSub_Name '$privsep'))}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/sshd_proxy)} spids: [1166] ) ] spids: [1147 1164] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' wrong principals key option') ) } ) (Subshell child: (CommandList children: [ (C {(printf)} {(SQ <'cert-authority,principals="gregorsamsa" '>)}) (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [1207] ) ] spids: [1189 1205] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1234] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1237] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-eq)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect succeeded unexpectedly'))})] spids: [-1 1254] ) ] spids: [-1 1264] ) (C {(verbose)} { (DQ ($ VSub_Name '$tid') (': ') (${ VSub_Name _prefix) (' correct principals key option') ) } ) (Subshell child: (CommandList children: [ (C {(printf)} {(SQ <'cert-authority,principals="mekmitasdigoat" '>)}) (C {(cat)} {($ VSub_Name '$OBJ') (/user_ca_key.pub)}) ] ) redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {($ VSub_Name '$OBJ') (/authorized_keys_) ($ VSub_Name '$USER')} spids: [1302] ) ] spids: [1284 1300] ) (SimpleCommand words: [ {(${ VSub_Name SSH)} {(-2i)} {($ VSub_Name '$OBJ') (/cert_user_key)} {(-F)} {($ VSub_Name '$OBJ') (/ssh_proxy)} {(somehost)} {(true)} ] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [1329] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [1332] ) ] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {($ VSub_QMark '$?')} {(-ne)} {(0)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(fail)} {(DQ ('ssh cert connect failed'))})] spids: [-1 1349] ) ] spids: [-1 1359] ) ] spids: [541 1362] ) spids: [534 539] ) ] spids: [-1 522] ) ] else_action: [ (C {(echo)} {(DQ ('SKIPPED: ') ($ VSub_Name '$PRINCIPALS_COMMAND') (' not executable '))} {(DQ ('(/var/run mounted noexec?)'))} ) ] spids: [1364 1381] ) ] )