(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'ssh with certificates'>)}
          spids: [7]
        )
      ]
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/user_key'> <Id.Lit_Star '*'>}
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>})
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key1'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key2'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key5'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key1'>} 
          {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER)} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}
        )
        (C {<fatal>} {(DQ <'couldn\'t sign user_key1 with user_ca_key1'>)})
      ]
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1-cert.pub'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_1.pub'>}
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key2'>} 
          {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER)} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}
        )
        (C {<fatal>} {(DQ <'couldn\'t sign user_key1 with user_ca_key2'>)})
      ]
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1-cert.pub'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_2.pub'>}
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key1'>} 
          {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER)} {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>}
        )
        (C {<fatal>} {(DQ <'couldn\'t sign user_key3 with user_ca_key1'>)})
      ]
    )
    (C {<rm>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3.pub'>})
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key1'>} 
          {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER)} {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>}
        )
        (C {<fatal>} {(DQ <'couldn\'t sign user_key4 with user_ca_key1'>)})
      ]
    )
    (C {<rm>} {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/user_key4.pub'>}
    )
    (C {<trace>} {(SQ <'try with identity files'>)})
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: {(DQ <'-F '> ($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy -oIdentitiesOnly=yes'>)}
          spids: [466]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts2)
          op: assign_op.Equal
          rhs: 
            {
              (DQ ($ Id.VSub_DollarName '$opts') <' -i '> ($ Id.VSub_DollarName '$OBJ') 
                <'/user_key1 -i '> ($ Id.VSub_DollarName '$OBJ') <'/user_key2'>
              )
            }
          spids: [473]
        )
      ]
    )
    (command.Simple
      words: [
        {<echo>}
        {
          (DQ <'cert-authority '> 
            (command_sub
              left_token: <Id.Left_DollarParen '$('>
              child: (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key1.pub'>})
            )
          )
        }
      ]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')}
        )
      ]
      do_fork: T
    )
    (command.Pipeline
      children: [
        (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>})
        (command.Simple
          words: [{<grep>} {<-v>} {<IdentityFile>}]
          redirects: [
            (redir
              op: <Id.Redir_Great '>'>
              loc: (redir_loc.Fd fd:1)
              arg: {($ Id.VSub_DollarName '$OBJ') <'/no_identity_config'>}
            )
          ]
          do_fork: T
        )
      ]
      negated: F
    )
    (command.ForEach
      iter_name: p
      iter_words: [{(${ Id.VSub_Name SSH_PROTOCOLS)}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (C {<verbose>} 
              {
                (DQ <'protocol '> ($ Id.VSub_DollarName '$p') 
                  <': identity cert with no plain public file'>
                )
              }
            )
            (C {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/no_identity_config'>} 
              {<-oIdentitiesOnly> <Id.Lit_Equals '='> <yes>} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>} {<somehost>} {<Id.ControlFlow_Exit exit>} 
              {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.AndOr
              ops: [Id.Op_DAmp]
              children: [
                (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} 
                  {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                )
                (C {<fail>} {(DQ <'ssh failed'>)})
              ]
            )
            (C {<verbose>} 
              {
                (DQ <'protocol '> ($ Id.VSub_DollarName '$p') 
                  <': CertificateFile with no plain public file'>
                )
              }
            )
            (C {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/no_identity_config'>} 
              {<-oIdentitiesOnly> <Id.Lit_Equals '='> <yes>} {<-oCertificateFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/user_key3-cert.pub'>} {<-i>} 
              {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>} {<somehost>} {<Id.ControlFlow_Exit exit>} {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.AndOr
              ops: [Id.Op_DAmp]
              children: [
                (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} 
                  {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                )
                (C {<fail>} {(DQ <'ssh failed'>)})
              ]
            )
            (C {<verbose>} {(DQ <'protocol '> ($ Id.VSub_DollarName '$p') <': plain keys'>)})
            (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts2')} {<somehost>} 
              {<Id.ControlFlow_Exit exit>} {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:r)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [703]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$r')} {<-eq>} 
                              {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (C {<fail>} 
                      {(DQ <'ssh succeeded with no certs in protocol '> ($ Id.VSub_DollarName '$p'))}
                    )
                  ]
                  spids: [707 721]
                )
              ]
            )
            (C {<verbose>} {(DQ <'protocol '> ($ Id.VSub_DollarName '$p') <': untrusted cert'>)})
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:opts3)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (DQ ($ Id.VSub_DollarName '$opts2') <' -oCertificateFile='> 
                        ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_2.pub'>
                      )
                    }
                  spids: [749]
                )
              ]
            )
            (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts3')} {<somehost>} 
              {<Id.ControlFlow_Exit exit>} {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:r)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [772]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$r')} {<-eq>} 
                              {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (C {<fail>} 
                      {(DQ <'ssh succeeded with bad cert in protocol '> ($ Id.VSub_DollarName '$p'))}
                    )
                  ]
                  spids: [776 790]
                )
              ]
            )
            (C {<verbose>} {(DQ <'protocol '> ($ Id.VSub_DollarName '$p') <': good cert, bad key'>)})
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:opts3)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (DQ ($ Id.VSub_DollarName '$opts') <' -i '> ($ Id.VSub_DollarName '$OBJ') 
                        <'/user_key2'>
                      )
                    }
                  spids: [818]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:opts3)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (DQ ($ Id.VSub_DollarName '$opts3') <' -oCertificateFile='> 
                        ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_1.pub'>
                      )
                    }
                  spids: [827]
                )
              ]
            )
            (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts3')} {<somehost>} 
              {<Id.ControlFlow_Exit exit>} {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:r)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [850]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$r')} {<-eq>} 
                              {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (C {<fail>} 
                      {
                        (DQ <'ssh succeeded with no matching key in protocol '> 
                          ($ Id.VSub_DollarName '$p')
                        )
                      }
                    )
                  ]
                  spids: [854 868]
                )
              ]
            )
            (C {<verbose>} {(DQ <'protocol '> ($ Id.VSub_DollarName '$p') <': single trusted'>)})
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:opts3)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (DQ ($ Id.VSub_DollarName '$opts2') <' -oCertificateFile='> 
                        ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_1.pub'>
                      )
                    }
                  spids: [896]
                )
              ]
            )
            (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts3')} {<somehost>} 
              {<Id.ControlFlow_Exit exit>} {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:r)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [919]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$r')} {<-ne>} 
                              {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (C {<fail>} 
                      {
                        (DQ <'ssh failed with trusted cert and key in protocol '> 
                          ($ Id.VSub_DollarName '$p')
                        )
                      }
                    )
                  ]
                  spids: [923 937]
                )
              ]
            )
            (C {<verbose>} {(DQ <'protocol '> ($ Id.VSub_DollarName '$p') <': multiple trusted'>)})
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:opts3)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (DQ ($ Id.VSub_DollarName '$opts2') <' -oCertificateFile='> 
                        ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_2.pub'>
                      )
                    }
                  spids: [965]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:opts3)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (DQ ($ Id.VSub_DollarName '$opts3') <' -oCertificateFile='> 
                        ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1_1.pub'>
                      )
                    }
                  spids: [974]
                )
              ]
            )
            (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts3')} {<somehost>} 
              {<Id.ControlFlow_Exit exit>} {<5> ($ Id.VSub_DollarName '$p')}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:r)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [997]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$r')} {<-ne>} 
                              {<5> ($ Id.VSub_DollarName '$p')} {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (C {<fail>} 
                      {
                        (DQ <'ssh failed with multiple certs in protocol '> 
                          ($ Id.VSub_DollarName '$p')
                        )
                      }
                    )
                  ]
                  spids: [1001 1015]
                )
              ]
            )
          ]
        )
    )
    (command.Simple
      words: [{(${ Id.VSub_Name SSHADD)} {<-l>}]
      redirects: [
        (redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})
        (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>})
      ]
      more_env: [(env_pair name:SSH_AUTH_SOCK val:{<'/nonexistent'>} spids:[1034])]
      do_fork: T
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<2>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [(C {<fatal>} {(DQ <'ssh-add -l did not fail with exit code 2'>)})]
          spids: [1050 1063]
        )
      ]
    )
    (C {<trace>} {(DQ <'start agent'>)})
    (command.Simple
      words: [
        {<eval>}
        {(command_sub left_token:<Id.Left_Backtick '`'> child:(C {(${ Id.VSub_Name SSHAGENT)} {<-s>}))}
      ]
      redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
      do_fork: T
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:r)
          op: assign_op.Equal
          rhs: {($ Id.VSub_QMark '$?')}
          spids: [1097]
        )
      ]
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$r')} {<-ne>} {<0>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (C {<fatal>} {(DQ <'could not start ssh-agent: exit code '> ($ Id.VSub_DollarName '$r'))})
          ]
          spids: [1100 1113]
        )
      ]
    )
    (command.Simple
      words: [{(${ Id.VSub_Name SSHADD)} {<-k>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>}]
      redirects: [
        (redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})
        (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>})
      ]
      do_fork: T
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [(C {<fatal>} {(DQ <'ssh-add did not succeed with exit code 0'>)})]
          spids: [1145 1158]
        )
      ]
    )
    (command.Simple
      words: [{(${ Id.VSub_Name SSHADD)} {<-k>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}]
      redirects: [
        (redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})
        (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>})
      ]
      do_fork: T
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [(C {<fatal>} {(DQ <'ssh-add did not succeed with exit code 0'>)})]
          spids: [1185 1198]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: {(DQ <'-F '> ($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>)}
          spids: [1216]
        )
      ]
    )
    (C {(${ Id.VSub_Name SSH)} {<-2>} {($ Id.VSub_DollarName '$opts')} {<somehost>} 
      {<Id.ControlFlow_Exit exit>} {<52>}
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<52>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [(C {<fail>} {(DQ <'ssh connect with agent in protocol 2 succeeded with no cert'>)})]
          spids: [1240 1253]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: 
            {
              (DQ ($ Id.VSub_DollarName '$opts') <' -oCertificateFile='> ($ Id.VSub_DollarName '$OBJ') 
                <'/cert_user_key1_2.pub'>
              )
            }
          spids: [1268]
        )
      ]
    )
    (C {(${ Id.VSub_Name SSH)} {<-2>} {($ Id.VSub_DollarName '$opts')} {<somehost>} 
      {<Id.ControlFlow_Exit exit>} {<52>}
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<52>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [(C {<fail>} {(DQ <'ssh connect with agent in protocol 2 succeeded with bad cert'>)})]
          spids: [1290 1303]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: 
            {
              (DQ ($ Id.VSub_DollarName '$opts') <' -oCertificateFile='> ($ Id.VSub_DollarName '$OBJ') 
                <'/cert_user_key1_1.pub'>
              )
            }
          spids: [1318]
        )
      ]
    )
    (C {(${ Id.VSub_Name SSH)} {<-2>} {($ Id.VSub_DollarName '$opts')} {<somehost>} 
      {<Id.ControlFlow_Exit exit>} {<52>}
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<52>} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [(C {<fail>} {(DQ <'ssh connect with agent in protocol 2 failed with good cert'>)})]
          spids: [1340 1353]
        )
      ]
    )
    (C {<trace>} {(DQ <'kill agent'>)})
    (command.Simple
      words: [{(${ Id.VSub_Name SSHAGENT)} {<-k>}]
      redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
      do_fork: T
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/user_key'> <Id.Lit_Star '*'>}
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>})
  ]
)