(command.CommandList children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tid) op: assign_op.Equal rhs: {(DQ <'certified host keys'>)} spids: [7] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_'> <Id.Lit_Star '*'>} ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_'> <Id.Lit_Star '*'>} ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:types) op: assign_op.Equal rhs: {(DQ )} spids: [45] ) ] ) (command.ForEach iter_name: i iter_words: [ { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {($ Id.VSub_DollarName '$SSH')} {<-Q>} {<key>}) ) } ] do_arg_iter: F body: (command.DoGroup children: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-z>} {(DQ ($ Id.VSub_DollarName '$types'))} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:types) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$i'))} spids: [85] ) ] ) (command.ControlFlow token:<Id.ControlFlow_Continue continue>) ] spids: [69 82] ) ] ) (command.Case to_match: {(DQ ($ Id.VSub_DollarName '$i'))} arms: [ (case_arm pat_list: [{<Id.Lit_Star '*'> <cert> <Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:types) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$i') <','> ($ Id.VSub_DollarName '$types'))} spids: [111] ) ] ) ] spids: [106 109 117 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:types) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$types') <','> ($ Id.VSub_DollarName '$i'))} spids: [123] ) ] ) ] spids: [120 121 129 -1] ) ] ) ] ) ) (command.Subshell child: (command.CommandList children: [ (C {<echo>} {(DQ <'HostKeyAlgorithms '> (${ Id.VSub_Name types))}) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes *'>)}) ] ) redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>} ) (command.Subshell child: (command.CommandList children: [ (C {<echo>} {(DQ <'HostKeyAlgorithms *'>)}) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes *'>)}) ] ) redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>} ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:HOSTS) op: assign_op.Equal rhs: {(SQ <'localhost-with-alias,127.0.0.1,::1'>)} spids: [194] ) ] ) (command.ShFunction name: kh_ca body: (BraceGroup children: [ (command.ForEach iter_name: k iter_words: [{(DQ ($ Id.VSub_At '$@'))}] do_arg_iter: F body: (command.DoGroup children: [ (C {<printf>} {(DQ <'@cert-authority '> ($ Id.VSub_DollarName '$HOSTS') <' '>)}) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/'> ($ Id.VSub_DollarName '$k')}) (C {<fatal>} {(DQ <'couldn\'t cat '> ($ Id.VSub_DollarName '$k'))}) ] ) ] ) ) ] ) ) (command.ShFunction name: kh_revoke body: (BraceGroup children: [ (command.ForEach iter_name: k iter_words: [{(DQ ($ Id.VSub_At '$@'))}] do_arg_iter: F body: (command.DoGroup children: [ (C {<printf>} {(DQ <'@revoked * '>)}) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/'> ($ Id.VSub_DollarName '$k')}) (C {<fatal>} {(DQ <'couldn\'t cat '> ($ Id.VSub_DollarName '$k'))}) ] ) ] ) ) ] ) ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>} ) (C {<fail>} {(DQ <'ssh-keygen of host_ca_key failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>} ) (C {<fail>} {(DQ <'ssh-keygen of host_ca_key failed'>)}) ] ) (command.Simple words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_empty'>}) (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_plain'>}) (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_cert'>}) (command.Simple words: [ {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key.pub'>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2.pub'>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_ca'>} ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:PLAIN_TYPES) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {($ Id.VSub_DollarName '$SSH')} {<-Q>} {<key-plain>}) (C {<sed>} {(SQ <'s/^ssh-dss/ssh-dsa/g;s/^ssh-//'>)}) ] negated: F ) ) } spids: [418] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<echo>} {(DQ ($ Id.VSub_DollarName '$PLAIN_TYPES'))}) (command.Simple words: [{<grep>} {(SQ <'^rsa$'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) ] negated: F ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:PLAIN_TYPES) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$PLAIN_TYPES') <' rsa-sha2-256 rsa-sha2-512'>)} spids: [465] ) ] ) ] spids: [438 462] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_empty'>}) (C {<fatal>} {(DQ <'KRL init failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_plain'>}) (C {<fatal>} {(DQ <'KRL init failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_cert'>}) (C {<fatal>} {(DQ <'KRL init failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_ca'>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key.pub'>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2.pub'>} ) (C {<fatal>} {(DQ <'KRL init failed'>)}) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:serial) op: assign_op.Equal rhs: {<1>} spids: [557] ) ] ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} {(DQ ($ Id.VSub_DollarName '$tid') <': sign host '> (${ Id.VSub_Name ktype) <' cert'>)} ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name ktype)} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)} ) (C {<fatal>} {(DQ <'ssh-keygen of cert_host_key_'> (${ Id.VSub_Name ktype) <' failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-ukf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_plain'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>} ) (C {<fatal>} {(DQ <'KRL update failed'>)}) ] ) (command.Simple words: [ {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>} ] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_plain'>} ) ] do_fork: T ) (command.Case to_match: {($ Id.VSub_DollarName '$ktype')} arms: [ (case_arm pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}] action: [ (command.Sentence child: (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))} spids: [684] ) ] ) terminator: <Id.Op_Semi _> ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ca) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>)} spids: [691] ) ] ) ] spids: [680 682 697 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.Sentence child: (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ )} spids: [703] ) ] ) terminator: <Id.Op_Semi _> ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ca) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>)} spids: [708] ) ] ) ] spids: [700 701 714 -1] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-h>} {<-q>} {<-s>} {($ Id.VSub_DollarName '$ca')} {<-z>} {($ Id.VSub_DollarName '$serial')} {($ Id.VSub_DollarName '$tflag')} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} {<-n>} {($ Id.VSub_DollarName '$HOSTS')} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name ktype))}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-ukf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_cert'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub>} ) (C {<fatal>} {(DQ <'KRL update failed'>)}) ] ) (command.Simple words: [ {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub>} ] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_cert'>} ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:serial) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {<expr>} {($ Id.VSub_DollarName '$serial')} {<Id.Lit_Other '+'>} {<1>}) ) } spids: [816] ) ] ) ] ) ) (command.ShFunction name: attempt_connect body: (BraceGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:_ident) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_Number '$1'))} spids: [839] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:_expect_success) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_Number '$2'))} spids: [845] ) ] ) (command.Sentence child:(C {<shift>}) terminator:<Id.Op_Semi _>) (C {<shift>}) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> ($ Id.VSub_DollarName '$_ident') <' expect success '> ($ Id.VSub_DollarName '$_expect_success') ) } ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (C {(${ Id.VSub_Name SSH)} {<-2>} {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} {(DQ ($ Id.VSub_At '$@'))} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:_r) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [911] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ <x> ($ Id.VSub_DollarName '$_expect_success'))} {<Id.Lit_Equals '='>} {(DQ <xyes>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$_r')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$_ident') <' failed'>) } ) ] spids: [937 950] ) ] ) ] spids: [915 934] ) ] else_action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$_r')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$_ident') <' succeeded unexpectedly'> ) } ) ] spids: [968 981] ) ] ) ] ) ] ) ) (command.ForEach iter_name: privsep iter_words: [{<yes>} {<no>}] do_arg_iter: F body: (command.DoGroup children: [ (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) <' cert connect privsep '> ($ Id.VSub_DollarName '$privsep') ) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {<HostKey>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) } ) (C {<echo>} {<HostCertificate>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub> } ) (C {<echo>} {<UsePrivilegeSeparation>} {($ Id.VSub_DollarName '$privsep')}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' basic connect'>)} {(DQ <yes>)} ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' empty KRL'>)} {(DQ <yes>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_empty'>} ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' KRL w/ plain key revoked'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_plain'>} ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' KRL w/ cert revoked'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_cert'>} ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' KRL w/ CA revoked'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_ca'>} ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' empty plaintext revocation'>)} {(DQ <yes>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_revoked_empty'> } ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' plain key plaintext revocation'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_revoked_plain'> } ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' cert plaintext revocation'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_revoked_cert'> } ) (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' CA plaintext revocation'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_revoked_ca'> } ) ] ) ) ] ) ) (command.Simple words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<test>} {<-f>} { (DQ ($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>) } ) (C {<fatal>} {(DQ <'no pubkey'>)}) ] ) (command.Simple words: [{<kh_revoke>} {<cert_host_key_> (${ Id.VSub_Name ktype) <.pub>}] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) ] ) ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.ForEach iter_name: privsep iter_words: [{<yes>} {<no>}] do_arg_iter: F body: (command.DoGroup children: [ (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) <' revoked cert privsep '> ($ Id.VSub_DollarName '$privsep') ) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {<HostKey>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) } ) (C {<echo>} {<HostCertificate>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub> } ) (C {<echo>} {<UsePrivilegeSeparation>} {($ Id.VSub_DollarName '$privsep')}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2>} {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [1472 1485] ) ] ) ] ) ) ] ) ) (command.Simple words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) (command.Simple words: [{<kh_revoke>} {<host_ca_key.pub>} {<host_ca_key2.pub>}] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) <' revoked cert'>) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {<HostKey>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)} ) (C {<echo>} {<HostCertificate>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub> } ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2>} {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>}) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [1646 1659] ) ] ) ] ) ) (command.Simple words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.ShFunction name: test_one body: (BraceGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ident) op: assign_op.Equal rhs: {($ Id.VSub_Number '$1')} spids: [1704] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:result) op: assign_op.Equal rhs: {($ Id.VSub_Number '$2')} spids: [1708] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:sign_opts) op: assign_op.Equal rhs: {($ Id.VSub_Number '$3')} spids: [1712] ) ] ) (command.ForEach iter_name: kt iter_words: [{<rsa>} {<ed25519>}] do_arg_iter: F body: (command.DoGroup children: [ (command.Case to_match: {($ Id.VSub_DollarName '$ktype')} arms: [ (case_arm pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}] action: [ (command.Sentence child: (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))} spids: [1743] ) ] ) terminator: <Id.Op_Semi _> ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ca) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>)} spids: [1750] ) ] ) ] spids: [1739 1741 1756 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.Sentence child: (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ )} spids: [1762] ) ] ) terminator: <Id.Op_Semi _> ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ca) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>)} spids: [1767] ) ] ) ] spids: [1759 1760 1773 -1] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$ca')} {($ Id.VSub_DollarName '$tflag')} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} {($ Id.VSub_DollarName '$sign_opts')} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name kt))}) ] ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {<HostKey>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} ) (C {<echo>} {<HostCertificate>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt) <-cert.pub> } ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2>} {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [1907] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ <x> ($ Id.VSub_DollarName '$result'))} {<Id.Lit_Equals '='>} {(DQ <xsuccess>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$rc')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') <' failed unexpectedly'> ) } ) ] spids: [1933 1946] ) ] ) ] spids: [1911 1930] ) ] else_action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$rc')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') <' succeeded unexpectedly'> ) } ) ] spids: [1964 1977] ) ] ) ] ) ] ) ) ] ) ) (C {<test_one>} {(DQ <user-certificate>)} {<failure>} {(DQ <'-n '> ($ Id.VSub_DollarName '$HOSTS'))}) (C {<test_one>} {(DQ <'empty principals'>)} {<success>} {(DQ <-h>)}) (C {<test_one>} {(DQ <'wrong principals'>)} {<failure>} {(DQ <'-h -n foo'>)}) (C {<test_one>} {(DQ <'cert not yet valid'>)} {<failure>} {(DQ <'-h -V20200101:20300101'>)}) (C {<test_one>} {(DQ <'cert expired'>)} {<failure>} {(DQ <'-h -V19800101:19900101'>)}) (C {<test_one>} {(DQ <'cert valid interval'>)} {<success>} {(DQ <'-h -V-1w:+2w'>)}) (C {<test_one>} {(DQ <'cert has constraints'>)} {<failure>} {(DQ <'-h -Oforce-command=false'>)}) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>} ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) <' '> (${ Id.VSub_Name v) <' cert downgrade to raw key'> ) } ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name ktype)} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)} ) (C {<fail>} {(DQ <'ssh-keygen of cert_host_key_'> (${ Id.VSub_Name ktype) <' failed'>)}) ] ) (command.Case to_match: {($ Id.VSub_DollarName '$ktype')} arms: [ (case_arm pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}] action: [ (command.Sentence child: (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))} spids: [2185] ) ] ) terminator: <Id.Op_Semi _> ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ca) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>)} spids: [2192] ) ] ) ] spids: [2181 2183 2198 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.Sentence child: (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ )} spids: [2204] ) ] ) terminator: <Id.Op_Semi _> ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ca) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>)} spids: [2209] ) ] ) ] spids: [2201 2202 2215 -1] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-h>} {<-q>} {($ Id.VSub_DollarName '$tflag')} {<-s>} {($ Id.VSub_DollarName '$ca')} {($ Id.VSub_DollarName '$tflag')} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} {<-n>} {($ Id.VSub_DollarName '$HOSTS')} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name ktype))}) ] ) (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(DQ ($ Id.VSub_DollarName '$HOSTS') <' '>)}) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>} ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) ] ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {<HostKey>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)} ) (C {<echo>} {<HostCertificate>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub> } ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {(${ Id.VSub_Name SSH)} {<-2>} {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [2371 2384] ) ] ) ] ) ) (command.Simple words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} ) ] do_fork: T ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.ForEach iter_name: kt iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name kt) <' connect wrong cert'> ) } ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>}) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name kt)} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} ) (C {<fail>} {(DQ <'ssh-keygen of cert_host_key_'> (${ Id.VSub_Name kt) <' failed'>)}) ] ) (command.Case to_match: {($ Id.VSub_DollarName '$kt')} arms: [ (case_arm pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$kt'))} spids: [2510] ) ] ) ] spids: [2506 2508 2516 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ )} spids: [2522] ) ] ) ] spids: [2519 2520 2526 -1] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {($ Id.VSub_DollarName '$tflag')} {<-h>} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} {<-n>} {($ Id.VSub_DollarName '$HOSTS')} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name kt))}) ] ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {<HostKey>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} ) (C {<echo>} {<HostCertificate>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt) <-cert.pub> } ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2>} {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<-q>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>}) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') <' succeeded unexpectedly'> ) } ) ] spids: [2672 2685] ) ] ) ] ) ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>} ) ] )