(command.CommandList children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tid) op: assign_op.Equal rhs: {(DQ <'certified user keys'>)} spids: [7] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>} ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>} ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy_bak'>} ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:PLAIN_TYPES) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {($ Id.VSub_DollarName '$SSH')} {<-Q>} {<key-plain>}) (C {<sed>} {(SQ <'s/^ssh-dss/ssh-dsa/;s/^ssh-//'>)}) ] negated: F ) ) } spids: [46] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<echo>} {(DQ ($ Id.VSub_DollarName '$PLAIN_TYPES'))}) (command.Simple words: [{<grep>} {(SQ <'^rsa$'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) ] negated: F ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:PLAIN_TYPES) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$PLAIN_TYPES') <' rsa-sha2-256 rsa-sha2-512'>)} spids: [93] ) ] ) ] spids: [66 90] ) ] ) (command.ShFunction name: kname body: (BraceGroup children: [ (command.Case to_match: {($ Id.VSub_DollarName '$ktype')} arms: [ (case_arm pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}] spids: [116 118 120 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:n) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (command.Pipeline children: [ (C {<echo>} {($ Id.VSub_Number '$1')}) (C {<sed>} {(SQ <'s/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'>)} ) ] negated: F ) ) } spids: [130] ) ] ) ] spids: [127 128 145 -1] ) ] ) (C {<echo>} {(DQ ($ Id.VSub_DollarName '$n') <'*,ssh-rsa*,ssh-ed25519*'>)}) ] ) ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} ) (C {<fail>} {(DQ <'ssh-keygen of user_ca_key failed'>)}) ] ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')} {($ Id.VSub_DollarName '$EXTRA_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} {(DQ ($ Id.VSub_DollarName '$tid') <': sign user '> (${ Id.VSub_Name ktype) <' cert'>)} ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name ktype)} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} ) (C {<fatal>} {(DQ <'ssh-keygen of cert_user_key_'> (${ Id.VSub_Name ktype) <' failed'>)}) ] ) (command.Case to_match: {($ Id.VSub_DollarName '$ktype')} arms: [ (case_arm pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))} spids: [281] ) ] ) ] spids: [277 279 287 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tflag) op: assign_op.Equal rhs: {(DQ )} spids: [293] ) ] ) ] spids: [290 291 297 -1] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} {<-z>} {($ Id.VSub_Dollar '$$')} {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-n>} {(${ Id.VSub_Name USER) <Id.Lit_Comma ','> <mekmitasdigoat>} {($ Id.VSub_DollarName '$tflag')} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_user_key_'> (${ Id.VSub_Name ktype))}) ] ) ] ) ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$EXTRA_TYPES')} {($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:t) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (C {<kname>} {($ Id.VSub_DollarName '$ktype')}) ) } spids: [379] ) ] ) (command.ForEach iter_name: privsep iter_words: [{<yes>} {<no>}] do_arg_iter: F body: (command.DoGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:_prefix) op: assign_op.Equal rhs: { (DQ (${ Id.VSub_Name ktype) <' privsep '> ($ Id.VSub_DollarName '$privsep') ) } spids: [402] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))} ) (C {<echo>} {(DQ <'AuthorizedPrincipalsFile '>)} {(DQ ($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_%u'>)} ) (C {<echo>} { (DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'> ) } ) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy_bak'>}) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' missing authorized_principals'> ) } ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [567 580] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' empty authorized_principals'> ) } ) (command.Simple words: [{<echo>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [649 662] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' wrong authorized_principals'> ) } ) (command.Simple words: [{<echo>} {<gregorsamsa>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [733 746] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' correct authorized_principals'> ) } ) (command.Simple words: [{<echo>} {<mekmitasdigoat>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [817 830] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' authorized_principals bad key opt'> ) } ) (command.Simple words: [{<echo>} {(SQ <'blah mekmitasdigoat'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [903 916] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' authorized_principals command=false'> ) } ) (command.Simple words: [{<echo>} {(SQ <'command="false" mekmitasdigoat'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [991 1004] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' authorized_principals command=true'> ) } ) (command.Simple words: [{<echo>} {(SQ <'command="true" mekmitasdigoat'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<false>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [1080 1093] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))} ) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy_bak'>}) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' wrong principals key option'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(SQ <'cert-authority,principals="gregorsamsa" '>)}) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [1254 1267] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' correct principals key option'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(SQ <'cert-authority,principals="mekmitasdigoat" '>)}) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [1352 1365] ) ] ) ] ) ) ] ) ) (command.ShFunction name: basic_tests body: (BraceGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:auth) op: assign_op.Equal rhs: {($ Id.VSub_Number '$1')} spids: [1390] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<test>} {(DQ <x> ($ Id.VSub_DollarName '$auth'))} {<Id.Lit_Equals '='>} {(DQ <xauthorized_keys>)} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(SQ <'cert-authority '>)}) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] ) ] spids: [1394 1411] ) ] else_action: [ (command.Simple words: [{<echo>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:extra_sshd) op: assign_op.Equal rhs: { (DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>) } spids: [1455] ) ] ) ] ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:t) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (C {<kname>} {($ Id.VSub_DollarName '$ktype')}) ) } spids: [1480] ) ] ) (command.ForEach iter_name: privsep iter_words: [{<yes>} {<no>}] do_arg_iter: F body: (command.DoGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:_prefix) op: assign_op.Equal rhs: { (DQ (${ Id.VSub_Name ktype) <' privsep '> ($ Id.VSub_DollarName '$privsep') <' '> ($ Id.VSub_DollarName '$auth') ) } spids: [1503] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' connect'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} { (DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep') ) } ) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) (C {<echo>} {(DQ ($ Id.VSub_DollarName '$extra_sshd'))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy_bak'>}) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} ) ] ) (C {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [1625 1638] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' revoked key'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} { (DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep') ) } ) (C {<echo>} { (DQ <'RevokedKeys '> ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_revoked'> ) } ) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) (C {<echo>} {(DQ ($ Id.VSub_DollarName '$extra_sshd'))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) <.pub> } {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_revoked'>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} {(DQ <'ssh cert connect succeeded unexpecedly'>)}) ] spids: [1764 1777] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' revoked via KRL'> ) } ) (C {<rm>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_revoked'>}) (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kqf>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_revoked'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) <.pub>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} {(DQ <'ssh cert connect succeeded unexpecedly'>)}) ] spids: [1857 1870] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' empty KRL'> ) } ) (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kqf>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_revoked'>} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [1935 1948] ) ] ) ] ) ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name ktype) <' '> ($ Id.VSub_DollarName '$auth') <' revoked CA key'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} { (DQ <'RevokedKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>) } ) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) (C {<echo>} {(DQ ($ Id.VSub_DollarName '$extra_sshd'))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpecedly'>)})] spids: [2056 2069] ) ] ) ] ) ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> ($ Id.VSub_DollarName '$auth') <' CA does not authenticate'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t))}) (C {<echo>} {(DQ ($ Id.VSub_DollarName '$extra_sshd'))}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<verbose>} {(DQ ($ Id.VSub_DollarName '$tid') <': ensure CA key does not authenticate user'>)} ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>}) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect with CA key succeeded unexpectedly'>)})] spids: [2165 2178] ) ] ) ] ) ) (C {<basic_tests>} {<authorized_keys>}) (C {<basic_tests>} {<TrustedUserCAKeys>}) (command.ShFunction name: test_one body: (BraceGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:ident) op: assign_op.Equal rhs: {($ Id.VSub_Number '$1')} spids: [2209] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:result) op: assign_op.Equal rhs: {($ Id.VSub_Number '$2')} spids: [2213] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:sign_opts) op: assign_op.Equal rhs: {($ Id.VSub_Number '$3')} spids: [2217] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:auth_choice) op: assign_op.Equal rhs: {($ Id.VSub_Number '$4')} spids: [2221] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:auth_opt) op: assign_op.Equal rhs: {($ Id.VSub_Number '$5')} spids: [2225] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<test>} {(DQ <x> ($ Id.VSub_DollarName '$auth_choice'))} {<Id.Lit_Equals '='>} {(DQ <x>)} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:auth_choice) op: assign_op.Equal rhs: {(DQ <'authorized_keys TrustedUserCAKeys'>)} spids: [2250] ) ] ) ] spids: [2230 2247] ) ] ) (command.ForEach iter_name: auth iter_words: [{($ Id.VSub_DollarName '$auth_choice')}] do_arg_iter: F body: (command.DoGroup children: [ (command.ForEach iter_name: ktype iter_words: [{<rsa>} {<ed25519>}] do_arg_iter: F body: (command.DoGroup children: [ (command.Simple words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<test>} {(DQ <x> ($ Id.VSub_DollarName '$auth'))} {<Id.Lit_Equals '='>} {(DQ <xauthorized_keys>)} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(DQ <cert-authority> (${ Id.VSub_Name auth_opt) <' '>)} ) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>} ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] ) ] spids: [2299 2316] ) ] else_action: [ (command.Simple words: [{<echo>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {<echo>} { (DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'> ) } ] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] do_fork: T ) (command.Simple words: [ {<echo>} {(DQ <'PubkeyAcceptedKeyTypes '> (${ Id.VSub_Name t) <'*'>)} ] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<test>} {(DQ <x> ($ Id.VSub_DollarName '$auth_opt'))} {<Id.KW_Bang '!'> <Id.Lit_Equals '='>} {(DQ <x>)} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.Simple words: [{<echo>} {($ Id.VSub_DollarName '$auth_opt')}] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] do_fork: T ) ] spids: [2398 2416] ) ] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> ($ Id.VSub_DollarName '$ident') <' auth '> ($ Id.VSub_DollarName '$auth') <' expect '> ($ Id.VSub_DollarName '$result') <' '> ($ Id.VSub_DollarName '$ktype') ) } ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {($ Id.VSub_DollarName '$sign_opts')} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} ) (C {<fail>} {(DQ <'couldn\'t sign cert_user_key_'> (${ Id.VSub_Name ktype))} ) ] ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype) } {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [2525] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ <x> ($ Id.VSub_DollarName '$result'))} {<Id.Lit_Equals '='>} {(DQ <xsuccess>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$rc')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ ($ Id.VSub_DollarName '$ident') <' failed unexpectedly'> ) } ) ] spids: [2551 2564] ) ] ) ] spids: [2529 2548] ) ] else_action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$rc')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ ($ Id.VSub_DollarName '$ident') <' succeeded unexpectedly'> ) } ) ] spids: [2581 2594] ) ] ) ] ) ] ) ) ] ) ) ] ) ) (C {<test_one>} {(DQ <'correct principal'>)} {<success>} {(DQ <'-n '> (${ Id.VSub_Name USER))}) (C {<test_one>} {(DQ <host-certificate>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -h'>)}) (C {<test_one>} {(DQ <'wrong principals'>)} {<failure>} {(DQ <'-n foo'>)}) (C {<test_one>} {(DQ <'cert not yet valid'>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -V20200101:20300101'>)} ) (C {<test_one>} {(DQ <'cert expired'>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -V19800101:19900101'>)} ) (C {<test_one>} {(DQ <'cert valid interval'>)} {<success>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -V-1w:+2w'>)} ) (C {<test_one>} {(DQ <'wrong source-address'>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -Osource-address=10.0.0.0/8'>)} ) (C {<test_one>} {(DQ <force-command>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -Oforce-command=false'>)} ) (C {<test_one>} {(DQ <'empty principals'>)} {<success>} {(DQ )} {<authorized_keys>}) (C {<test_one>} {(DQ <'empty principals'>)} {<failure>} {(DQ )} {<TrustedUserCAKeys>}) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} ) (command.Simple words: [{<echo>} {<mekmitasdigoat>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} ) ] do_fork: T ) (C {<test_one>} {(DQ <'AuthorizedPrincipalsFile principals'>)} {<success>} {(DQ <'-n mekmitasdigoat'>)} {<TrustedUserCAKeys>} {(DQ <'AuthorizedPrincipalsFile '> ($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_%u'>)} ) (C {<test_one>} {(DQ <'AuthorizedPrincipalsFile no principals'>)} {<failure>} {(DQ )} {<TrustedUserCAKeys>} {(DQ <'AuthorizedPrincipalsFile '> ($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_%u'>)} ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} ) (C {<test_one>} {(DQ <'principals key option principals'>)} {<success>} {(DQ <'-n mekmitasdigoat'>)} {<authorized_keys>} {(SQ <',principals="mekmitasdigoat"'>)} ) (C {<test_one>} {(DQ <'principals key option no principals'>)} {<failure>} {(DQ )} {<authorized_keys>} {(SQ <',principals="mekmitasdigoat"'>)} ) (C {<test_one>} {(DQ <'force-command match true'>)} {<success>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -Oforce-command=true'>)} {<authorized_keys>} {(SQ <',command="true"'>)} ) (C {<test_one>} {(DQ <'force-command match true'>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -Oforce-command=false'>)} {<authorized_keys>} {(SQ <',command="false"'>)} ) (C {<test_one>} {(DQ <'force-command mismatch 1'>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -Oforce-command=false'>)} {<authorized_keys>} {(SQ <',command="true"'>)} ) (C {<test_one>} {(DQ <'force-command mismatch 2'>)} {<failure>} {(DQ <'-n '> (${ Id.VSub_Name USER) <' -Oforce-command=true'>)} {<authorized_keys>} {(SQ <',command="false"'>)} ) (command.Simple words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] do_fork: T ) (command.ForEach iter_name: ktype iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}] do_arg_iter: F body: (command.DoGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:t) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (C {<kname>} {($ Id.VSub_DollarName '$ktype')}) ) } spids: [3030] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-n>} {($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_user_key_'> (${ Id.VSub_Name ktype))}) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': user '> (${ Id.VSub_Name ktype) <' connect wrong cert'> ) } ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key_'> (${ Id.VSub_Name ktype)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>}) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') <' succeeded unexpectedly'> ) } ) ] spids: [3132 3145] ) ] ) ] ) ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>} ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} ) ] )