(command.CommandList children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tid) op: assign_op.Equal rhs: {(DQ <'key options'>)} spids: [7] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:origkeys) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/authkeys_orig'>)} spids: [13] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:authkeys) op: assign_op.Equal rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> (${ Id.VSub_Name USER))} spids: [19] ) ] ) (C {<cp>} {($ Id.VSub_DollarName '$authkeys')} {($ Id.VSub_DollarName '$origkeys')}) (command.ForEach iter_name: p iter_words: [{(${ Id.VSub_Name SSH_PROTOCOLS)}] do_arg_iter: F body: (command.DoGroup children: [ (command.ForEach iter_name: c iter_words: [{(SQ <'command="echo bar"'>)} {(SQ <'no-pty,command="echo bar"'>)}] do_arg_iter: F body: (command.DoGroup children: [ (command.Simple words: [ {<sed>} {(DQ <'s/.*/'> ($ Id.VSub_DollarName '$c') <' &/'>)} {($ Id.VSub_DollarName '$origkeys')} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$authkeys')} ) ] do_fork: T ) (C {<verbose>} { (DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' '> ($ Id.VSub_DollarName '$c') ) } ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:r) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {(${ Id.VSub_Name SSH)} {<-> ($ Id.VSub_DollarName '$p')} {<-q>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<echo>} {<foo>} ) ) } spids: [94] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_DollarName '$r'))} {<Id.Lit_Equals '='>} {(DQ <foo>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'key option forced command not restricted'>)})] spids: [120 137] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_DollarName '$r'))} {<Id.KW_Bang '!'> <Id.Lit_Equals '='>} {(DQ <bar>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'key option forced command not executed'>)})] spids: [150 168] ) ] ) ] ) ) ] ) ) (command.Simple words: [{<sed>} {(SQ <'s/.*/no-pty &/'>)} {($ Id.VSub_DollarName '$origkeys')}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$authkeys')} ) ] do_fork: T ) (command.ForEach iter_name: p iter_words: [{(${ Id.VSub_Name SSH_PROTOCOLS)}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} {(DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' no-pty'>)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:r) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {(${ Id.VSub_Name SSH)} {<-> ($ Id.VSub_DollarName '$p')} {<-q>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<tty>} ) ) } spids: [223] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-f>} {(DQ ($ Id.VSub_DollarName '$r'))} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'key option failed proto '> ($ Id.VSub_DollarName '$p') <' no-pty (pty '> ($ Id.VSub_DollarName '$r') <')'> ) } ) ] spids: [247 260] ) ] ) ] ) ) (command.Simple words: [{<echo>} {(SQ <'PermitUserEnvironment yes'>)}] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] do_fork: T ) (command.Simple words: [{<sed>} {(SQ <'s/.*/environment="FOO=bar" &/'>)} {($ Id.VSub_DollarName '$origkeys')}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$authkeys')} ) ] do_fork: T ) (command.ForEach iter_name: p iter_words: [{(${ Id.VSub_Name SSH_PROTOCOLS)}] do_arg_iter: F body: (command.DoGroup children: [ (C {<verbose>} {(DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' environment'>)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:r) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {(${ Id.VSub_Name SSH)} {<-> ($ Id.VSub_DollarName '$p')} {<-q>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {(SQ <'echo $FOO'>)} ) ) } spids: [327] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_DollarName '$r'))} {<Id.KW_Bang '!'> <Id.Lit_Equals '='>} {(DQ <bar>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'key option environment not set'>)})] spids: [353 371] ) ] ) ] ) ) (C {<start_sshd>}) (command.ForEach iter_name: p iter_words: [{(${ Id.VSub_Name SSH_PROTOCOLS)}] do_arg_iter: F body: (command.DoGroup children: [ (command.ForEach iter_name: f iter_words: [{<127.0.0.1>} {(SQ <'127.0.0.0\\/8'>)}] do_arg_iter: F body: (command.DoGroup children: [ (command.Simple words: [{<cat>} {($ Id.VSub_DollarName '$origkeys')}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$authkeys')} ) ] do_fork: T ) (C {(${ Id.VSub_Name SSH)} {<-> ($ Id.VSub_DollarName '$p')} {<-q>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' failed without restriction'> ) } ) ] spids: [448 461] ) ] ) (command.Simple words: [ {<sed>} {(SQ <'s/.*/from="'>) (DQ ($ Id.VSub_DollarName '$f')) (SQ <'" &/'>)} {($ Id.VSub_DollarName '$origkeys')} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$authkeys')} ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:from) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {<head>} {<-1>} {($ Id.VSub_DollarName '$authkeys')}) (C {<cut>} {<-f1>} {<-d>} {(SQ <' '>)}) ] negated: F ) ) } spids: [495] ) ] ) (C {<verbose>} { (DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' '> ($ Id.VSub_DollarName '$from') ) } ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:r) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {(${ Id.VSub_Name SSH)} {<-> ($ Id.VSub_DollarName '$p')} {<-q>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {(SQ <'echo true'>)} ) ) } spids: [529] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_DollarName '$r'))} {<Id.Lit_Equals '='>} {(DQ <true>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' '> ($ Id.VSub_DollarName '$from') <' not restricted'> ) } ) ] spids: [555 572] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:r) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (C {(${ Id.VSub_Name SSH)} {<-> ($ Id.VSub_DollarName '$p')} {<-q>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_config'>} {<somehost>} {(SQ <'echo true'>)} ) ) } spids: [590] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_DollarName '$r'))} {<Id.KW_Bang '!'> <Id.Lit_Equals '='>} {(DQ <true>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<fail>} { (DQ <'key option proto '> ($ Id.VSub_DollarName '$p') <' '> ($ Id.VSub_DollarName '$from') <' not allowed but should be'> ) } ) ] spids: [616 634] ) ] ) ] ) ) ] ) ) (C {<rm>} {<-f>} {(DQ ($ Id.VSub_DollarName '$origkeys'))}) ] )