(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'authorized keys from command'>)}
          spids: [7]
        )
      ]
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {<-z>} {(DQ ($ Id.VSub_DollarName '$SUDO'))} {<-a>} 
                      {<Id.KW_Bang '!'>} {<-w>} {<'/var/run'>} {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (C {<echo>} {(DQ <'skipped (SUDO not set)'>)})
            (C {<echo>} {(DQ <'need SUDO to create file in /var/run, test won\'t work without'>)})
            (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>})
          ]
          spids: [13 34]
        )
      ]
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/keys-command-args'>})
    (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/keys-command-args'>})
    (C {<chmod>} {<a> <Id.Lit_Other '+'> <rw>} {($ Id.VSub_DollarName '$OBJ') <'/keys-command-args'>})
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:expected_key_text)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Simple
                    words: [{<awk>} {(SQ <'{ print $2 }'>)}]
                    redirects: [
                      (redir
                        op: <Id.Redir_Less '<'>
                        loc: (redir_loc.Fd fd:0)
                        arg: {($ Id.VSub_DollarName '$OBJ') <'/rsa.pub'>}
                      )
                    ]
                    do_fork: T
                  )
              )
            }
          spids: [81]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:expected_key_fp)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Pipeline
                    children: [
                      (C {($ Id.VSub_DollarName '$SSHKEYGEN')} {<-lf>} 
                        {($ Id.VSub_DollarName '$OBJ') <'/rsa.pub'>}
                      )
                      (C {<awk>} {(SQ <'{ print $2 }'>)})
                    ]
                    negated: F
                  )
              )
            }
          spids: [97]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:KEY_COMMAND)
          op: assign_op.Equal
          rhs: {(DQ <'/var/run/keycommand_'> (${ Id.VSub_Name LOGNAME))}
          spids: [124]
        )
      ]
    )
    (command.Pipeline
      children: [
        (command.Simple
          words: [{<cat>}]
          redirects: [
            (redir
              op: <Id.Redir_DLess '<<'>
              loc: (redir_loc.Fd fd:0)
              arg: 
                (redir_param.HereDoc
                  here_begin: {<_EOF>}
                  here_end_span_id: 257
                  stdin_parts: [
                    <'#!/bin/sh\n'>
                    <'echo args: '>
                    <Id.Right_DoubleQuote '"'>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <'@'>
                    <Id.Right_DoubleQuote '"'>
                    <' >> '>
                    ($ Id.VSub_DollarName '$OBJ')
                    <'/keys-command-args\n'>
                    <'echo '>
                    <Id.Right_DoubleQuote '"'>
                    ($ Id.VSub_DollarName '$PATH')
                    <Id.Right_DoubleQuote '"'>
                    <' | grep -q mekmitasdigoat && exit 7\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <1>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name LOGNAME)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'if test '>
                    ($ Id.VSub_Pound '$#')
                    <' -eq 6 ; then\n'>
                    <'\ttest '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <2>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <xblah>
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 2\n'>
                    <'\ttest '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <3>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name expected_key_text)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 3\n'>
                    <'\ttest '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <4>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <xssh-rsa>
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 4\n'>
                    <'\ttest '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <5>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name expected_key_fp)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 5\n'>
                    <'\ttest '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <6>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <xblah>
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 6\n'>
                    <'fi\n'>
                    <'exec cat '>
                    <Id.Right_DoubleQuote '"'>
                    ($ Id.VSub_DollarName '$OBJ')
                    <'/authorized_keys_'>
                    (${ Id.VSub_Name LOGNAME)
                    <Id.Right_DoubleQuote '"'>
                    <'\n'>
                  ]
                )
            )
          ]
          do_fork: T
        )
        (C {($ Id.VSub_DollarName '$SUDO')} {<sh>} {<-c>} 
          {
            (DQ <'rm -f \''> ($ Id.VSub_DollarName '$KEY_COMMAND') <'\' ; cat > \''> 
              ($ Id.VSub_DollarName '$KEY_COMMAND') <'\''>
            )
          }
        )
      ]
      negated: F
    )
    (C {($ Id.VSub_DollarName '$SUDO')} {<chmod>} {<0755>} {(DQ ($ Id.VSub_DollarName '$KEY_COMMAND'))})
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (command.Pipeline
                      children: [
                        (C {($ Id.VSub_DollarName '$OBJ') <'/check-perm'>} {<-m>} {<keys-command>} 
                          {($ Id.VSub_DollarName '$KEY_COMMAND')}
                        )
                      ]
                      negated: T
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (C {<echo>} 
              {
                (DQ <'skipping: '> ($ Id.VSub_DollarName '$KEY_COMMAND') 
                  <' is unsuitable as AuthorizedKeysCommand'>
                )
              }
            )
            (C {($ Id.VSub_DollarName '$SUDO')} {<rm>} {<-f>} {($ Id.VSub_DollarName '$KEY_COMMAND')})
            (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>})
          ]
          spids: [269 284]
        )
      ]
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {<-x>} {($ Id.VSub_DollarName '$KEY_COMMAND')} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} 
              {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.bak'>}
            )
            (C {<verbose>} {(DQ <'AuthorizedKeysCommand with arguments'>)})
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<grep>} {<-vi>} {<AuthorizedKeysFile>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.bak'>}
                    )
                    (C {<echo>} {<AuthorizedKeysFile>} {<none>})
                    (C {<echo>} {<AuthorizedKeysCommand>} {($ Id.VSub_DollarName '$KEY_COMMAND')} 
                      {<Id.Lit_Other '%'> <u>} {<blah>} {<Id.Lit_Other '%'> <k>} {<Id.Lit_Other '%'> <t>} {<Id.Lit_Other '%'> <f>} {<blah>}
                    )
                    (C {<echo>} {<AuthorizedKeysCommandUser>} {(${ Id.VSub_Name LOGNAME)})
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
            (C {<env>} 
              {<Id.Lit_VarLike 'PATH='> ($ Id.VSub_DollarName '$PATH') <Id.Lit_Colon ':'> 
                <'/sbin/mekmitasdigoat'>
              } {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>}
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                              {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [(C {<fail>} {(DQ <'connect failed'>)})]
                  spids: [431 444]
                )
              ]
            )
            (C {<verbose>} {(DQ <'AuthorizedKeysCommand without arguments'>)})
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<grep>} {<-vi>} {<AuthorizedKeysFile>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.bak'>}
                    )
                    (C {<echo>} {<AuthorizedKeysFile>} {<none>})
                    (C {<echo>} {<AuthorizedKeysCommand>} {($ Id.VSub_DollarName '$KEY_COMMAND')})
                    (C {<echo>} {<AuthorizedKeysCommandUser>} {(${ Id.VSub_Name LOGNAME)})
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
            (C {<env>} 
              {<Id.Lit_VarLike 'PATH='> ($ Id.VSub_DollarName '$PATH') <Id.Lit_Colon ':'> 
                <'/sbin/mekmitasdigoat'>
              } {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>}
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                              {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [(C {<fail>} {(DQ <'connect failed'>)})]
                  spids: [541 554]
                )
              ]
            )
          ]
          spids: [312 323]
        )
      ]
      else_action: [
        (C {<echo>} 
          {
            (DQ <'SKIPPED: '> ($ Id.VSub_DollarName '$KEY_COMMAND') 
              <' not executable (/var/run mounted noexec?)'>
            )
          }
        )
      ]
    )
    (C {($ Id.VSub_DollarName '$SUDO')} {<rm>} {<-f>} {($ Id.VSub_DollarName '$KEY_COMMAND')})
  ]
)