(command.CommandList children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tid) op: assign_op.Equal rhs: {(DQ <'authorized keys from command'>)} spids: [7] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-z>} {(DQ ($ Id.VSub_DollarName '$SUDO'))} {<-a>} {<Id.KW_Bang '!'>} {<-w>} {<'/var/run'>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<echo>} {(DQ <'skipped (SUDO not set)'>)}) (C {<echo>} {(DQ <'need SUDO to create file in /var/run, test won\'t work without'>)}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] spids: [13 34] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/keys-command-args'>}) (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/keys-command-args'>}) (C {<chmod>} {<a> <Id.Lit_Other '+'> <rw>} {($ Id.VSub_DollarName '$OBJ') <'/keys-command-args'>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:expected_key_text) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Simple words: [{<awk>} {(SQ <'{ print $2 }'>)}] redirects: [ (redir op: <Id.Redir_Less '<'> loc: (redir_loc.Fd fd:0) arg: {($ Id.VSub_DollarName '$OBJ') <'/rsa.pub'>} ) ] do_fork: T ) ) } spids: [81] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:expected_key_fp) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {($ Id.VSub_DollarName '$SSHKEYGEN')} {<-lf>} {($ Id.VSub_DollarName '$OBJ') <'/rsa.pub'>} ) (C {<awk>} {(SQ <'{ print $2 }'>)}) ] negated: F ) ) } spids: [97] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:KEY_COMMAND) op: assign_op.Equal rhs: {(DQ <'/var/run/keycommand_'> (${ Id.VSub_Name LOGNAME))} spids: [124] ) ] ) (command.Pipeline children: [ (command.Simple words: [{<cat>}] redirects: [ (redir op: <Id.Redir_DLess '<<'> loc: (redir_loc.Fd fd:0) arg: (redir_param.HereDoc here_begin: {<_EOF>} here_end_span_id: 257 stdin_parts: [ <'#!/bin/sh\n'> <'echo args: '> <Id.Right_DoubleQuote '"'> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <'@'> <Id.Right_DoubleQuote '"'> <' >> '> ($ Id.VSub_DollarName '$OBJ') <'/keys-command-args\n'> <'echo '> <Id.Right_DoubleQuote '"'> ($ Id.VSub_DollarName '$PATH') <Id.Right_DoubleQuote '"'> <' | grep -q mekmitasdigoat && exit 7\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <1> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name LOGNAME) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'if test '> ($ Id.VSub_Pound '$#') <' -eq 6 ; then\n'> <'\ttest '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <2> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <xblah> <Id.Right_DoubleQuote '"'> <' && exit 2\n'> <'\ttest '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <3> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name expected_key_text) <Id.Right_DoubleQuote '"'> <' && exit 3\n'> <'\ttest '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <4> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <xssh-rsa> <Id.Right_DoubleQuote '"'> <' && exit 4\n'> <'\ttest '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <5> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name expected_key_fp) <Id.Right_DoubleQuote '"'> <' && exit 5\n'> <'\ttest '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <6> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <xblah> <Id.Right_DoubleQuote '"'> <' && exit 6\n'> <'fi\n'> <'exec cat '> <Id.Right_DoubleQuote '"'> ($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> (${ Id.VSub_Name LOGNAME) <Id.Right_DoubleQuote '"'> <'\n'> ] ) ) ] do_fork: T ) (C {($ Id.VSub_DollarName '$SUDO')} {<sh>} {<-c>} { (DQ <'rm -f \''> ($ Id.VSub_DollarName '$KEY_COMMAND') <'\' ; cat > \''> ($ Id.VSub_DollarName '$KEY_COMMAND') <'\''> ) } ) ] negated: F ) (C {($ Id.VSub_DollarName '$SUDO')} {<chmod>} {<0755>} {(DQ ($ Id.VSub_DollarName '$KEY_COMMAND'))}) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {($ Id.VSub_DollarName '$OBJ') <'/check-perm'>} {<-m>} {<keys-command>} {($ Id.VSub_DollarName '$KEY_COMMAND')} ) ] negated: T ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<echo>} { (DQ <'skipping: '> ($ Id.VSub_DollarName '$KEY_COMMAND') <' is unsuitable as AuthorizedKeysCommand'> ) } ) (C {($ Id.VSub_DollarName '$SUDO')} {<rm>} {<-f>} {($ Id.VSub_DollarName '$KEY_COMMAND')}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] spids: [269 284] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-x>} {($ Id.VSub_DollarName '$KEY_COMMAND')} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.bak'>} ) (C {<verbose>} {(DQ <'AuthorizedKeysCommand with arguments'>)}) (command.Subshell child: (command.CommandList children: [ (C {<grep>} {<-vi>} {<AuthorizedKeysFile>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.bak'>} ) (C {<echo>} {<AuthorizedKeysFile>} {<none>}) (C {<echo>} {<AuthorizedKeysCommand>} {($ Id.VSub_DollarName '$KEY_COMMAND')} {<Id.Lit_Other '%'> <u>} {<blah>} {<Id.Lit_Other '%'> <k>} {<Id.Lit_Other '%'> <t>} {<Id.Lit_Other '%'> <f>} {<blah>} ) (C {<echo>} {<AuthorizedKeysCommandUser>} {(${ Id.VSub_Name LOGNAME)}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<env>} {<Id.Lit_VarLike 'PATH='> ($ Id.VSub_DollarName '$PATH') <Id.Lit_Colon ':'> <'/sbin/mekmitasdigoat'> } {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'connect failed'>)})] spids: [431 444] ) ] ) (C {<verbose>} {(DQ <'AuthorizedKeysCommand without arguments'>)}) (command.Subshell child: (command.CommandList children: [ (C {<grep>} {<-vi>} {<AuthorizedKeysFile>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.bak'>} ) (C {<echo>} {<AuthorizedKeysFile>} {<none>}) (C {<echo>} {<AuthorizedKeysCommand>} {($ Id.VSub_DollarName '$KEY_COMMAND')}) (C {<echo>} {<AuthorizedKeysCommandUser>} {(${ Id.VSub_Name LOGNAME)}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<env>} {<Id.Lit_VarLike 'PATH='> ($ Id.VSub_DollarName '$PATH') <Id.Lit_Colon ':'> <'/sbin/mekmitasdigoat'> } {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'connect failed'>)})] spids: [541 554] ) ] ) ] spids: [312 323] ) ] else_action: [ (C {<echo>} { (DQ <'SKIPPED: '> ($ Id.VSub_DollarName '$KEY_COMMAND') <' not executable (/var/run mounted noexec?)'> ) } ) ] ) (C {($ Id.VSub_DollarName '$SUDO')} {<rm>} {<-f>} {($ Id.VSub_DollarName '$KEY_COMMAND')}) ] )