(command.CommandList children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tid) op: assign_op.Equal rhs: {(DQ <'restrict pubkey type'>)} spids: [7] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/user_key'> <Id.Lit_Star '*'>} ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>} ) (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.orig'>} ) (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy.orig'>} ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} ) (C {<fatal>} {(DQ <'ssh-keygen failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} ) (C {<fatal>} {(DQ <'ssh-keygen failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} ) (C {<fatal>} {(DQ <'ssh-keygen failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>} ) (C {<fatal>} {(DQ <'ssh-keygen failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<dsa>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>} ) (C {<fatal>} {(DQ <'ssh-keygen failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} {(${ Id.VSub_Name USER) <Id.Lit_Comma ','> <mekmitasdigoat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>} ) (C {<fatal>} {(DQ <'couldn\'t sign user_key1'>)}) ] ) (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3-cert.pub'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key3.pub'>} ) (command.Simple words: [{<grep>} {<-v>} {<IdentityFile>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy.orig'>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} ) ] do_fork: T ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:opts) op: assign_op.Equal rhs: { (DQ <'-oProtocol=2 -F '> ($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy -oIdentitiesOnly=yes'> ) } spids: [289] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:certopts) op: assign_op.Equal rhs: { (DQ ($ Id.VSub_DollarName '$opts') <' -i '> ($ Id.VSub_DollarName '$OBJ') <'/user_key3 -oCertificateFile='> ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key3.pub'> ) } spids: [296] ) ] ) (command.Simple words: [{<echo>} {<mekmitasdigoat>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} ) ] do_fork: T ) (command.Simple words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1.pub'>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} ) ] do_fork: T ) (command.Simple words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2.pub'>}] redirects: [ (redir op: <Id.Redir_DGreat '>>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} ) ] do_fork: T ) (command.ShFunction name: prepare_config body: (BraceGroup children: [ (command.Subshell child: (command.CommandList children: [ (C {<grep>} {<-v>} {(DQ <Protocol>)} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.orig'>} ) (C {<echo>} {(DQ <'Protocol 2'>)}) (C {<echo>} {(DQ <'AuthenticationMethods publickey'>)}) (C {<echo>} {(DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>)} ) (C {<echo>} { (DQ <'AuthorizedPrincipalsFile '> ($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_%u'> ) } ) (command.ForEach iter_name: x iter_words: [{(DQ ($ Id.VSub_At '$@'))}] do_arg_iter: F body: (command.DoGroup children: [(C {<echo>} {(DQ ($ Id.VSub_DollarName '$x'))})] ) ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) ] ) ) (C {<prepare_config>}) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>}) (C {<fatal>} {(DQ <'cert failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key1 failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key2 failed'>)}) ] ) (C {<verbose>} {(DQ <'allow rsa,ed25519'>)}) (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519'>)}) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>}) (C {<fatal>} {(DQ <'cert succeeded'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key1 failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key2 failed'>)}) ] ) (C {<verbose>} {(DQ <'allow ed25519'>)}) (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-ed25519'>)}) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>}) (C {<fatal>} {(DQ <'cert succeeded'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key1 failed'>)}) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key2 succeeded'>)}) ] ) (C {<verbose>} {(DQ <'allow cert only'>)}) (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com'>)}) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>}) (C {<fatal>} {(DQ <'cert failed'>)}) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key1 succeeded'>)}) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key2 succeeded'>)}) ] ) (C {<verbose>} {(DQ <'match w/ no match'>)}) (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-rsa'>)} {(DQ <'Match user x'> ($ Id.VSub_DollarName '$USER'))} {(DQ <'PubkeyAcceptedKeyTypes +ssh-ed25519'>)} ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>}) (C {<fatal>} {(DQ <'cert succeeded'>)}) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key1 succeeded'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key2 failed'>)}) ] ) (C {<verbose>} {(DQ <'match w/ matching'>)}) (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-dss'>)} {(DQ <'Match user '> ($ Id.VSub_DollarName '$USER'))} {(DQ <'PubkeyAcceptedKeyTypes +ssh-ed25519'>)} ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>}) (C {<fatal>} {(DQ <'cert failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key1 failed'>)}) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>} {<proxy>} {<true>} ) (C {<fatal>} {(DQ <'key4 succeeded'>)}) ] ) ] )