(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'restrict pubkey type'>)}
          spids: [7]
        )
      ]
    )
    (C {<rm>} {<-f>} 
      {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/user_key'> <Id.Lit_Star '*'>}
    )
    (C {<rm>} {<-f>} 
      {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>}
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.orig'>}
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy.orig'>}
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<dsa>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} 
          {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER) <Id.Lit_Comma ','> <mekmitasdigoat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3'>}
        )
        (C {<fatal>} {(DQ <'couldn\'t sign user_key3'>)})
      ]
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/user_key3-cert.pub'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key3.pub'>}
    )
    (command.Simple
      words: [{<grep>} {<-v>} {<IdentityFile>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy.orig'>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
        )
      ]
      do_fork: T
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: 
            {
              (DQ <'-oProtocol=2 -F '> ($ Id.VSub_DollarName '$OBJ') 
                <'/ssh_proxy -oIdentitiesOnly=yes'>
              )
            }
          spids: [289]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:certopts)
          op: assign_op.Equal
          rhs: 
            {
              (DQ ($ Id.VSub_DollarName '$opts') <' -i '> ($ Id.VSub_DollarName '$OBJ') 
                <'/user_key3 -oCertificateFile='> ($ Id.VSub_DollarName '$OBJ') <'/cert_user_key3.pub'>
              )
            }
          spids: [296]
        )
      ]
    )
    (command.Simple
      words: [{<echo>} {<mekmitasdigoat>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: 
            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')}
        )
      ]
      do_fork: T
    )
    (command.Simple
      words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1.pub'>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')}
        )
      ]
      do_fork: T
    )
    (command.Simple
      words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2.pub'>}]
      redirects: [
        (redir
          op: <Id.Redir_DGreat '>>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')}
        )
      ]
      do_fork: T
    )
    (command.ShFunction
      name: prepare_config
      body: 
        (BraceGroup
          children: [
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<grep>} {<-v>} {(DQ <Protocol>)} 
                      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.orig'>}
                    )
                    (C {<echo>} {(DQ <'Protocol 2'>)})
                    (C {<echo>} {(DQ <'AuthenticationMethods publickey'>)})
                    (C {<echo>} 
                      {(DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>)}
                    )
                    (C {<echo>} 
                      {
                        (DQ <'AuthorizedPrincipalsFile '> ($ Id.VSub_DollarName '$OBJ') 
                          <'/authorized_principals_%u'>
                        )
                      }
                    )
                    (command.ForEach
                      iter_name: x
                      iter_words: [{(DQ ($ Id.VSub_At '$@'))}]
                      do_arg_iter: F
                      body: 
                        (command.DoGroup
                          children: [(C {<echo>} {(DQ ($ Id.VSub_DollarName '$x'))})]
                        )
                    )
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
          ]
        )
    )
    (C {<prepare_config>})
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>})
        (C {<fatal>} {(DQ <'cert failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key1 failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key2 failed'>)})
      ]
    )
    (C {<verbose>} {(DQ <'allow rsa,ed25519'>)})
    (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519'>)})
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>})
        (C {<fatal>} {(DQ <'cert succeeded'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key1 failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key2 failed'>)})
      ]
    )
    (C {<verbose>} {(DQ <'allow ed25519'>)})
    (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-ed25519'>)})
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>})
        (C {<fatal>} {(DQ <'cert succeeded'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key1 failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key2 succeeded'>)})
      ]
    )
    (C {<verbose>} {(DQ <'allow cert only'>)})
    (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com'>)})
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>})
        (C {<fatal>} {(DQ <'cert failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key1 succeeded'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key2 succeeded'>)})
      ]
    )
    (C {<verbose>} {(DQ <'match w/ no match'>)})
    (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-rsa'>)} 
      {(DQ <'Match user x'> ($ Id.VSub_DollarName '$USER'))} {(DQ <'PubkeyAcceptedKeyTypes +ssh-ed25519'>)}
    )
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>})
        (C {<fatal>} {(DQ <'cert succeeded'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key1 succeeded'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key2 failed'>)})
      ]
    )
    (C {<verbose>} {(DQ <'match w/ matching'>)})
    (C {<prepare_config>} {(DQ <'PubkeyAcceptedKeyTypes ssh-dss'>)} 
      {(DQ <'Match user '> ($ Id.VSub_DollarName '$USER'))} {(DQ <'PubkeyAcceptedKeyTypes +ssh-ed25519'>)}
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$certopts')} {<proxy>} {<true>})
        (C {<fatal>} {(DQ <'cert failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key1 failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DAmp]
      children: [
        (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<-i>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key4'>} {<proxy>} {<true>}
        )
        (C {<fatal>} {(DQ <'key4 succeeded'>)})
      ]
    )
  ]
)