(command.CommandList children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:tid) op: assign_op.Equal rhs: {(DQ <'authorized principals command'>)} spids: [7] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>} ) (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-z>} {(DQ ($ Id.VSub_DollarName '$SUDO'))} {<-a>} {<Id.KW_Bang '!'>} {<-w>} {<'/var/run'>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<echo>} {(DQ <'skipped (SUDO not set)'>)}) (C {<echo>} {(DQ <'need SUDO to create file in /var/run, test won\'t work without'>)}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] spids: [34 55] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:SERIAL) op: assign_op.Equal rhs: {($ Id.VSub_Dollar '$$')} spids: [79] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} ) (C {<fatal>} {(DQ <'ssh-keygen of user_ca_key failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} ) (C {<fatal>} {(DQ <'ssh-keygen of cert_user_key failed'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} {<-I>} {(DQ <'Joanne User'>)} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} {(${ Id.VSub_Name USER) <Id.Lit_Comma ','> <mekmitasdigoat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} ) (C {<fatal>} {(DQ <'couldn\'t sign cert_user_key'>)}) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:CERT_BODY) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key-cert.pub'>}) (C {<awk>} {(SQ <'{ print $2 }'>)}) ] negated: F ) ) } spids: [191] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:CA_BODY) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}) (C {<awk>} {(SQ <'{ print $2 }'>)}) ] negated: F ) ) } spids: [209] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:CERT_FP) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-lf>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key-cert.pub'>} ) (C {<awk>} {(SQ <'{ print $2 }'>)}) ] negated: F ) ) } spids: [227] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:CA_FP) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_Backtick '`'> child: (command.Pipeline children: [ (C {(${ Id.VSub_Name SSHKEYGEN)} {<-lf>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>} ) (C {<awk>} {(SQ <'{ print $2 }'>)}) ] negated: F ) ) } spids: [249] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:PRINCIPALS_COMMAND) op: assign_op.Equal rhs: {(DQ <'/var/run/principals_command_'> (${ Id.VSub_Name LOGNAME))} spids: [278] ) ] ) (command.Pipeline children: [ (command.Simple words: [{<cat>}] redirects: [ (redir op: <Id.Redir_DLess '<<'> loc: (redir_loc.Fd fd:0) arg: (redir_param.HereDoc here_begin: {<_EOF>} here_end_span_id: 443 stdin_parts: [ <'#!/bin/sh\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <1> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name LOGNAME) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <2> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <'xssh-rsa-cert-v01@openssh.com'> <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <3> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <xssh-ed25519> <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <4> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <'xJoanne User'> <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <5> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name SERIAL) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <6> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name CA_FP) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <7> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name CERT_FP) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <8> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name CERT_BODY) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test '> <Id.Right_DoubleQuote '"'> <x> (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>) <9> <Id.Right_DoubleQuote '"'> <' != '> <Id.Right_DoubleQuote '"'> <x> (${ Id.VSub_Name CA_BODY) <Id.Right_DoubleQuote '"'> <' && exit 1\n'> <'test -f '> <Id.Right_DoubleQuote '"'> ($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> (${ Id.VSub_Name LOGNAME) <Id.Right_DoubleQuote '"'> <' &&\n'> <'\texec cat '> <Id.Right_DoubleQuote '"'> ($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> (${ Id.VSub_Name LOGNAME) <Id.Right_DoubleQuote '"'> <'\n'> ] ) ) ] do_fork: T ) (C {($ Id.VSub_DollarName '$SUDO')} {<sh>} {<-c>} {(DQ <'cat > \''> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') <'\''>)} ) ] negated: F ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<test>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>}) (C {<fatal>} {(DQ <'couldn\'t prepare principals command'>)}) ] ) (C {($ Id.VSub_DollarName '$SUDO')} {<chmod>} {<0755>} {(DQ ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND'))} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {($ Id.VSub_DollarName '$OBJ') <'/check-perm'>} {<-m>} {<keys-command>} {($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')} ) ] negated: T ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<echo>} { (DQ <'skipping: '> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') <' is unsuitable as '>) } {(DQ <AuthorizedPrincipalsCommand>)} ) (C {($ Id.VSub_DollarName '$SUDO')} {<rm>} {<-f>} {($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')} ) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] spids: [471 486] ) ] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-x>} {($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ForEach iter_name: privsep iter_words: [{<yes>} {<no>}] do_arg_iter: F body: (command.DoGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:_prefix) op: assign_op.Equal rhs: {(DQ <'privsep '> ($ Id.VSub_DollarName '$privsep'))} spids: [553] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))} ) (C {<echo>} {(DQ <'AuthorizedKeysFile none'>)}) (C {<echo>} { (DQ <'AuthorizedPrincipalsCommand '> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') ) } {(DQ <'%u %t %T %i %s %F %f %k %K'>)} ) (C {<echo>} {(DQ <'AuthorizedPrincipalsCommandUser '> (${ Id.VSub_Name LOGNAME))} ) (C {<echo>} { (DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'> ) } ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' empty authorized_principals'> ) } ) (command.Simple words: [{<echo>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [701 714] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' wrong authorized_principals'> ) } ) (command.Simple words: [{<echo>} {<gregorsamsa>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [782 795] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' correct authorized_principals'> ) } ) (command.Simple words: [{<echo>} {<mekmitasdigoat>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [863 876] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' authorized_principals bad key opt'> ) } ) (command.Simple words: [{<echo>} {(SQ <'blah mekmitasdigoat'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [946 959] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' authorized_principals command=false'> ) } ) (command.Simple words: [{<echo>} {(SQ <'command="false" mekmitasdigoat'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [1031 1044] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' authorized_principals command=true'> ) } ) (command.Simple words: [{<echo>} {(SQ <'command="true" mekmitasdigoat'>)}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) ] do_fork: T ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<false>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [1116 1129] ) ] ) (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER') } ) (command.Subshell child: (command.CommandList children: [ (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}) (C {<echo>} {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))} ) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' wrong principals key option'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(SQ <'cert-authority,principals="gregorsamsa" '>)}) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})] spids: [1250 1263] ) ] ) (C {<verbose>} { (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) <' correct principals key option'> ) } ) (command.Subshell child: (command.CommandList children: [ (C {<printf>} {(SQ <'cert-authority,principals="mekmitasdigoat" '>)}) (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}) ] ) redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER') } ) ] ) (command.Simple words: [ {(${ Id.VSub_Name SSH)} {<-2i>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>} ] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op: <Id.Redir_GreatAnd '2>&'> loc: (redir_loc.Fd fd:2) arg: {<1>} ) ] do_fork: T ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})] spids: [1345 1358] ) ] ) ] ) ) ] spids: [520 531] ) ] else_action: [ (C {<echo>} {(DQ <'SKIPPED: '> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') <' not executable '>)} {(DQ <'(/var/run mounted noexec?)'>)} ) ] ) ] )