(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'authorized principals command'>)}
          spids: [7]
        )
      ]
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>}
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {<-z>} {(DQ ($ Id.VSub_DollarName '$SUDO'))} {<-a>} 
                      {<Id.KW_Bang '!'>} {<-w>} {<'/var/run'>} {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (C {<echo>} {(DQ <'skipped (SUDO not set)'>)})
            (C {<echo>} {(DQ <'need SUDO to create file in /var/run, test won\'t work without'>)})
            (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>})
          ]
          spids: [34 55]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:SERIAL)
          op: assign_op.Equal
          rhs: {($ Id.VSub_Dollar '$$')}
          spids: [79]
        )
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen of user_ca_key failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen of cert_user_key failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} 
          {<-I>} {(DQ <'Joanne User'>)} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER) <Id.Lit_Comma ','> <mekmitasdigoat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
        )
        (C {<fatal>} {(DQ <'couldn\'t sign cert_user_key'>)})
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:CERT_BODY)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Pipeline
                    children: [
                      (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key-cert.pub'>})
                      (C {<awk>} {(SQ <'{ print $2 }'>)})
                    ]
                    negated: F
                  )
              )
            }
          spids: [191]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:CA_BODY)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Pipeline
                    children: [
                      (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>})
                      (C {<awk>} {(SQ <'{ print $2 }'>)})
                    ]
                    negated: F
                  )
              )
            }
          spids: [209]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:CERT_FP)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Pipeline
                    children: [
                      (C {(${ Id.VSub_Name SSHKEYGEN)} {<-lf>} 
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key-cert.pub'>}
                      )
                      (C {<awk>} {(SQ <'{ print $2 }'>)})
                    ]
                    negated: F
                  )
              )
            }
          spids: [227]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:CA_FP)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Pipeline
                    children: [
                      (C {(${ Id.VSub_Name SSHKEYGEN)} {<-lf>} 
                        {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>}
                      )
                      (C {<awk>} {(SQ <'{ print $2 }'>)})
                    ]
                    negated: F
                  )
              )
            }
          spids: [249]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:PRINCIPALS_COMMAND)
          op: assign_op.Equal
          rhs: {(DQ <'/var/run/principals_command_'> (${ Id.VSub_Name LOGNAME))}
          spids: [278]
        )
      ]
    )
    (command.Pipeline
      children: [
        (command.Simple
          words: [{<cat>}]
          redirects: [
            (redir
              op: <Id.Redir_DLess '<<'>
              loc: (redir_loc.Fd fd:0)
              arg: 
                (redir_param.HereDoc
                  here_begin: {<_EOF>}
                  here_end_span_id: 443
                  stdin_parts: [
                    <'#!/bin/sh\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <1>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name LOGNAME)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <2>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <'xssh-rsa-cert-v01@openssh.com'>
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <3>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <xssh-ed25519>
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <4>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <'xJoanne User'>
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <5>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name SERIAL)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <6>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name CA_FP)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <7>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name CERT_FP)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <8>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name CERT_BODY)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (word_part.EscapedLiteral token:<Id.Lit_EscapedChar '\\$'>)
                    <9>
                    <Id.Right_DoubleQuote '"'>
                    <' != '>
                    <Id.Right_DoubleQuote '"'>
                    <x>
                    (${ Id.VSub_Name CA_BODY)
                    <Id.Right_DoubleQuote '"'>
                    <' && exit 1\n'>
                    <'test -f '>
                    <Id.Right_DoubleQuote '"'>
                    ($ Id.VSub_DollarName '$OBJ')
                    <'/authorized_principals_'>
                    (${ Id.VSub_Name LOGNAME)
                    <Id.Right_DoubleQuote '"'>
                    <' &&\n'>
                    <'\texec cat '>
                    <Id.Right_DoubleQuote '"'>
                    ($ Id.VSub_DollarName '$OBJ')
                    <'/authorized_principals_'>
                    (${ Id.VSub_Name LOGNAME)
                    <Id.Right_DoubleQuote '"'>
                    <'\n'>
                  ]
                )
            )
          ]
          do_fork: T
        )
        (C {($ Id.VSub_DollarName '$SUDO')} {<sh>} {<-c>} 
          {(DQ <'cat > \''> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') <'\''>)}
        )
      ]
      negated: F
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {<test>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>})
        (C {<fatal>} {(DQ <'couldn\'t prepare principals command'>)})
      ]
    )
    (C {($ Id.VSub_DollarName '$SUDO')} {<chmod>} {<0755>} 
      {(DQ ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND'))}
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (command.Pipeline
                      children: [
                        (C {($ Id.VSub_DollarName '$OBJ') <'/check-perm'>} {<-m>} {<keys-command>} 
                          {($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')}
                        )
                      ]
                      negated: T
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (C {<echo>} 
              {
                (DQ <'skipping: '> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') <' is unsuitable as '>)
              } {(DQ <AuthorizedPrincipalsCommand>)}
            )
            (C {($ Id.VSub_DollarName '$SUDO')} {<rm>} {<-f>} 
              {($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')}
            )
            (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>})
          ]
          spids: [471 486]
        )
      ]
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {<-x>} {($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')} 
                      {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (command.ForEach
              iter_name: privsep
              iter_words: [{<yes>} {<no>}]
              do_arg_iter: F
              body: 
                (command.DoGroup
                  children: [
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:_prefix)
                          op: assign_op.Equal
                          rhs: {(DQ <'privsep '> ($ Id.VSub_DollarName '$privsep'))}
                          spids: [553]
                        )
                      ]
                    )
                    (C {<rm>} {<-f>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                        ($ Id.VSub_DollarName '$USER')
                      }
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                            (C {<echo>} 
                              {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))}
                            )
                            (C {<echo>} {(DQ <'AuthorizedKeysFile none'>)})
                            (C {<echo>} 
                              {
                                (DQ <'AuthorizedPrincipalsCommand '> 
                                  ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND')
                                )
                              } {(DQ <'%u %t %T %i %s %F %f %k %K'>)}
                            )
                            (C {<echo>} 
                              {(DQ <'AuthorizedPrincipalsCommandUser '> (${ Id.VSub_Name LOGNAME))}
                            )
                            (C {<echo>} 
                              {
                                (DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') 
                                  <'/user_ca_key.pub'>
                                )
                              }
                            )
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' empty authorized_principals'>
                        )
                      }
                    )
                    (command.Simple
                      words: [{<echo>}]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                      do_fork: T
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                          spids: [701 714]
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' wrong authorized_principals'>
                        )
                      }
                    )
                    (command.Simple
                      words: [{<echo>} {<gregorsamsa>}]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                      do_fork: T
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                          spids: [782 795]
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' correct authorized_principals'>
                        )
                      }
                    )
                    (command.Simple
                      words: [{<echo>} {<mekmitasdigoat>}]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                      do_fork: T
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})]
                          spids: [863 876]
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' authorized_principals bad key opt'>
                        )
                      }
                    )
                    (command.Simple
                      words: [{<echo>} {(SQ <'blah mekmitasdigoat'>)}]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                      do_fork: T
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                          spids: [946 959]
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' authorized_principals command=false'>
                        )
                      }
                    )
                    (command.Simple
                      words: [{<echo>} {(SQ <'command="false" mekmitasdigoat'>)}]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                      do_fork: T
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                          spids: [1031 1044]
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' authorized_principals command=true'>
                        )
                      }
                    )
                    (command.Simple
                      words: [{<echo>} {(SQ <'command="true" mekmitasdigoat'>)}]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                      do_fork: T
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<false>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})]
                          spids: [1116 1129]
                        )
                      ]
                    )
                    (C {<rm>} {<-f>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                        ($ Id.VSub_DollarName '$USER')
                      }
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                            (C {<echo>} 
                              {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))}
                            )
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' wrong principals key option'>
                        )
                      }
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<printf>} {(SQ <'cert-authority,principals="gregorsamsa" '>)})
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>})
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                          spids: [1250 1263]
                        )
                      ]
                    )
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': '> (${ Id.VSub_Name _prefix) 
                          <' correct principals key option'>
                        )
                      }
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<printf>} {(SQ <'cert-authority,principals="mekmitasdigoat" '>)})
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>})
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: 
                            {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                              ($ Id.VSub_DollarName '$USER')
                            }
                        )
                      ]
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2i>}
                        {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'>}
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})]
                          spids: [1345 1358]
                        )
                      ]
                    )
                  ]
                )
            )
          ]
          spids: [520 531]
        )
      ]
      else_action: [
        (C {<echo>} 
          {(DQ <'SKIPPED: '> ($ Id.VSub_DollarName '$PRINCIPALS_COMMAND') <' not executable '>)} {(DQ <'(/var/run mounted noexec?)'>)}
        )
      ]
    )
  ]
)