upstream: Fix up whitespace left by previous

change removing privsep. No other changes. OpenBSD-Regress-ID: 87adec225d8afaee4d6a91b2b71203f52bf14b15
2021-09-30 05:26:26 +00:00 · 2021-09-30 05:26:26 +00:00 · 76a398edfb
parent ddcb53b7a7
commit 76a398edfb
3 changed files with 296 additions and 296 deletions
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.27 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -131,33 +131,33 @@ attempt_connect() {
 }

 # Basic connect and revocation tests.
-	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} cert connect"
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
+for ktype in $PLAIN_TYPES ; do
+	verbose "$tid: host ${ktype} cert connect"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy

-		#               test name                         expect success
-		attempt_connect "$ktype basic connect"			"yes"
-		attempt_connect "$ktype empty KRL"			"yes" \
-		    -oRevokedHostKeys=$OBJ/host_krl_empty
-		attempt_connect "$ktype KRL w/ plain key revoked"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_plain
-		attempt_connect "$ktype KRL w/ cert revoked"		"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_cert
-		attempt_connect "$ktype KRL w/ CA revoked"		"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_ca
-		attempt_connect "$ktype empty plaintext revocation"	"yes" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_empty
-		attempt_connect "$ktype plain key plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_plain
-		attempt_connect "$ktype cert plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_cert
-		attempt_connect "$ktype CA plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_ca
-	done
+	#               test name                         expect success
+	attempt_connect "$ktype basic connect"			"yes"
+	attempt_connect "$ktype empty KRL"			"yes" \
+	    -oRevokedHostKeys=$OBJ/host_krl_empty
+	attempt_connect "$ktype KRL w/ plain key revoked"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_krl_plain
+	attempt_connect "$ktype KRL w/ cert revoked"		"no" \
+	    -oRevokedHostKeys=$OBJ/host_krl_cert
+	attempt_connect "$ktype KRL w/ CA revoked"		"no" \
+	    -oRevokedHostKeys=$OBJ/host_krl_ca
+	attempt_connect "$ktype empty plaintext revocation"	"yes" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_empty
+	attempt_connect "$ktype plain key plaintext revocation"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_plain
+	attempt_connect "$ktype cert plaintext revocation"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_cert
+	attempt_connect "$ktype CA plaintext revocation"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_ca
+done

 # Revoked certificates with key present
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@ -166,22 +166,22 @@ for ktype in $PLAIN_TYPES ; do
 	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
 done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} revoked cert"
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
+for ktype in $PLAIN_TYPES ; do
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy

-		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-	done
+	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done

 # Revoked CA
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -60,122 +60,122 @@ done
 # Test explicitly-specified principals
 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
-		_prefix="${ktype}"
+	_prefix="${ktype}"

-		# Setup for AuthorizedPrincipalsFile
-		rm -f $OBJ/authorized_keys_$USER
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo "AuthorizedPrincipalsFile " \
-			    "$OBJ/authorized_principals_%u"
-			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/sshd_proxy
-		(
-			cat $OBJ/ssh_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/ssh_proxy
+	# Setup for AuthorizedPrincipalsFile
+	rm -f $OBJ/authorized_keys_$USER
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "AuthorizedPrincipalsFile " \
+		    "$OBJ/authorized_principals_%u"
+		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/sshd_proxy
+	(
+		cat $OBJ/ssh_proxy_bak
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/ssh_proxy

-		# Missing authorized_principals
-		verbose "$tid: ${_prefix} missing authorized_principals"
-		rm -f $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Missing authorized_principals
+	verbose "$tid: ${_prefix} missing authorized_principals"
+	rm -f $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi

-		# Empty authorized_principals
-		verbose "$tid: ${_prefix} empty authorized_principals"
-		echo > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Empty authorized_principals
+	verbose "$tid: ${_prefix} empty authorized_principals"
+	echo > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi

-		# Wrong authorized_principals
-		verbose "$tid: ${_prefix} wrong authorized_principals"
-		echo gregorsamsa > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Wrong authorized_principals
+	verbose "$tid: ${_prefix} wrong authorized_principals"
+	echo gregorsamsa > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi

-		# Correct authorized_principals
-		verbose "$tid: ${_prefix} correct authorized_principals"
-		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+	# Correct authorized_principals
+	verbose "$tid: ${_prefix} correct authorized_principals"
+	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi

-		# authorized_principals with bad key option
-		verbose "$tid: ${_prefix} authorized_principals bad key opt"
-		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# authorized_principals with bad key option
+	verbose "$tid: ${_prefix} authorized_principals bad key opt"
+	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi

-		# authorized_principals with command=false
-		verbose "$tid: ${_prefix} authorized_principals command=false"
-		echo 'command="false" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# authorized_principals with command=false
+	verbose "$tid: ${_prefix} authorized_principals command=false"
+	echo 'command="false" mekmitasdigoat' > \
+	    $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi


-		# authorized_principals with command=true
-		verbose "$tid: ${_prefix} authorized_principals command=true"
-		echo 'command="true" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+	# authorized_principals with command=true
+	verbose "$tid: ${_prefix} authorized_principals command=true"
+	echo 'command="true" mekmitasdigoat' > \
+	    $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi

-		# Setup for principals= key option
-		rm -f $OBJ/authorized_principals_$USER
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/sshd_proxy
-		(
-			cat $OBJ/ssh_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/ssh_proxy
+	# Setup for principals= key option
+	rm -f $OBJ/authorized_principals_$USER
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/sshd_proxy
+	(
+		cat $OBJ/ssh_proxy_bak
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/ssh_proxy

-		# Wrong principals list
-		verbose "$tid: ${_prefix} wrong principals key option"
-		(
-			printf 'cert-authority,principals="gregorsamsa" '
-			cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Wrong principals list
+	verbose "$tid: ${_prefix} wrong principals key option"
+	(
+		printf 'cert-authority,principals="gregorsamsa" '
+		cat $OBJ/user_ca_key.pub
+	) > $OBJ/authorized_keys_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi

-		# Correct principals list
-		verbose "$tid: ${_prefix} correct principals key option"
-		(
-			printf 'cert-authority,principals="mekmitasdigoat" '
-			cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+	# Correct principals list
+	verbose "$tid: ${_prefix} correct principals key option"
+	(
+		printf 'cert-authority,principals="mekmitasdigoat" '
+		cat $OBJ/user_ca_key.pub
+	) > $OBJ/authorized_keys_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
 done

 basic_tests() {
@ -193,71 +193,71 @@ basic_tests() {

 	for ktype in $PLAIN_TYPES ; do
 		t=$(kname $ktype)
-			_prefix="${ktype} $auth"
-			# Simple connect
-			verbose "$tid: ${_prefix} connect"
-			(
-				cat $OBJ/sshd_proxy_bak
-				echo "PubkeyAcceptedAlgorithms ${t}"
-				echo "$extra_sshd"
-			) > $OBJ/sshd_proxy
-			(
-				cat $OBJ/ssh_proxy_bak
-				echo "PubkeyAcceptedAlgorithms ${t}"
-			) > $OBJ/ssh_proxy
-
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true
-			if [ $? -ne 0 ]; then
-				fail "ssh cert connect failed"
-			fi
-
-			# Revoked keys
-			verbose "$tid: ${_prefix} revoked key"
-			(
-				cat $OBJ/sshd_proxy_bak
-				echo "RevokedKeys $OBJ/cert_user_key_revoked"
-				echo "PubkeyAcceptedAlgorithms ${t}"
-				echo "$extra_sshd"
-			) > $OBJ/sshd_proxy
-			cp $OBJ/cert_user_key_${ktype}.pub \
-			    $OBJ/cert_user_key_revoked
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
-				fail "ssh cert connect succeeded unexpecedly"
-			fi
-			verbose "$tid: ${_prefix} revoked via KRL"
-			rm $OBJ/cert_user_key_revoked
-			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
-			    $OBJ/cert_user_key_${ktype}.pub
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
-				fail "ssh cert connect succeeded unexpecedly"
-			fi
-			verbose "$tid: ${_prefix} empty KRL"
-			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-			if [ $? -ne 0 ]; then
-				fail "ssh cert connect failed"
-			fi
-		done
-
-		# Revoked CA
-		verbose "$tid: ${ktype} $auth revoked CA key"
+		_prefix="${ktype} $auth"
+		# Simple connect
+		verbose "$tid: ${_prefix} connect"
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "RevokedKeys $OBJ/user_ca_key.pub"
 			echo "PubkeyAcceptedAlgorithms ${t}"
 			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
-		${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
-		    somehost true >/dev/null 2>&1
+		(
+			cat $OBJ/ssh_proxy_bak
+			echo "PubkeyAcceptedAlgorithms ${t}"
+		) > $OBJ/ssh_proxy
+
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+
+		# Revoked keys
+		verbose "$tid: ${_prefix} revoked key"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "RevokedKeys $OBJ/cert_user_key_revoked"
+			echo "PubkeyAcceptedAlgorithms ${t}"
+			echo "$extra_sshd"
+		) > $OBJ/sshd_proxy
+		cp $OBJ/cert_user_key_${ktype}.pub \
+		    $OBJ/cert_user_key_revoked
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
+		verbose "$tid: ${_prefix} revoked via KRL"
+		rm $OBJ/cert_user_key_revoked
+		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+		    $OBJ/cert_user_key_${ktype}.pub
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpecedly"
+		fi
+		verbose "$tid: ${_prefix} empty KRL"
+		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+
+	# Revoked CA
+	verbose "$tid: ${ktype} $auth revoked CA key"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "RevokedKeys $OBJ/user_ca_key.pub"
+		echo "PubkeyAcceptedAlgorithms ${t}"
+		echo "$extra_sshd"
+	) > $OBJ/sshd_proxy
+	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpecedly"
+	fi

 	verbose "$tid: $auth CA does not authenticate"
 	(
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.

 tid="authorized principals command"
@ -64,105 +64,105 @@ if [ ! -x $PRINCIPALS_COMMAND ]; then
 	    "(/var/run mounted noexec?)"
 fi

-#Test explicitly-specified principals
-	# Setup for AuthorizedPrincipalsCommand
-	rm -f $OBJ/authorized_keys_$USER
-	(
-		cat $OBJ/sshd_proxy_bak
-		echo "AuthorizedKeysFile none"
-		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
-		    "%u %t %T %i %s %F %f %k %K"
-		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-	) > $OBJ/sshd_proxy
+# Test explicitly-specified principals
+# Setup for AuthorizedPrincipalsCommand
+rm -f $OBJ/authorized_keys_$USER
+(
+	cat $OBJ/sshd_proxy_bak
+	echo "AuthorizedKeysFile none"
+	echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+	    "%u %t %T %i %s %F %f %k %K"
+	echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+) > $OBJ/sshd_proxy

-	# XXX test missing command
-	# XXX test failing command
+# XXX test missing command
+# XXX test failing command

-	# Empty authorized_principals
-	verbose "$tid: empty authorized_principals"
-	echo > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
+# Empty authorized_principals
+verbose "$tid: empty authorized_principals"
+echo > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi

-	# Wrong authorized_principals
-	verbose "$tid: wrong authorized_principals"
-	echo gregorsamsa > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
+# Wrong authorized_principals
+verbose "$tid: wrong authorized_principals"
+echo gregorsamsa > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi

-	# Correct authorized_principals
-	verbose "$tid: correct authorized_principals"
-	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
+# Correct authorized_principals
+verbose "$tid: correct authorized_principals"
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fail "ssh cert connect failed"
+fi

-	# authorized_principals with bad key option
-	verbose "$tid: authorized_principals bad key opt"
-	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
+# authorized_principals with bad key option
+verbose "$tid: authorized_principals bad key opt"
+echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi

-	# authorized_principals with command=false
-	verbose "$tid: authorized_principals command=false"
-	echo 'command="false" mekmitasdigoat' > \
-	    $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
+# authorized_principals with command=false
+verbose "$tid: authorized_principals command=false"
+echo 'command="false" mekmitasdigoat' > \
+    $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi


-	# authorized_principals with command=true
-	verbose "$tid: authorized_principals command=true"
-	echo 'command="true" mekmitasdigoat' > \
-	    $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
+# authorized_principals with command=true
+verbose "$tid: authorized_principals command=true"
+echo 'command="true" mekmitasdigoat' > \
+    $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fail "ssh cert connect failed"
+fi

-	# Setup for principals= key option
-	# TODO: remove?
-	rm -f $OBJ/authorized_principals_$USER
-	(
-		cat $OBJ/sshd_proxy_bak
-	) > $OBJ/sshd_proxy
+# Setup for principals= key option
+# TODO: remove?
+rm -f $OBJ/authorized_principals_$USER
+(
+	cat $OBJ/sshd_proxy_bak
+) > $OBJ/sshd_proxy

-	# Wrong principals list
-	verbose "$tid: wrong principals key option"
-	(
-		printf 'cert-authority,principals="gregorsamsa" '
-		cat $OBJ/user_ca_key.pub
-	) > $OBJ/authorized_keys_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
+# Wrong principals list
+verbose "$tid: wrong principals key option"
+(
+	printf 'cert-authority,principals="gregorsamsa" '
+	cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi

-	# Correct principals list
-	verbose "$tid: correct principals key option"
-	(
-		printf 'cert-authority,principals="mekmitasdigoat" '
-		cat $OBJ/user_ca_key.pub
-	) > $OBJ/authorized_keys_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
+# Correct principals list
+verbose "$tid: correct principals key option"
+(
+	printf 'cert-authority,principals="mekmitasdigoat" '
+	cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fail "ssh cert connect failed"
+fi