upstream: Fix up whitespace left by previous

change removing privsep. No other changes. OpenBSD-Regress-ID: 87adec225d8afaee4d6a91b2b71203f52bf14b15
2021-09-30 05:26:26 +00:00 · 2021-09-30 05:26:26 +00:00 · 76a398edfb
parent ddcb53b7a7
commit 76a398edfb
3 changed files with 296 additions and 296 deletions
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.27 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.
 tid="certified host keys"
@ -131,33 +131,33 @@ attempt_connect() {
 }
 # Basic connect and revocation tests.
-	for ktype in $PLAIN_TYPES ; do
+for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} cert connect"
+	verbose "$tid: host ${ktype} cert connect"
-		(
+	(
-			cat $OBJ/sshd_proxy_bak
+		cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
+	) > $OBJ/sshd_proxy
-		#               test name                         expect success
+	#               test name                         expect success
-		attempt_connect "$ktype basic connect"			"yes"
+	attempt_connect "$ktype basic connect"			"yes"
-		attempt_connect "$ktype empty KRL"			"yes" \
+	attempt_connect "$ktype empty KRL"			"yes" \
-		    -oRevokedHostKeys=$OBJ/host_krl_empty
+	    -oRevokedHostKeys=$OBJ/host_krl_empty
-		attempt_connect "$ktype KRL w/ plain key revoked"	"no" \
+	attempt_connect "$ktype KRL w/ plain key revoked"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_plain
+	    -oRevokedHostKeys=$OBJ/host_krl_plain
-		attempt_connect "$ktype KRL w/ cert revoked"		"no" \
+	attempt_connect "$ktype KRL w/ cert revoked"		"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_cert
+	    -oRevokedHostKeys=$OBJ/host_krl_cert
-		attempt_connect "$ktype KRL w/ CA revoked"		"no" \
+	attempt_connect "$ktype KRL w/ CA revoked"		"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_ca
+	    -oRevokedHostKeys=$OBJ/host_krl_ca
-		attempt_connect "$ktype empty plaintext revocation"	"yes" \
+	attempt_connect "$ktype empty plaintext revocation"	"yes" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_empty
+	    -oRevokedHostKeys=$OBJ/host_revoked_empty
-		attempt_connect "$ktype plain key plaintext revocation"	"no" \
+	attempt_connect "$ktype plain key plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_plain
+	    -oRevokedHostKeys=$OBJ/host_revoked_plain
-		attempt_connect "$ktype cert plaintext revocation"	"no" \
+	attempt_connect "$ktype cert plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_cert
+	    -oRevokedHostKeys=$OBJ/host_revoked_cert
-		attempt_connect "$ktype CA plaintext revocation"	"no" \
+	attempt_connect "$ktype CA plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_ca
+	    -oRevokedHostKeys=$OBJ/host_revoked_ca
-	done
+done
 # Revoked certificates with key present
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@ -166,22 +166,22 @@ for ktype in $PLAIN_TYPES ; do
 	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
 done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-	for ktype in $PLAIN_TYPES ; do
+for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} revoked cert"
+	verbose "$tid: host ${ktype} revoked cert"
-		(
+	(
-			cat $OBJ/sshd_proxy_bak
+		cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
+	) > $OBJ/sshd_proxy
-		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-	done
+done
 # Revoked CA
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.
 tid="certified user keys"
@ -60,122 +60,122 @@ done
 # Test explicitly-specified principals
 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
-		_prefix="${ktype}"
+	_prefix="${ktype}"
-		# Setup for AuthorizedPrincipalsFile
+	# Setup for AuthorizedPrincipalsFile
-		rm -f $OBJ/authorized_keys_$USER
+	rm -f $OBJ/authorized_keys_$USER
-		(
+	(
-			cat $OBJ/sshd_proxy_bak
+		cat $OBJ/sshd_proxy_bak
-			echo "AuthorizedPrincipalsFile " \
+		echo "AuthorizedPrincipalsFile " \
-			    "$OBJ/authorized_principals_%u"
+		    "$OBJ/authorized_principals_%u"
-			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-			echo "PubkeyAcceptedAlgorithms ${t}"
+		echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/sshd_proxy
+	) > $OBJ/sshd_proxy
-		(
+	(
-			cat $OBJ/ssh_proxy_bak
+		cat $OBJ/ssh_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
+		echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/ssh_proxy
+	) > $OBJ/ssh_proxy
-		# Missing authorized_principals
+	# Missing authorized_principals
-		verbose "$tid: ${_prefix} missing authorized_principals"
+	verbose "$tid: ${_prefix} missing authorized_principals"
-		rm -f $OBJ/authorized_principals_$USER
+	rm -f $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-		# Empty authorized_principals
+	# Empty authorized_principals
-		verbose "$tid: ${_prefix} empty authorized_principals"
+	verbose "$tid: ${_prefix} empty authorized_principals"
-		echo > $OBJ/authorized_principals_$USER
+	echo > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-		# Wrong authorized_principals
+	# Wrong authorized_principals
-		verbose "$tid: ${_prefix} wrong authorized_principals"
+	verbose "$tid: ${_prefix} wrong authorized_principals"
-		echo gregorsamsa > $OBJ/authorized_principals_$USER
+	echo gregorsamsa > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-		# Correct authorized_principals
+	# Correct authorized_principals
-		verbose "$tid: ${_prefix} correct authorized_principals"
+	verbose "$tid: ${_prefix} correct authorized_principals"
-		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
+		fail "ssh cert connect failed"
-		fi
+	fi
-		# authorized_principals with bad key option
+	# authorized_principals with bad key option
-		verbose "$tid: ${_prefix} authorized_principals bad key opt"
+	verbose "$tid: ${_prefix} authorized_principals bad key opt"
-		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-		# authorized_principals with command=false
+	# authorized_principals with command=false
-		verbose "$tid: ${_prefix} authorized_principals command=false"
+	verbose "$tid: ${_prefix} authorized_principals command=false"
-		echo 'command="false" mekmitasdigoat' > \
+	echo 'command="false" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
+	    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-		# authorized_principals with command=true
+	# authorized_principals with command=true
-		verbose "$tid: ${_prefix} authorized_principals command=true"
+	verbose "$tid: ${_prefix} authorized_principals command=true"
-		echo 'command="true" mekmitasdigoat' > \
+	echo 'command="true" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
+	    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
+		fail "ssh cert connect failed"
-		fi
+	fi
-		# Setup for principals= key option
+	# Setup for principals= key option
-		rm -f $OBJ/authorized_principals_$USER
+	rm -f $OBJ/authorized_principals_$USER
-		(
+	(
-			cat $OBJ/sshd_proxy_bak
+		cat $OBJ/sshd_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
+		echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/sshd_proxy
+	) > $OBJ/sshd_proxy
-		(
+	(
-			cat $OBJ/ssh_proxy_bak
+		cat $OBJ/ssh_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
+		echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/ssh_proxy
+	) > $OBJ/ssh_proxy
-		# Wrong principals list
+	# Wrong principals list
-		verbose "$tid: ${_prefix} wrong principals key option"
+	verbose "$tid: ${_prefix} wrong principals key option"
-		(
+	(
-			printf 'cert-authority,principals="gregorsamsa" '
+		printf 'cert-authority,principals="gregorsamsa" '
-			cat $OBJ/user_ca_key.pub
+		cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
+	) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
+	if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
+		fail "ssh cert connect succeeded unexpectedly"
-		fi
+	fi
-		# Correct principals list
+	# Correct principals list
-		verbose "$tid: ${_prefix} correct principals key option"
+	verbose "$tid: ${_prefix} correct principals key option"
-		(
+	(
-			printf 'cert-authority,principals="mekmitasdigoat" '
+		printf 'cert-authority,principals="mekmitasdigoat" '
-			cat $OBJ/user_ca_key.pub
+		cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
+	) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
+		fail "ssh cert connect failed"
-		fi
+	fi
 done
 basic_tests() {
@ -193,71 +193,71 @@ basic_tests() {
 	for ktype in $PLAIN_TYPES ; do
 		t=$(kname $ktype)
-			_prefix="${ktype} $auth"
+		_prefix="${ktype} $auth"
-			# Simple connect
+		# Simple connect
-			verbose "$tid: ${_prefix} connect"
+		verbose "$tid: ${_prefix} connect"
 			(
 				cat $OBJ/sshd_proxy_bak
 				echo "PubkeyAcceptedAlgorithms ${t}"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
 			(
 				cat $OBJ/ssh_proxy_bak
 				echo "PubkeyAcceptedAlgorithms ${t}"
 			) > $OBJ/ssh_proxy
 			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true
 			if [ $? -ne 0 ]; then
 				fail "ssh cert connect failed"
 			fi
 			# Revoked keys
 			verbose "$tid: ${_prefix} revoked key"
 			(
 				cat $OBJ/sshd_proxy_bak
 				echo "RevokedKeys $OBJ/cert_user_key_revoked"
 				echo "PubkeyAcceptedAlgorithms ${t}"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
 			cp $OBJ/cert_user_key_${ktype}.pub \
 			    $OBJ/cert_user_key_revoked
 			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -eq 0 ]; then
 				fail "ssh cert connect succeeded unexpecedly"
 			fi
 			verbose "$tid: ${_prefix} revoked via KRL"
 			rm $OBJ/cert_user_key_revoked
 			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
 			    $OBJ/cert_user_key_${ktype}.pub
 			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -eq 0 ]; then
 				fail "ssh cert connect succeeded unexpecedly"
 			fi
 			verbose "$tid: ${_prefix} empty KRL"
 			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
 			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -ne 0 ]; then
 				fail "ssh cert connect failed"
 			fi
 		done
 		# Revoked CA
 		verbose "$tid: ${ktype} $auth revoked CA key"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo "RevokedKeys $OBJ/user_ca_key.pub"
 			echo "PubkeyAcceptedAlgorithms ${t}"
 			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
-		${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+		(
-		    somehost true >/dev/null 2>&1
+			cat $OBJ/ssh_proxy_bak
 			echo "PubkeyAcceptedAlgorithms ${t}"
 		) > $OBJ/ssh_proxy
 		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
 		fi
 		# Revoked keys
 		verbose "$tid: ${_prefix} revoked key"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo "RevokedKeys $OBJ/cert_user_key_revoked"
 			echo "PubkeyAcceptedAlgorithms ${t}"
 			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
 		cp $OBJ/cert_user_key_${ktype}.pub \
 		    $OBJ/cert_user_key_revoked
 		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
 		verbose "$tid: ${_prefix} revoked via KRL"
 		rm $OBJ/cert_user_key_revoked
 		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
 		    $OBJ/cert_user_key_${ktype}.pub
 		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
 		verbose "$tid: ${_prefix} empty KRL"
 		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
 		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
 		fi
 	done
 	# Revoked CA
 	verbose "$tid: ${ktype} $auth revoked CA key"
 	(
 		cat $OBJ/sshd_proxy_bak
 		echo "RevokedKeys $OBJ/user_ca_key.pub"
 		echo "PubkeyAcceptedAlgorithms ${t}"
 		echo "$extra_sshd"
 	) > $OBJ/sshd_proxy
 	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 	    somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect succeeded unexpecedly"
 	fi
 	verbose "$tid: $auth CA does not authenticate"
 	(
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.
 tid="authorized principals command"
@ -64,105 +64,105 @@ if [ ! -x $PRINCIPALS_COMMAND ]; then
 	    "(/var/run mounted noexec?)"
 fi
-#Test explicitly-specified principals
+# Test explicitly-specified principals
-	# Setup for AuthorizedPrincipalsCommand
+# Setup for AuthorizedPrincipalsCommand
-	rm -f $OBJ/authorized_keys_$USER
+rm -f $OBJ/authorized_keys_$USER
-	(
+(
-		cat $OBJ/sshd_proxy_bak
+	cat $OBJ/sshd_proxy_bak
-		echo "AuthorizedKeysFile none"
+	echo "AuthorizedKeysFile none"
-		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+	echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
-		    "%u %t %T %i %s %F %f %k %K"
+	    "%u %t %T %i %s %F %f %k %K"
-		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+	echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-	) > $OBJ/sshd_proxy
+) > $OBJ/sshd_proxy
-	# XXX test missing command
+# XXX test missing command
-	# XXX test failing command
+# XXX test failing command
-	# Empty authorized_principals
+# Empty authorized_principals
-	verbose "$tid: empty authorized_principals"
+verbose "$tid: empty authorized_principals"
-	echo > $OBJ/authorized_principals_$USER
+echo > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
+if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
+	fail "ssh cert connect succeeded unexpectedly"
-	fi
+fi
-	# Wrong authorized_principals
+# Wrong authorized_principals
-	verbose "$tid: wrong authorized_principals"
+verbose "$tid: wrong authorized_principals"
-	echo gregorsamsa > $OBJ/authorized_principals_$USER
+echo gregorsamsa > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
+if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
+	fail "ssh cert connect succeeded unexpectedly"
-	fi
+fi
-	# Correct authorized_principals
+# Correct authorized_principals
-	verbose "$tid: correct authorized_principals"
+verbose "$tid: correct authorized_principals"
-	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
+if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
+	fail "ssh cert connect failed"
-	fi
+fi
-	# authorized_principals with bad key option
+# authorized_principals with bad key option
-	verbose "$tid: authorized_principals bad key opt"
+verbose "$tid: authorized_principals bad key opt"
-	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
+if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
+	fail "ssh cert connect succeeded unexpectedly"
-	fi
+fi
-	# authorized_principals with command=false
+# authorized_principals with command=false
-	verbose "$tid: authorized_principals command=false"
+verbose "$tid: authorized_principals command=false"
-	echo 'command="false" mekmitasdigoat' > \
+echo 'command="false" mekmitasdigoat' > \
-	    $OBJ/authorized_principals_$USER
+    $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
+if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
+	fail "ssh cert connect succeeded unexpectedly"
-	fi
+fi
-	# authorized_principals with command=true
+# authorized_principals with command=true
-	verbose "$tid: authorized_principals command=true"
+verbose "$tid: authorized_principals command=true"
-	echo 'command="true" mekmitasdigoat' > \
+echo 'command="true" mekmitasdigoat' > \
-	    $OBJ/authorized_principals_$USER
+    $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
+if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
+	fail "ssh cert connect failed"
-	fi
+fi
-	# Setup for principals= key option
+# Setup for principals= key option
-	# TODO: remove?
+# TODO: remove?
-	rm -f $OBJ/authorized_principals_$USER
+rm -f $OBJ/authorized_principals_$USER
-	(
+(
-		cat $OBJ/sshd_proxy_bak
+	cat $OBJ/sshd_proxy_bak
-	) > $OBJ/sshd_proxy
+) > $OBJ/sshd_proxy
-	# Wrong principals list
+# Wrong principals list
-	verbose "$tid: wrong principals key option"
+verbose "$tid: wrong principals key option"
-	(
+(
-		printf 'cert-authority,principals="gregorsamsa" '
+	printf 'cert-authority,principals="gregorsamsa" '
-		cat $OBJ/user_ca_key.pub
+	cat $OBJ/user_ca_key.pub
-	) > $OBJ/authorized_keys_$USER
+) > $OBJ/authorized_keys_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
+if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
+	fail "ssh cert connect succeeded unexpectedly"
-	fi
+fi
-	# Correct principals list
+# Correct principals list
-	verbose "$tid: correct principals key option"
+verbose "$tid: correct principals key option"
-	(
+(
-		printf 'cert-authority,principals="mekmitasdigoat" '
+	printf 'cert-authority,principals="mekmitasdigoat" '
-		cat $OBJ/user_ca_key.pub
+	cat $OBJ/user_ca_key.pub
-	) > $OBJ/authorized_keys_$USER
+) > $OBJ/authorized_keys_$USER
-	${SSH} -i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
+if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
+	fail "ssh cert connect failed"
-	fi
+fi