From: dtucker <dtucker@openbsd.org>
Date: Thu, 30 Sep 2021 05:26:26 +0000 (+0000)
Subject: Fix up whitespace left by previous change removing privsep.  No other
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b96e583a38b434b3aae38f02fdab1f3d93f66efe;p=openbsd

Fix up whitespace left by previous change removing privsep.  No other
changes.
---

diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh
index 904dd6930d3..a3414e1a5c5 100644
--- a/regress/usr.bin/ssh/cert-hostkey.sh
+++ b/regress/usr.bin/ssh/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.27 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -131,33 +131,33 @@ attempt_connect() {
 }
 
 # Basic connect and revocation tests.
-	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} cert connect"
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
+for ktype in $PLAIN_TYPES ; do
+	verbose "$tid: host ${ktype} cert connect"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
 
-		#               test name                         expect success
-		attempt_connect "$ktype basic connect"			"yes"
-		attempt_connect "$ktype empty KRL"			"yes" \
-		    -oRevokedHostKeys=$OBJ/host_krl_empty
-		attempt_connect "$ktype KRL w/ plain key revoked"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_plain
-		attempt_connect "$ktype KRL w/ cert revoked"		"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_cert
-		attempt_connect "$ktype KRL w/ CA revoked"		"no" \
-		    -oRevokedHostKeys=$OBJ/host_krl_ca
-		attempt_connect "$ktype empty plaintext revocation"	"yes" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_empty
-		attempt_connect "$ktype plain key plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_plain
-		attempt_connect "$ktype cert plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_cert
-		attempt_connect "$ktype CA plaintext revocation"	"no" \
-		    -oRevokedHostKeys=$OBJ/host_revoked_ca
-	done
+	#               test name                         expect success
+	attempt_connect "$ktype basic connect"			"yes"
+	attempt_connect "$ktype empty KRL"			"yes" \
+	    -oRevokedHostKeys=$OBJ/host_krl_empty
+	attempt_connect "$ktype KRL w/ plain key revoked"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_krl_plain
+	attempt_connect "$ktype KRL w/ cert revoked"		"no" \
+	    -oRevokedHostKeys=$OBJ/host_krl_cert
+	attempt_connect "$ktype KRL w/ CA revoked"		"no" \
+	    -oRevokedHostKeys=$OBJ/host_krl_ca
+	attempt_connect "$ktype empty plaintext revocation"	"yes" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_empty
+	attempt_connect "$ktype plain key plaintext revocation"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_plain
+	attempt_connect "$ktype cert plaintext revocation"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_cert
+	attempt_connect "$ktype CA plaintext revocation"	"no" \
+	    -oRevokedHostKeys=$OBJ/host_revoked_ca
+done
 
 # Revoked certificates with key present
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -166,22 +166,22 @@ for ktype in $PLAIN_TYPES ; do
 	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
 done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} revoked cert"
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
+for ktype in $PLAIN_TYPES ; do
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
 
-		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-	done
+	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done
 
 # Revoked CA
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh
index 53d1951d75b..4ea29b7cdbb 100644
--- a/regress/usr.bin/ssh/cert-userkey.sh
+++ b/regress/usr.bin/ssh/cert-userkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -60,122 +60,122 @@ done
 # Test explicitly-specified principals
 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
-		_prefix="${ktype}"
+	_prefix="${ktype}"
 
-		# Setup for AuthorizedPrincipalsFile
-		rm -f $OBJ/authorized_keys_$USER
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo "AuthorizedPrincipalsFile " \
-			    "$OBJ/authorized_principals_%u"
-			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/sshd_proxy
-		(
-			cat $OBJ/ssh_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/ssh_proxy
+	# Setup for AuthorizedPrincipalsFile
+	rm -f $OBJ/authorized_keys_$USER
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "AuthorizedPrincipalsFile " \
+		    "$OBJ/authorized_principals_%u"
+		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/sshd_proxy
+	(
+		cat $OBJ/ssh_proxy_bak
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/ssh_proxy
 
-		# Missing authorized_principals
-		verbose "$tid: ${_prefix} missing authorized_principals"
-		rm -f $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Missing authorized_principals
+	verbose "$tid: ${_prefix} missing authorized_principals"
+	rm -f $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
 
-		# Empty authorized_principals
-		verbose "$tid: ${_prefix} empty authorized_principals"
-		echo > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Empty authorized_principals
+	verbose "$tid: ${_prefix} empty authorized_principals"
+	echo > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
 
-		# Wrong authorized_principals
-		verbose "$tid: ${_prefix} wrong authorized_principals"
-		echo gregorsamsa > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Wrong authorized_principals
+	verbose "$tid: ${_prefix} wrong authorized_principals"
+	echo gregorsamsa > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
 
-		# Correct authorized_principals
-		verbose "$tid: ${_prefix} correct authorized_principals"
-		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+	# Correct authorized_principals
+	verbose "$tid: ${_prefix} correct authorized_principals"
+	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
 
-		# authorized_principals with bad key option
-		verbose "$tid: ${_prefix} authorized_principals bad key opt"
-		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# authorized_principals with bad key option
+	verbose "$tid: ${_prefix} authorized_principals bad key opt"
+	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
 
-		# authorized_principals with command=false
-		verbose "$tid: ${_prefix} authorized_principals command=false"
-		echo 'command="false" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# authorized_principals with command=false
+	verbose "$tid: ${_prefix} authorized_principals command=false"
+	echo 'command="false" mekmitasdigoat' > \
+	    $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
 
 
-		# authorized_principals with command=true
-		verbose "$tid: ${_prefix} authorized_principals command=true"
-		echo 'command="true" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+	# authorized_principals with command=true
+	verbose "$tid: ${_prefix} authorized_principals command=true"
+	echo 'command="true" mekmitasdigoat' > \
+	    $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
 
-		# Setup for principals= key option
-		rm -f $OBJ/authorized_principals_$USER
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/sshd_proxy
-		(
-			cat $OBJ/ssh_proxy_bak
-			echo "PubkeyAcceptedAlgorithms ${t}"
-		) > $OBJ/ssh_proxy
+	# Setup for principals= key option
+	rm -f $OBJ/authorized_principals_$USER
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/sshd_proxy
+	(
+		cat $OBJ/ssh_proxy_bak
+		echo "PubkeyAcceptedAlgorithms ${t}"
+	) > $OBJ/ssh_proxy
 
-		# Wrong principals list
-		verbose "$tid: ${_prefix} wrong principals key option"
-		(
-			printf 'cert-authority,principals="gregorsamsa" '
-			cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
+	# Wrong principals list
+	verbose "$tid: ${_prefix} wrong principals key option"
+	(
+		printf 'cert-authority,principals="gregorsamsa" '
+		cat $OBJ/user_ca_key.pub
+	) > $OBJ/authorized_keys_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
 
-		# Correct principals list
-		verbose "$tid: ${_prefix} correct principals key option"
-		(
-			printf 'cert-authority,principals="mekmitasdigoat" '
-			cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key_${ktype} \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+	# Correct principals list
+	verbose "$tid: ${_prefix} correct principals key option"
+	(
+		printf 'cert-authority,principals="mekmitasdigoat" '
+		cat $OBJ/user_ca_key.pub
+	) > $OBJ/authorized_keys_$USER
+	${SSH} -i $OBJ/cert_user_key_${ktype} \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
 done
 
 basic_tests() {
@@ -193,71 +193,71 @@ basic_tests() {
 
 	for ktype in $PLAIN_TYPES ; do
 		t=$(kname $ktype)
-			_prefix="${ktype} $auth"
-			# Simple connect
-			verbose "$tid: ${_prefix} connect"
-			(
-				cat $OBJ/sshd_proxy_bak
-				echo "PubkeyAcceptedAlgorithms ${t}"
-				echo "$extra_sshd"
-			) > $OBJ/sshd_proxy
-			(
-				cat $OBJ/ssh_proxy_bak
-				echo "PubkeyAcceptedAlgorithms ${t}"
-			) > $OBJ/ssh_proxy
-
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true
-			if [ $? -ne 0 ]; then
-				fail "ssh cert connect failed"
-			fi
+		_prefix="${ktype} $auth"
+		# Simple connect
+		verbose "$tid: ${_prefix} connect"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "PubkeyAcceptedAlgorithms ${t}"
+			echo "$extra_sshd"
+		) > $OBJ/sshd_proxy
+		(
+			cat $OBJ/ssh_proxy_bak
+			echo "PubkeyAcceptedAlgorithms ${t}"
+		) > $OBJ/ssh_proxy
 
-			# Revoked keys
-			verbose "$tid: ${_prefix} revoked key"
-			(
-				cat $OBJ/sshd_proxy_bak
-				echo "RevokedKeys $OBJ/cert_user_key_revoked"
-				echo "PubkeyAcceptedAlgorithms ${t}"
-				echo "$extra_sshd"
-			) > $OBJ/sshd_proxy
-			cp $OBJ/cert_user_key_${ktype}.pub \
-			    $OBJ/cert_user_key_revoked
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
-				fail "ssh cert connect succeeded unexpecedly"
-			fi
-			verbose "$tid: ${_prefix} revoked via KRL"
-			rm $OBJ/cert_user_key_revoked
-			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
-			    $OBJ/cert_user_key_${ktype}.pub
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
-				fail "ssh cert connect succeeded unexpecedly"
-			fi
-			verbose "$tid: ${_prefix} empty KRL"
-			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
-			${SSH} -i $OBJ/cert_user_key_${ktype} \
-			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-			if [ $? -ne 0 ]; then
-				fail "ssh cert connect failed"
-			fi
-		done
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
 
-		# Revoked CA
-		verbose "$tid: ${ktype} $auth revoked CA key"
+		# Revoked keys
+		verbose "$tid: ${_prefix} revoked key"
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "RevokedKeys $OBJ/user_ca_key.pub"
+			echo "RevokedKeys $OBJ/cert_user_key_revoked"
 			echo "PubkeyAcceptedAlgorithms ${t}"
 			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
-		${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
-		    somehost true >/dev/null 2>&1
+		cp $OBJ/cert_user_key_${ktype}.pub \
+		    $OBJ/cert_user_key_revoked
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpecedly"
+		fi
+		verbose "$tid: ${_prefix} revoked via KRL"
+		rm $OBJ/cert_user_key_revoked
+		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+		    $OBJ/cert_user_key_${ktype}.pub
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
+		verbose "$tid: ${_prefix} empty KRL"
+		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+
+	# Revoked CA
+	verbose "$tid: ${ktype} $auth revoked CA key"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "RevokedKeys $OBJ/user_ca_key.pub"
+		echo "PubkeyAcceptedAlgorithms ${t}"
+		echo "$extra_sshd"
+	) > $OBJ/sshd_proxy
+	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpecedly"
+	fi
 
 	verbose "$tid: $auth CA does not authenticate"
 	(
diff --git a/regress/usr.bin/ssh/principals-command.sh b/regress/usr.bin/ssh/principals-command.sh
index d9701e91cc8..e51a405e5f7 100644
--- a/regress/usr.bin/ssh/principals-command.sh
+++ b/regress/usr.bin/ssh/principals-command.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
+#	$OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -53,104 +53,104 @@ test $? -eq 0 || fatal "couldn't prepare principals command"
 $SUDO chmod 0755 "$PRINCIPALS_COMMAND"
 
 # Test explicitly-specified principals
-	# Setup for AuthorizedPrincipalsCommand
-	rm -f $OBJ/authorized_keys_$USER
-	(
-		cat $OBJ/sshd_proxy_bak
-		echo "AuthorizedKeysFile none"
-		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
-		    "%u %t %T %i %s %F %f %k %K"
-		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-	) > $OBJ/sshd_proxy
-
-	# XXX test missing command
-	# XXX test failing command
-
-	# Empty authorized_principals
-	verbose "$tid: empty authorized_principals"
-	echo > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
-
-	# Wrong authorized_principals
-	verbose "$tid: wrong authorized_principals"
-	echo gregorsamsa > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
-
-	# Correct authorized_principals
-	verbose "$tid: correct authorized_principals"
-	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
-
-	# authorized_principals with bad key option
-	verbose "$tid: authorized_principals bad key opt"
-	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
-
-	# authorized_principals with command=false
-	verbose "$tid: authorized_principals command=false"
-	echo 'command="false" mekmitasdigoat' > \
-	    $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
-
-
-	# authorized_principals with command=true
-	verbose "$tid: authorized_principals command=true"
-	echo 'command="true" mekmitasdigoat' > \
-	    $OBJ/authorized_principals_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
-
-	# Setup for principals= key option
-	# TODO: remove?
-	rm -f $OBJ/authorized_principals_$USER
-	(
-		cat $OBJ/sshd_proxy_bak
-	) > $OBJ/sshd_proxy
-
-	# Wrong principals list
-	verbose "$tid: wrong principals key option"
-	(
-		printf 'cert-authority,principals="gregorsamsa" '
-		cat $OBJ/user_ca_key.pub
-	) > $OBJ/authorized_keys_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect succeeded unexpectedly"
-	fi
-
-	# Correct principals list
-	verbose "$tid: correct principals key option"
-	(
-		printf 'cert-authority,principals="mekmitasdigoat" '
-		cat $OBJ/user_ca_key.pub
-	) > $OBJ/authorized_keys_$USER
-	${SSH} -i $OBJ/cert_user_key \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
+# Setup for AuthorizedPrincipalsCommand
+rm -f $OBJ/authorized_keys_$USER
+(
+	cat $OBJ/sshd_proxy_bak
+	echo "AuthorizedKeysFile none"
+	echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+	    "%u %t %T %i %s %F %f %k %K"
+	echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+) > $OBJ/sshd_proxy
+
+# XXX test missing command
+# XXX test failing command
+
+# Empty authorized_principals
+verbose "$tid: empty authorized_principals"
+echo > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# Wrong authorized_principals
+verbose "$tid: wrong authorized_principals"
+echo gregorsamsa > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# Correct authorized_principals
+verbose "$tid: correct authorized_principals"
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fail "ssh cert connect failed"
+fi
+
+# authorized_principals with bad key option
+verbose "$tid: authorized_principals bad key opt"
+echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# authorized_principals with command=false
+verbose "$tid: authorized_principals command=false"
+echo 'command="false" mekmitasdigoat' > \
+    $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi
+
+
+# authorized_principals with command=true
+verbose "$tid: authorized_principals command=true"
+echo 'command="true" mekmitasdigoat' > \
+    $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fail "ssh cert connect failed"
+fi
+
+# Setup for principals= key option
+# TODO: remove?
+rm -f $OBJ/authorized_principals_$USER
+(
+	cat $OBJ/sshd_proxy_bak
+) > $OBJ/sshd_proxy
+
+# Wrong principals list
+verbose "$tid: wrong principals key option"
+(
+	printf 'cert-authority,principals="gregorsamsa" '
+	cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# Correct principals list
+verbose "$tid: correct principals key option"
+(
+	printf 'cert-authority,principals="mekmitasdigoat" '
+	cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+${SSH} -i $OBJ/cert_user_key \
+    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fail "ssh cert connect failed"
+fi