Description
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest version
- Search the existing issues.
Steps to reproduce
There are no FIDO keys on the Yubikey Nano 5C:

```
❯ ykman fido credentials list
Enter your PIN:
Credential ID  RP ID  Username  Display name
```
When running `ssh-keygen -t ed25519-sk -O resident -O application=ssh:test1` with a Yubikey Nano 5C I get the following output:

```
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
A resident key scoped to 'ssh:test1' with user id 'null' already exists.
Overwrite key in token (y/n)? y
```
However, the key does not exist on the Yubikey, as you can see in the previous output.
After creating this resident key, the output is:

```
❯ ykman fido credentials list
Enter your PIN:
Credential ID  RP ID      Username  Display name
xxx...         ssh:test1  openssh   openssh
```
When I now try to add another resident key to the Yubikey with `ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2`, I get the same output as above:

```
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
A resident key scoped to 'ssh:test2' with user id 'null' already exists.
Overwrite key in token (y/n)? y
```
After "overwriting" the key this way, I have two keys on the Yubikey:

```
❯ ykman fido credentials list
Enter your PIN:
Credential ID  RP ID      Username  Display name
xxx...         ssh:test1  openssh   openssh
xxx...         ssh:test2  openssh   openssh
```
In both cases the key did not exist and I am not overwriting anything. When glancing at the source here, https://github.com/PowerShell/openssh-portable/blob/8b8667852672317bd505593d6fec640cdf7b5cde/ssh-keygen.c#L3933, I see where the message comes from, but I do not see any check that this particular key exists.
Should the check for overwrite not include an actual check for whether this key with this particular application exists? Or should the message for overwriting not include a "may" overwrite if checking is not possible?
I am unsure whether the logic is flawed or simply the message misleading (as nothing is being overwritten with different applications).
Ultimately I am not able to overwrite a key with ssh-keygen. When running ssh-keygen with the same application again, I get duplicate keys:

```
ssh-keygen -t ed25519-sk -O resident -O application=ssh:test2
```

Output (note that ssh:test2 appears twice):

```
❯ ykman fido credentials list
Enter your PIN:
Credential ID  RP ID      Username  Display name
xxx...         ssh:test1  openssh   openssh
xxx...         ssh:test2  openssh   openssh
xxx...         ssh:test2  openssh   openssh
```
Expected behavior
ssh-keygen should not prompt for overwriting a key if nothing is being overwritten
Actual behavior
ssh-keygen
1. prompts to overwrite on an empty Yubikey
2. prompts to overwrite with different applications (e.g. ssh:test1 & ssh:test2)
3. does not overwrite even with the same application IDs
Environment data

```
Name                       Value
----                       -----
PSVersion                  5.1.26100.4768
PSEdition                  Desktop
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0...}
BuildVersion               10.0.26100.4768
CLRVersion                 4.0.30319.42000
WSManStackVersion          3.0
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
```

Version

```
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
```
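An added example, not part of the issue or of the openssh-portable project: a small Python audit that parses the `ykman fido credentials list` table quoted in the report and flags any RP ID that has more than one resident credential, which is the duplicate state the last listing above ends up in. The sample output, its credential IDs and the assumption that only the display-name column may contain spaces are constructed for this example.

```python
"""Audit resident FIDO2 credentials for duplicate SSH application IDs.

Parses the table printed by `ykman fido credentials list` (the layout shown in
the issue: Credential ID, RP ID, Username, Display name) and reports RP IDs
that occur more than once. Feed it captured ykman output; the sample below is
constructed and the credential IDs are placeholders.
"""
from collections import defaultdict

# Constructed sample shaped like the issue's final listing (ssh:test2 twice).
SAMPLE_OUTPUT = """\
Enter your PIN:
Credential ID  RP ID      Username  Display name
aa11bb22...    ssh:test1  openssh   openssh
cc33dd44...    ssh:test2  openssh   openssh
ee55ff66...    ssh:test2  openssh   openssh
"""


def parse_credentials(text):
    """Return (credential_id, rp_id, username, display_name) tuples.

    Everything up to and including the header row is skipped, so a PIN prompt
    or other preamble is harmless. Assumption: only the display name can
    contain spaces, so the first three fields are split off and the rest kept.
    """
    rows, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if not in_table:
            in_table = line.startswith("Credential ID")
            continue
        if not line:
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            raise ValueError(f"unexpected credential row: {line!r}")
        rows.append(tuple(parts))
    return rows


def find_duplicate_rp_ids(rows):
    """Map each RP ID that appears more than once to its credential IDs."""
    by_rp = defaultdict(list)
    for cred_id, rp_id, _user, _display in rows:
        by_rp[rp_id].append(cred_id)
    return {rp: ids for rp, ids in by_rp.items() if len(ids) > 1}


def ssh_rp_ids(rows):
    """Sorted RP IDs in the 'ssh:' scope that ssh-keygen -O application uses."""
    return sorted({rp for _c, rp, _u, _d in rows if rp.startswith("ssh:")})
```

Pipe real output through `parse_credentials` and a non-empty `find_duplicate_rp_ids` result means the token holds stale or duplicate resident SSH credentials that should be cleaned up deliberately rather than left to the overwrite prompt.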