"ssh-keygen -K" returns "invalid format" when restoring FIDO2 ssh keys on a new machine

[ENChauhan]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest version
• Search the existing issues.

Steps to reproduce

I have an SSH key stored on my FIDO2 security key (Yubikey), and a new work laptop to set up.
I'm running ssh-keygen -K to regenerate the key handle file, but the command fails with Unable to load resident keys: invalid format after submitting my FIDO2 PIN.

Unfortunately the logs don't give enough information to debug this further so I'm a bit stuck. Any help would be appreciated.

Expected behavior

PS C:\Users\nikn\.ssh> ssh-keygen -K
Enter PIN for authenticator:
You may need to touch your authenticator to authorize key download.
<LOAD_RESIDENT_KEYS>

Actual behavior

PS C:\Users\nikn\.ssh> ssh-keygen -K -vvv
Enter PIN for authenticator:
You may need to touch your authenticator to authorize key download.
debug1: find_helper: using "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: Creating process with CREATE_NO_WINDOW
debug3: spawning "C:\\WINDOWS\\System32\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=25496
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=25496
Unable to load resident keys: invalid format

PS C:\Users\nikn\.ssh> ssh -V
OpenSSH_for_Windows_9.5p2, LibreSSL 3.8.2

Error details

Environment data

PS C:\Users\nikn\.ssh> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.26100.7462
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.7462
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_9.5p2

Visuals

No response

[gbloice]

Same error result using OpenSSH_for_Windows_10.0p2 Win32-OpenSSH-GitHub, LibreSSL 4.2.0 and PS 7.5.4.

[ENChauhan]

Figured out a workaround:

1. Open a Powershell session as a local administrator. In this admin shell:

# Start the ssh-agent
Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
ssh-keygen -K # Prompts for Yubikey PIN and touch, enter passphrase if set or Enter to skip
Get-ChildItem #  Should see 2 new files, we don’t care about the .pub for this
# Set standard user account as the file owner
$path = C:\<PATH_TO_SSH_FILE> # Not the .pub file
$owner = New-Object System.Security.Principal.NTAccount("DOMAIN\initials") # Edit as required
$acl = Get-Acl -Path $path
$acl.SetOwner($owner)
Set-Acl $path -AclObject $acl
Get-Acl -Path $path | Format-List # Should now show you as Owner

2. In file explorer (or non-admin powershell session), edit the file permissions of the ssh file:
   Right-click -> Properties -> Security tab -> Edit...
   Give yourself Allow Full Access
   Give SYSTEM Allow Read Only
   Give all other accounts Deny All

3. In a non-admin powershell session:
   ssh-add <PATH_TO_SSH_FILE>

Core problem remains that you shouldn't need an administrator PoSH to restore keys, especially since it's not needed to create new ones.