az ssh config --yes --overwrite have no effect

[louim]

Describe the bug

Running az ssh config --yes --overwrite --ip \* --file ./ssh_config does not automatically overwrite the configuration, it still prompt me to overwrite the file. I see the following:

myhomefolder/az_ssh_config/all_ips/id_rsa already exists.
Overwrite (y/n)?

Related command

az ssh config

Errors

No error is generated, but the overwrite flag is not respected.

Issue script & Debug output

cli.knack.cli: Command arguments: ['ssh', 'config', '--yes', '--overwrite', '--ip', '*', '--file', './ssh_config', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x105481fc0>, <function OutputProducer.on_global_arguments at 0x105512b90>, <function CLIQuery.on_global_arguments at 0x10557c040>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ssh': ['azext_ssh']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: ssh                       0.617         1         4  /Users/[REDACTED]/.azure/cliextensions/ssh
cli.azure.cli.core: Total (1)                 0.617         1         4
cli.azure.cli.core: Loaded 1 groups, 4 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ssh config
cli.azure.cli.core: Command table: ssh config
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x106029ab0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/[REDACTED]/.azure/commands/2023-09-12.16-50-31.ssh_config.54480.log'.
az_command_data_logger: command args: ssh config --yes --overwrite --ip {} --file {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x106046440>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x106107e20>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x106107f40>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x105512c20>, <function CLIQuery.handle_query_parameter at 0x10557c0d0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x106107eb0>]
az_command_data_logger: extension name: ssh
az_command_data_logger: extension version: 2.0.1
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/[REDACTED]/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/[REDACTED]/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
cli.azure.cli.core.auth.binary_cache: save: /Users/[REDACTED]/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /Users/[REDACTED]/.azure/msal_http_cache.bin
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "GET /[REDACTED]/v2.0/.well-known/openid-configuration HTTP/1.1" 200 1753
cli.azure.cli.core.auth.binary_cache: save: /Users/[REDACTED]/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /Users/[REDACTED]/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /Users/[REDACTED]/.azure/msal_http_cache.bin
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/[REDACTED]/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/[REDACTED]/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/[REDACTED]/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -f /Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips/id_rsa -t rsa -q -N
/Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips/id_rsa already exists.
Overwrite (y/n)? y
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/[REDACTED]/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/[REDACTED]/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/[REDACTED]/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/[REDACTED]/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "[REDACTED]", "e": "AQAB", "kid": "[REDACTED]"}', 'key_id': '[REDACTED]'}}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), claims=None, kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "[REDACTED]", "e": "AQAB", "kid": "[REDACTED]"}', 'key_id': '[REDACTED]'}}
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '[REDACTED]', 'family_id': '1'}
msal.telemetry: Generate or reuse correlation_id: c47a59fa-acdc-4a52-8845-da7c973bad13
msal.application: Cache attempts an RT
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /[REDACTED]/oauth2/v2.0/token HTTP/1.1" 200 4965
msal.token_cache: event={
    [REDACTED]
}
cli.azext_ssh.custom: Generating certificate /Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips/id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -L -f /Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips/id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -L -f /Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips/id_rsa.pub-aadcert.pub
Generated SSH certificate /Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips/id_rsa.pub-aadcert.pub is valid until 2023-09-12 05:50:40 PM in local time.
cli.azext_ssh.ssh_utils: /Users/[REDACTED]/work/[REDACTED]/az_ssh_config/all_ips contains sensitive information (id_rsa, id_rsa.pub, id_rsa.pub-aadcert.pub). Please delete it once you no longer need this config file.
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x1061055a0>, <function _x509_from_base64_to_hex_transform at 0x106105630>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x106029cf0>]
az_command_data_logger: exit code: 0
cli.__main__: Command ran in 9.469 seconds (init: 0.522, invoke: 8.948)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3758 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.52.0_1/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.52.0_1/libexec/lib/python3.10/site-packages/azure/cli/telemetry/__init__.py /Users/[REDACTED]/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

The config is overwritten without any prompt

Environment Summary

azure-cli 2.52.0

core 2.52.0
telemetry 1.1.0

Extensions:
init 0.1.0
ssh 2.0.1

Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[adam-wood]

I have also tried combinations of --overwrite & --yes --yes-without-prompt -y as documented here with no success in making the command overwrite without a prompt.

[KenBenjamin]

Here's a good workaround:

echo y | az ssh config --ip 10.0.1.4 --file .ssh/config

[Crosswind]

I just stumbled across this exact issue. I specify both --overwrite and --yes-without-promp but I'm still asked whether I want to overwrite the file. Is there any progress on it?
I wanted to provide a fix in the SSH extension but wasn't able to even find the code that produces the prompt. If anyone can point me into the right direction, I'm happy to look into fixing it.

Edit: The prompt is actually from ssh-keygen itself which is why I couldn't find it in the code.
https://github.com/Azure/azure-cli-extensions/blob/afcd1f3597995eb654fb5f5dd4f9bc4614ee883b/src/ssh/azext_ssh/ssh_utils.py#L163-L172
The challenge is that ssh-keygen doesn't have an option that overwrites an existing key file. The CLI has 2 options in my opinion: Delete the existing key to avoid ssh-keygen seeing it or automatically send the y to the command. The latter has the issue that in case some other prompt shows up it is automatically answered with y which may not be intentional.

[lutzwillek-tomtom]

Yes, az ssh config uses ssh-keygen, via cli.azext_ssh.ssh_utils.

So using the workaround echo y | az ssh config indeed has the unintentional drawback that in case any other prompt shows up, this is then answered with y as well.