Using with AWS CodeCommit

Currently AWS CodeCommit requires an RSA SSH Key (ED25519 not supported) when connecting to the git repos. However, the way CodeCommit works is it generates a random user that you will need to use when connecting to codecommit AFTER you upload your SSH Key to AWS CodeCommit. Therefore, we have no idea what the USER@HOST will be until after the key has been provided to AWS. How can onlykey be used in this scenario?

The onlykey-agent does support RSA keys as stored keys - OnlyKey SSH/GPG agent | Docs

It sounds like if CodeCommit is generating a random user then its not using the user you specify in your SSH public key anyway. It sounds like it just ignores the user@host you specify in your public key if it is then generating a random username. If this is the case you would:

  • Load your RSA signing key into OnlyKey
  • Generate public key (using any username as it’s ignored) i.e.
onlykey-agent user@host -e rsa -sk RSA2
  • Upload your public key
  • Find out what the random username it assigns is
  • From then on use onlykey-agent with that i.e.
onlykey-agent -c randomuser@host -e rsa -sk RSA2


onlykey-agent user@host -e rsa -sk RSA2


libagent.device.interface.DeviceError: Error response length is not a valid public key

I tried creating new keys in gnuPG and then loaded the encryption key to RSA slot 1 with “use for decryption” selected and the signing key to RSA slot 2 with “use for signing” selected to onlykey for measure but still same error.

I have a backup onlykey that I just completely wiped and installed fresh with the v2.1.1 STD firmware. I didn’t load any custom keys and tried it and same error.

I am running ubuntu desktop 20.04.

What size RSA key are you using. RSA-2048 and RSA-4096 are supported.

I generated an RSA-4096 key for E, S and A using gnuPG on ubuntu. works fine on yubikey