Deploying Python applications typically requires SSH keys. An SSH key has both a public and a private key file. You can use the private key to authenticate when syncing remote Git repositories, connect to remote servers and automate your application's deployments via configuration management tools like Ansible. Let's learn how to generate SSH key pairs on macOS Sierra.
Bring up a new terminal window on macOS by going into Applications/Utilities and opening "Terminal".
The ssh-keygen
command provides an interactive command line interface for
generating both the public and private keys. Invoke ssh-keygen
with the
following -t
and -b
arguments to ensure we get a 4096 bit RSA key. Note
that you must use a key with 2048 or more bits in macOS Sierra or the
system will not allow you to connect to servers with it.
Optionally, you can also specify your email address with -C
(otherwise
one will be generated off your current macOS account):
ssh-keygen -t rsa -b 4096 -C [email protected]
The first prompt you will see asks where to save the key. However, there are actually two files that will be generated: the public key and the private key.
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/matt/.ssh/id_rsa):
This prompt refers to the private key and whatever you enter will also
generate a second file for the public key that has the same name and .pub
appended.
If you already have a key then specify a new filename. I use many SSH keys so I oftne name them "test-deploy", "prod-deploy", "ci-server" along with a unique project name. Naming is one of those hard computer science problems, so take some time to come up with a system that works for you!
Next you will see a prompt for an optional passphrase:
Enter passphrase (empty for no passphrase):
Whether or not you want a passphrase depends on how you will use the key. The system will ask you for the passphrase whenever you use the SSH key, although macOS can store the passphrase in your system Keychain after the first time you enter it. However, if you are automating deployments with a continuous integration server like Jenkins then you will not want a passphrase.
Note that it is impossible to recover a passphrase if it is lost. Keep that passphrase safe and secure because otherwise a completely new key would have to be generated.
Enter the passphrase (or just press enter to not have a passphrase) twice. You'll see some output like the following:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/matt/.ssh/deploy_prod.
Your public key has been saved in /Users/matt/.ssh/deploy_prod.pub.
The key fingerprint is:
SHA256:UnRGH/nzYzxUFS9jjd0wOl1ScFGKgW3pU60sSxGnyHo [email protected]
The key's randomart image is:
+---[RSA 4096]----+
| ..+o++**@|
| . +.o*O.@=|
| . oo*=B.*|
| . . =o=+ |
| . S E. +oo |
| . . . =.|
| . o|
| |
| |
+----[SHA256]-----+
Your SSH key is ready to use!
Now that you have your public and private keys, I recommend building and deploying some Python web apps such as:
Additional ssh-keygen
command resources:
Questions? Contact me via Twitter @fullstackpython or @mattmakai. I'm also on GitHub with the username mattmakai.
See something wrong in this post? Fork this page's source on GitHub and submit a pull request.