
adds rclone config

Your Name, 8 months ago
Parent
Current commit
42554a3e4a
10 files changed, 84 insertions and 2 deletions
  1. 78 2
      README.md
  2. Binary
      images/generate-ed25519-key.png
  3. Binary
      images/generated-private-key.png
  4. Binary
      images/launch-puttygen.png
  5. Binary
      images/pageant-shortcut.png
  6. Binary
      images/rclone-config-create.png
  7. Binary
      images/shell-startup.png
  8. Binary
      images/shortcut-properties.png
  9. Binary
      images/winget-install-rclone.png
  10. 6 0
      rclone.conf

+ 78 - 2
README.md

@@ -29,11 +29,87 @@ git push -u origin master
 
 What we can see is that the user made sure that they had a DNS record for `kyleguy.rome7.com` then installed `hugo`.  They pulled a copy of the `pebbleguy.com` repository so that they could execute the `certbot-wrapper.sh` to setup a webserver with a certificate signed by a certificate authority.  They then setup a webroot and added a theme to their static site.  Lastly they committed their site contained in a new `git` repository to `git.pebbleguy.com`.  This is basically what we are going to do in this guide but we need some extra things.  We are going to assume that the Windows user already has `git` setup and they know how to use it.  They are going to need to connect to a remote server because Windows lacks several basic API calls needed for a reliable server.  Idk is reliable is the right word.  They lack the `epoll` API and do not support `select` or `poll` and would rely on a third party [tools](https://www.cygwin.com/).  That is what I actually mean by 'reliable'.  I was saying they need to connect to a remote server which means one needs to be careful and run some commands on the Windows host and some using `SecureShell` on a remote host.  In addition files need to be synced between the local and remote side which means we need a few more tools and configs.  The installation of `Hugo` is the tiniest bit more complex, due to the differences between `Windows Powershell` the end-of-the-road 'powershell' that is installed on Windows, and `Powershell` the [actively developed](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows) but not installed on any version of Windows.  The guide tries to be a little on the verbose side, both becuase I lack clarity, also because this is just a guide hopefully details are useful, but when you fall off a cliff the guide can't catch you, it's just going to watch your inevitible tumble down the mountainside.
 
-This is supposed to be pre-requisites.  If you follow this first some you may be save yourself from difficulties later.
+This is supposed to be pre-requisites.  If you follow this first some you may be save yourself from difficulties later.  To follow this guide we adhere to not storing easily exploitable private keys, especially in a hostile environment like Windows.  We need several tools to support Windows' lack of priorities in this arena.  When we encrypt keys some programs have difficulty with the additional overhead of prompting users to decrypt said keys, oh well.
 
 **Windows does not have ssh-keygen, install it or a replacement:**
 
-Install 
+Install PuTTY by [Simon Tatham](https://www.chiark.greenend.org.uk/~sgtatham/putty/).  Besides the SSH Terminal `PuTTY` program there is also a ssh key generator program called `PuTTYgen`.
+
+![download-and-install-putty](images/simon-tatham-putty.png)
+---
+
+**Launch PuTTYgen and generate a key**
+
+![launch-puttygen](images/launch-puttygen.png)
+
+One can generate any number of ssh-keys, I usually do a 4096-bit RSA key, but I think there is a bug in the `Raspberry PiOS` SecureShell confiuration options that the `Raspberry Pi Foundation` employees have yet to resolve.  The other keys types that I commonly use are `ECDSA` and `Ed25519`.  If you select the `EdDSA` radio button you can follow along, but feel free to try one of the other key types I mentioned.  You then click genrate and move your mouse around a bit in the `Key` window to add a little more noise that what would normally be provided by Windows' entropy pool.  Once the key generates, add a comment and a passphrase.  You may use one of the passwords that you normally give to Microsoft, your bank, and Amazon.  You aren't securing anything super important.  Just trying to obscure access like you normally would with your financial details.  Is that a tongue in my cheek?  Heh.
+
+The last thing to do is save the private key somewhere.  I just put it on my Desktop.  It is encrypted it isn't going to be useful to anybody without my passphrase.
+
+![generated-private-key](images/generated-private-key.png)
+---
+
+**Copy the public key to pebbleguy.com**
+
+In the above screenshot you can see the public key.  I will copy this key to pebbleguy.com.  The private key stays on this local Windows computer on my desktop.  You can just copy the public key to your clipboard and add it to your user's `authorized keys` on pebbleguy.com.  When you sign into pebbleguy.com with SecureShell it looks at your authorized keys (a list of public keys) to determine what private keys could be used for authentication.  Connect to pebbleguy.com and run the below command.  Replace your public key.  You can put my public key if you want but I can already sign into my own user using my key so...  `echo '{{YOUR_PUBLIC_KEY}}' |tee -a ~/.ssh/authorized_keys`.
+
+*If you used `ssh-keygen` to generate a key there should be a companion tool, `ssh-copy-id` that can be used to help install the public key on a remote server.*
+
+```
+echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYtvZuiyun9DQe/6xrxby0iQeLy+jE1JKrpgRrHKbrT windows computer rclone key for kyleguy' |tee -a ~/.ssh/authorized_keys
+```
+---
+
+**Add a Pageant shortcut to Windows startup**
+
+Encrypting private keys to prevent a number of security flaws will expose us to some harsh realities.  Windows' keystore, `Windows Credential Store` is not well known, lacks documentation and is riddled with Microsoftisms.  Towards this guide the unsupported nature of the keystore is most impactful.  We are going to be using `Rclone` which doesn't natively support decrypting private keys.  They do however support requesting an external program to decrypt a key, but not the `Windows Credential Store`.  Luckly though, the author of `PuTTY` also wrote a minimal keystore called `Pageant`.  It only supports ssh-keys but with ssh-keys being the defacto key this really doesn't matter.  We could also use `Gpg4win` which was funded by [Bundesamt für Sicherheit in der Informationstechnik](https://www.bsi.bund.de/DE/Home/home_node.html) (Germany's Federal Office for Information Security)  but since we are focused on ssh-keys we are going to use the smaller footprint solution.  I say smaller, in today's world both these solutions are microscopic specs of dust compared to the softwares that are considered "lightweight".  The `Pageant` software is bundled with the `PuTTY` installer so once you install `PuTTY` we can setup `Pageant` to load when Windows loads.
+
+*If you are using `ssh-keygen` you should also have access to `ssh-agent` which can be configured to aid `Rclone` with encrypted keys.  GNU's `GPG-agent` would do the same thing but I'm not sure what would happen if `Rclone` made a request.*
+
+![run-shell-startup](images/shell-startup.png)
+---
+
+**Tell Pageant about our key**
+
+Using the shortcut we just created, we will provide `Pageant` a way to find our key.
+
+The Windows properties dialog window has a tab, `Shortcut` with a `taget` property that you will set to a value like this:
+```
+"C:\Program Files\PuTTY\pageant.exe" --encrypted C:\Users\valued-customer\Desktop\windows-rclone-key-for-kyleguy.ppk
+```
+
+The `--encrypted` is a flag that tells `Pageant` that the key is encrypted and to not prompt for the user to enter a passphrase until it is used for the first time.  This is an annoyance preventer as by default it will startup with Windows and immediately prompt for the passphrase regardless if you are going to be using the key.  When `Pageant` launches it will put a task manager GUI shortcut in the taskbar.  One can view what keys `Pageant` knows about.  Later `Rclose` will be able to ask `Pageant` to authenticate ourselves with pebbleguy.com.
+
+![shortcut-properties](images/shortcut-properties.png)
+--- 
+
+**Install Rclone**
+Windows does not have any good generic file synchronization tools.  Nick Craig-Wood wrote a synchronization tool focused on commercial cloud storage products and his team ported it to Windows.  I've never used it but [Rclone](https://rclone.org/) seems well liked and well supported.  Compiled released binaries can be had using the Windows package manager `winget`.
+
+```
+winget install Rclone.Rclone
+```
+---
+
+**Add an Rclone config for kyleguy**
+
+We can tell `Rclone` about our website and a scheme to update the webserver with changes made to our local static site by providing it configuration directives.  Using a Windows terminal, we can issue this `Rclone` command to generate a config file.  Additional configuration [documentation](https://rclone.org/commands/rclone_config/) is available online.  This will make it easier to provide all the details to `Rclone` every time it is envoked.
+
+By default this will put the config file into your Windows AppData path, `C:\Users\valued-customer\AppData\Roaming\rclone\`.  This is fine, we could also store the config somewhere else like the repository.  I'll include both incase one seems better.  Just don't get clever and store your private key in the repository.  This config has few little security implications, in mine I leak just my pebbleguy.com username, `jb6113`.  As stated earlier we are not leaving unencrypted keys on Windows so we explicitly avoid the directive telling `Rclone` about our key: `key_file "C:\Users\valued-customer\Desktop\windows-rclone-key-for-kyleguy.pem"`.  This won't work anyways as our key if formatted as a `.ppk` so the `Rclone` wouldn't be able to read it as-is.  Instead we tell `Rclone` to use an ssh-agent, this is set to true by default but we are going to explicitly set it.
+
+Default path:
+```
+rclone config create kyleguy sftp host "pebbleguy.com" user "jb6113" key_use_agent "true"
+```
+
+Copy config to our `Hugo` static site project repository `rclone.conf`:
+```
+cp 'C:\Users\valued-customer\AppData\Roaming\rclone\rclone.conf' 'C:\Users\valued-customer\Desktop\kyleguy\'
+```
+
+![create-rclone-configure-file](images/rclone-config-create.png)
+---
+
 
 ## a place called home, or maybe webroot
 Base directory.  Home.  Root.  C Drive.  What other names are there? Maybe `A:` or `/`.  The place that is the container for the stuff.  Or the directory that holds all the files.  Folders if you like that better.  The `webroot` is a name that does not mean anything except for when you care about it.  If it were your job to organize a party you'd probably pick a place and tell everyone to meet there.  For this tiny amount of time that location is special.  It is ground zero for where the party will happen.  People who aren't at the specified location aren't at the party.  Your party isn't the only party.  In fact it might not even be the only party at the location that you picked.  The point is that you picked a location made it special because you said it was.  This is the same for a webroot.  You are just picking some arbitrary location on a disk and you are going to tell everyone if they want to party at your website they need to go there.  When you follow the instructions for the site setup you will need to tell `NginX` about this location.  I am going to pick the location and we are going to put some files there to serve up at the party.  How long can I draw out this metaphore?  Forever.
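Review bot: the key-install command `echo '{{YOUR_PUBLIC_KEY}}' |tee -a ~/.ssh/authorized_keys` (and the ed25519 example right below it) assumes `~/.ssh` already exists and says nothing about permissions; with sshd's default `StrictModes yes`, a group- or world-writable `~/.ssh` or `authorized_keys` makes the server silently ignore the file, and appending to an `authorized_keys` that lacks a trailing newline fuses the new key onto the previous line. Suggest `mkdir -p -m 700 ~/.ssh`, then `echo '...' >> ~/.ssh/authorized_keys` followed by `chmod 600 ~/.ssh/authorized_keys`, and a plain PuTTY login test before relying on Pageant plus rclone. Three smaller points in the same hunk: the passphrase paragraph tells the reader to reuse a bank or Microsoft password, which undercuts the "not storing easily exploitable private keys" goal stated a few lines earlier even as a joke, so say unique passphrase; the rclone paragraph says `key_use_agent` "is set to true by default", but rclone's sftp docs list that option as defaulting to false (rclone only falls back to the agent on its own when neither `key_file` nor `pass` is configured), so keep the explicit `key_use_agent "true"` but drop the default claim; and the image references do not match the files in this commit: `images/simon-tatham-putty.png` is embedded but not added, while `images/generate-ed25519-key.png`, `images/pageant-shortcut.png` and `images/winget-install-rclone.png` are added but never referenced. Typos worth a pass: `Rclose`, `confiuration`, `genrate`, `becuase`, `inevitible`, `envoked`, `taget`, `Luckly`, `metaphore`.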

Binary
images/generate-ed25519-key.png


Binary
images/generated-private-key.png


Binary
images/launch-puttygen.png


Binary
images/pageant-shortcut.png


Binary
images/rclone-config-create.png


Binary
images/shell-startup.png


Binary
images/shortcut-properties.png


Binary
images/winget-install-rclone.png


+ 6 - 0
rclone.conf

@@ -0,0 +1,6 @@
+[kyleguy]
+type = sftp
+host = pebbleguy.com
+user = jb6113
+key_use_agent = true
+
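Review bot: the `[kyleguy]` remote has no `known_hosts_file`, and rclone's sftp backend only validates the server host key when that option is set, so as committed this config will happily sync to whatever answers as `pebbleguy.com`. Suggest adding `known_hosts_file = C:\Users\valued-customer\.ssh\known_hosts` (or a known_hosts file kept next to this one in the repository) containing pebbleguy.com's host key in OpenSSH format. Two documentation points for the README that references this file: rclone reads the AppData copy by default, so the copy committed here is only honoured when rclone is run with `--config .\rclone.conf`; and now that the file lives in the repository, the README's "don't store your private key in the repository" warning should explicitly say never to add `pass =` or `key_file =` to this file, since those are the two directives that would turn a harmless username leak into a credential leak.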