182} How do I protect a script, e.g. for a safe access of user passwords?

Probably the safest solution is to use PGP encryption. For example,
one could use an MS-DOS PGP program to keep the following file in
PGP-encrypted form only. (For the details of how to encrypt a file,
download the PGP program package given further down and read its
documentation.)

  @echo off
  :: Set the users and passwords information
  set user1_=foouser
  set pass1_=foopassword

To use that encrypted information one might have e.g. the following
plain script

  @echo off & setlocal enableextensions
  rem Note: Avoid using long filenames (a PGP old version limitation)
  ::
  if defined ProgramW6432 (
    echo/
    echo Exiting: %~f0 is incompatible with a 64-bit OS
    goto :EOF)
  ::
  :: A temporary folder
  set temp_=%temp%
  if defined mytemp if exist "%mytemp%\" set temp_=%mytemp%
  ::
  :: The location of the encrypted and decrypted scripts
  set EncryptedBatch=C:\_M\batch.pgp
  set DecryptedBatch=%temp_%\batch.cmd
  ::
  call :DecryptFile %EncryptedBatch% %DecryptedBatch%
  ::
  call %DecryptedBatch%
  ::
  :: Just for demonstration show that it worked
  echo user1_=%user1_%
  echo pass1_=%pass1_%
  ::
  :: Clean up
  for %%f in (%DecryptedBatch%) do if exist %%f del %%f
  for %%v in (user1_ pass1_) do set %%v=
  ::
  endlocal & goto :EOF
  ::
  :: A decryption subroutine utilizing
  :: 306805 Jan 18 1996 pgp263i.zip
  :: Pretty Good Privacy RSA public key cryptography, P.Zimmermann
  :DecryptFile
  setlocal enableextensions
  set path_=%path%
  set tz_=%TZ%
  set TZ=Europe/Helsinki
  SET PGPPATH=C:\PGP
  SET PATH=%PGPPATH%;%PATH%
  %PGPPATH%\pgp -d %~1 -o %~2
  set path=%path_%
  set path_=
  set TZ=%tz_%
  endlocal & goto :EOF

The (test) output will be something like

  C:\_M>C:\_D\TEST\CMDFAQ.CMD
  Pretty Good Privacy(tm) 2.6.3i - Public-key encryption for the masses.
  (c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-01-18
  International version - not for use in the USA. Does not use RSAREF.
  Current time: 2010/07/19 20:37 GMT
  File is encrypted. Secret key is required to read it.
  Key for user ID: John Doe <john@doe.fi>
  1024-bit key, key ID ABC1234D, created 2003/11/26
  You need a pass phrase to unlock your RSA secret key.
  Enter pass phrase: Pass phrase is good. Just a moment......
  Plaintext filename: C:\_M\TEMP\batch.cmd
  user1_=foouser
  pass1_=foopassword

One potential real-life use of the technique is getting material from,
or putting material to, an FTP site. See Item #84.

Encryption solutions other than PGP could also be used, especially
since PGP encryption is not quite trivial to install on a PC the
first time. A somewhat easier method is to put the confidential
script into a scrambled zipfile.

  @echo off & setlocal enableextensions
  ::
  if defined ProgramW6432 (
    echo/
    echo Exiting: %~f0 is incompatible with a 64-bit OS.
    echo Get e.g. Winzip or similar and its command line plugin
    echo and then customize the script accordingly.
    goto :EOF)
  ::
  :: A temporary folder
  set temp_=%temp%
  if defined mytemp if exist "%mytemp%\" set temp_=%mytemp%
  ::
  :: The files and folders
  set EncryptedBatch=C:\_M\batch.zip
  set DecryptedBatch=batch.cmd
  set TargetFolder=%temp_%
  ::
  :: 207394 Mar 1 1999 pk250dos.exe
  :: PKWARE zip un/archiver, with long filename support
  pkunzip -s "%EncryptedBatch%" "%DecryptedBatch%" "%TargetFolder%"
  ::
  :: Failure?
  if not exist "%TargetFolder%\%DecryptedBatch%" (
    echo Warning: File "%TargetFolder%\%DecryptedBatch%" not found
    echo Incorrect password for decrypting "%EncryptedBatch%"?
    goto :EOF)
  ::
  :: Call the script that was unzipped
  call "%TargetFolder%\%DecryptedBatch%"
  ::
  :: Just for demonstration show that it worked
  echo user1_=%user1_%
  echo pass1_=%pass1_%
  ::
  :: Clean up
  for %%f in ("%TargetFolder%\%DecryptedBatch%") do if exist %%f del %%f
  for %%v in (user1_ pass1_) do set %%v=
  endlocal & goto :EOF

The output

  C:\_M>C:\_D\TEST\CMDFAQ.CMD
  PKUNZIP (R) FAST! Extract Utility Version 2.50 03-01-1999
  Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
  PKUNZIP Reg. U.S. Pat. and Tm. Off.
  Password ? **********
  · Pentium II class CPU detected.
  · XMS version 2.00 detected.
  · DPMI version 0.90 detected.
  Searching ZIP: C:/_M/BATCH.ZIP
  Inflating: C:/_M/TEMP/BATCH.CMD
  user1_=foouser
  pass1_=foopassword
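
An added example, not part of the original FAQ code: the PGP variant
combined with the failure check of the zip variant, decrypting into a
fresh per-run folder and deleting the plaintext as soon as the
variables are loaded. The names WorkDir and :CleanUp are assumptions
made for this sketch; the paths and the PGP call are the ones used above.

```bat
@echo off & setlocal enableextensions
:: Added example, not from the FAQ. WorkDir and :CleanUp are made-up names.
:: Paths and the PGP 2.6.3i call are the ones used in the script above.
::
:: A temporary folder (keep it short: old PGP and long filenames)
set temp_=%temp%
if defined mytemp if exist "%mytemp%\" set temp_=%mytemp%
::
:: A fresh per-run folder. mkdir fails if the name already exists,
:: so a leftover or pre-planted batch.cmd can never be picked up.
set WorkDir=%temp_%\pw%random%
mkdir "%WorkDir%" 2>nul
if errorlevel 1 (
  echo Exiting: could not create a new folder "%WorkDir%"
  goto :EOF
)
set EncryptedBatch=C:\_M\batch.pgp
set DecryptedBatch=%WorkDir%\batch.cmd
::
:: Decrypt, PGP prompts for the pass phrase
set TZ=Europe/Helsinki
set PGPPATH=C:\PGP
set PATH=%PGPPATH%;%PATH%
%PGPPATH%\pgp -d %EncryptedBatch% -o %DecryptedBatch%
::
:: Failure? Call nothing unless this run produced the plaintext
if not exist "%DecryptedBatch%" (
  echo Warning: File "%DecryptedBatch%" not found, decryption failed
  goto :CleanUp
)
::
:: Load the variables, then delete the plaintext before using them
call "%DecryptedBatch%"
call :CleanUp
::
:: ... the work that needs user1_ and pass1_ goes here ...
if defined user1_ echo Credentials loaded for user1_
::
for %%v in (user1_ pass1_) do set %%v=
endlocal & goto :EOF
::
:: Reached by call (returns) or by goto (ends the script)
:CleanUp
if exist "%DecryptedBatch%" del /f /q "%DecryptedBatch%"
if exist "%WorkDir%\" rmdir "%WorkDir%"
goto :EOF
```

Note that del only removes the directory entry, so the plaintext may
stay recoverable on the disk until it is overwritten.
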

> What about running it [the sensitive script] through a batch
> compiler?

A frequent and understandable suggestion. However, no practically
useful batch compiler is known, even if some nominal programs of that
kind exist. This is a fact of batch programming life that has been
discussed every now and then, e.g. in alt.msdos.batch.nt.