Voicing my concerns with passlib (security) and its larger adoption by Ansible


Thibaut Barrère

Oct 17, 2023, 12:49:35 PM
to Ansible Project
Hello,

While doing Ansible maintenance work, I discovered that the passlib library used by Ansible (currently only for Mac users) has not seen any release in 3 years.

I am a bit concerned about how interesting it would be as an attack target (especially since it encrypts passwords), e.g. a PyPI account take-over.

I have opened various issues:
https://foss.heptapod.net/python-libs/passlib/-/issues/187 to try to get an update on the passlib maintenance status
https://github.com/ansible/ansible/issues/81949 to raise awareness about that

While doing so, I have learned that passlib is actually likely to be used for all Ansible users soon, not just Mac ones, which makes an account take-over an even more interesting goal.

The issue has been closed, but I feel this should be taken care of (I have suggested ideas), so I'm voicing my concerns here.

An account take-over of passlib (I don't know if it has 2FA enabled, for instance) would have potentially massive impact on Ansible users.

If anyone has interesting ideas, let me know!

Thibaut
--
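The two signals the post raises, a dependency whose newest upload is years old and a pin that is not locked to an artifact hash, can both be checked mechanically before a release. The script below is an added example (not code from the post, from Ansible or from passlib): it audits a requirements file against the `releases` map of PyPI's JSON API (`https://pypi.org/pypi/<name>/json`), flagging stale packages, pins without a `--hash=`, and pinned hashes that do not match any artifact on record. All package data, versions, dates and digests in it are constructed stand-ins, not real passlib metadata; the function names are my own.

```python
"""Audit pinned dependencies for staleness and missing/mismatched hash pins.

Added example; the SAMPLE_* data is constructed to look like PyPI's JSON API
"releases" map, and does not describe the real passlib project.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sha256 digests (64 hex chars each); hypothetical values.
DIGEST_OLD = "11" * 32
DIGEST_MID = "22" * 32
DIGEST_NEW = "33" * 32

# Constructed stand-in for the "releases" map of https://pypi.org/pypi/<name>/json.
SAMPLE_RELEASES = {
    "passlib": {
        "1.7.4": [
            {"upload_time_iso_8601": "2020-10-08T19:00:00.000000Z",
             "digests": {"sha256": DIGEST_OLD}},
        ],
    },
    "fresh-lib": {
        "2.0.0": [
            {"upload_time_iso_8601": "2023-03-01T10:00:00.000000Z",
             "digests": {"sha256": DIGEST_MID}},
        ],
        "2.1.0": [
            {"upload_time_iso_8601": "2023-09-01T10:00:00.000000Z",
             "digests": {"sha256": DIGEST_NEW}},
        ],
    },
}

# Constructed requirements file: one hash-pinned line, one bare version pin.
SAMPLE_REQUIREMENTS = f"""\
passlib==1.7.4 --hash=sha256:{DIGEST_OLD}
fresh-lib==2.1.0
"""

# "Today" for the age calculation; fixed to the thread's date so runs are reproducible.
NOW = datetime(2023, 10, 17, tzinfo=timezone.utc)


def parse_upload_time(stamp: str) -> datetime:
    """PyPI emits ISO-8601 with a trailing Z; normalise so fromisoformat accepts it."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def latest_upload(releases: dict) -> datetime | None:
    """Newest upload time across every version and file of one package."""
    stamps = [parse_upload_time(f["upload_time_iso_8601"])
              for files in releases.values() for f in files]
    return max(stamps) if stamps else None


def parse_requirements(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (name, version, hashes) for each `name==version [--hash=algo:hex ...]` line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==(\S+)(.*)$", line)
        if not m:
            continue  # only exact pins are audited here
        name, version, rest = m.groups()
        out.append((name.lower(), version, re.findall(r"--hash=(\S+)", rest)))
    return out


def audit(requirements: str, releases: dict, now: datetime = NOW,
          max_age_days: int = 365) -> list[tuple[str, str]]:
    """Return sorted (package, issue) findings.

    Issues: unknown_package (not in the index data), stale (newest upload older
    than max_age_days), unpinned_hash (no --hash= on the pin), hash_mismatch
    (pinned hash matches no artifact of that version, which is exactly what a
    silently replaced upload would look like).
    """
    findings = []
    for name, version, hashes in parse_requirements(requirements):
        pkg = releases.get(name)
        if pkg is None:
            findings.append((name, "unknown_package"))
            continue
        newest = latest_upload(pkg)
        if newest is None or (now - newest).days > max_age_days:
            findings.append((name, "stale"))
        if not hashes:
            findings.append((name, "unpinned_hash"))
        else:
            known = {"sha256:" + f["digests"]["sha256"] for f in pkg.get(version, [])}
            if not known & set(hashes):
                findings.append((name, "hash_mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for package, issue in audit(SAMPLE_REQUIREMENTS, SAMPLE_RELEASES):
        print(f"{package}: {issue}")
```

Run against the constructed data, the audit reports `passlib` as stale (its only upload is about three years before the thread) and `fresh-lib` as lacking a hash pin. A stale finding is a prompt to look at maintenance status, as the post does; the hash-pin findings are what actually limits the blast radius of a compromised publisher account, because a replaced artifact fails the `--hash=` check at install time instead of being pulled in silently.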
