Hello,
While doing Ansible maintenance work, I discovered that the passlib library used by Ansible (currently only for Mac users) has not seen any release in 3 years.
I am a bit concerned about how interesting it would be as an attack target (especially since it encrypts passwords), e.g. Pypi account take-over.
I have opened various issues:
While doing so, I have learned that passlib is actually likely to be used for all Ansible users soon, not just Mac ones, which makes an account take-over an even more interesting goal.
The issue has been closed, but I feel this should be taken care of (I have suggested ideas), so I'm voicing my concerns here.
An account take-over of passlib (I don't know if it has 2FA enabled, for instance) would have potentially massive impact on Ansible users.
If anyone has interesting ideas, let me know!
Thibaut
--