Hello,
While doing Ansible maintenance work, I discovered that the passlib library used by Ansible (currently only for Mac users) has not seen any release in 3 years.
I am a bit concerned about how interesting it would be as an attack target (especially since it encrypts passwords), e.g. Pypi account take-over.
I have opened various issues:
- https://foss.heptapod.net/python-libs/passlib/-/issues/187 to try to get an update on the passlib maintenance status
- https://github.com/ansible/ansible/issues/81949 to raise awareness about that
While doing so, I have learned that passlib is actually likely to be used for all Ansible users soon, not just Mac ones, which makes an account take-over an even more interesting goal.
The issue has been closed, but I feel this should be taken care of (I have suggested ideas), so I’m voicing my concerns here.
An account take-over of passlib (I don’t know if it has 2FA enabled, for instance) would have potentially massive impact on Ansible users.
If anyone has interesting ideas, let me know!
Thibaut