
passlib (required for Ansible) is unmaintained #81949

Closed
1 task done
thbar opened this issue Oct 11, 2023 · 10 comments
Labels: affects_2.15, bug (This issue/PR relates to a bug.)

Comments


thbar commented Oct 11, 2023

Summary

Filing this as a bug report but I do not know if this is the most appropriate way to publish that concern.

passlib is used in place of crypt.crypt when using Ansible on Mac (EDIT: and soon for all users, not only Mac ones, see comment below):

https://github.com/ansible/ansible/blob/46623b0a965b2f87c426b7998e8a167f8b012668/lib/ansible/utils/encrypt.py#L94C44-L94C44

But passlib has not seen any releases nor commits in 3 years, as I've reported here:

https://foss.heptapod.net/python-libs/passlib/-/issues/187#note_331857

I am concerned that Ansible users on Mac (including me) would end up with some troubles:

  • security issues if the apparently non-maintained, widely used library gets hacked (& republished on pypi), in particular if 2FA is not enabled for its maintainers over there
  • technical debt (e.g. this library becomes incompatible with Python, or dependencies, or something similar) which could cause future Ansible releases to work slightly less well for Mac users

So I'm opening this issue to discuss that concern.

Let me know if there is a better place if needed, happy to move it where relevant.

Thanks!

Issue Type

Bug Report

Component Name

lib/ansible/utils/encrypt.py

Ansible Version

poetry run ansible --version
ansible [core 2.15.4]
  config file = $$REDACTED$$/ansible.cfg
  configured module search path = ['/Users/thbar/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/thbar/Library/Caches/pypoetry/virtualenvs/ansible-$$REDACTED$$-lWrDoP-v-py3.10/lib/python3.10/site-packages/ansible
  ansible collection location = $$REDACTED$$/collections
  executable location = /Users/thbar/Library/Caches/pypoetry/virtualenvs/ansible-$$REDACTED$$-lWrDoP-v-py3.10/bin/ansible
  python version = 3.10.3 (main, Apr 19 2022, 22:04:15) [Clang 12.0.5 (clang-1205.0.22.11)] (/Users/thbar/Library/Caches/pypoetry/virtualenvs/ansible-$$REDACTED$$-lWrDoP-v-py3.10/bin/python)
  jinja version = 3.1.2
  libyaml = True

Configuration

poetry run ansible-config dump --only-changed -t all
COLLECTIONS_PATHS(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = ['/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/collections']
CONFIG_FILE() = /Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg
DEFAULT_HOST_LIST(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = ['/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/inventory']
DEFAULT_LOAD_CALLBACK_PLUGINS(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = True
DEFAULT_ROLES_PATH(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = ['/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/roles', '/Users/thbar/git/$$REDACTED$$/an>
DEFAULT_STDOUT_CALLBACK(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = yaml
DEFAULT_VAULT_IDENTITY_LIST(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = $$REDACTED

CONNECTION:
==========

ssh:
___
pipelining(/Users/thbar/git/$$REDACTED$$/ansible-$$REDACTED$$/ansible.cfg) = True

OS / Environment

Mac OS X Ventura (13).

Steps to Reproduce

  1. Install Ansible on a Mac
  2. Use encryption related operations
  3. Ansible raises an error to inform the user passlib must be installed

Expected Results

I would expect encryption in Ansible on Mac to use a well-maintained library.

(maybe a community fork is needed given the widespread use)

Actual Results

N/A

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibot ansibot added bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. affects_2.15 labels Oct 11, 2023
ansibot (Contributor) commented Oct 11, 2023

Files identified in the description:

None

If these files are incorrect, please update the component name section of the description or use the component bot command.

thbar (Author) commented Oct 11, 2023

@ansibot component =lib/ansible/utils/encrypt.py

ansibot (Contributor) commented Oct 12, 2023

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the component bot command.

@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Oct 17, 2023
@bcoca bcoca changed the title from "passlib (required on Mac for Ansible) is unmaintained" to "passlib (required for Ansible) is unmaintained" Oct 17, 2023

sivel (Member) commented Oct 17, 2023

We are aware that passlib isn't exactly actively maintained. However, we are also removing support for the python crypt module as it is deprecated, which will require all uses to use passlib. The official python documentation for the crypt module indicates that passlib is the thing that should be used in its place. In short, our options are limited, and as such, there isn't anything we plan to do here right now.

If you have further questions please stop by IRC or the mailing list:

@sivel sivel closed this as not planned (Won't fix, can't repro, duplicate, stale) Oct 17, 2023

thbar (Author) commented Oct 17, 2023

@sivel thanks for the feedback!

> However, we are also removing support for the python crypt module as it is deprecated, which will require all uses to use passlib.

I am surprised that the issue gets closed as a result - the problem I'm describing is going to affect all Ansible users, instead of just the Mac OS ones.

It makes passlib an even more interesting target for account take-over.

> In short, our options are limited, and as such, there isn't anything we plan to do here right now.

I do understand your position (as an OSS maintainer myself :-)), but I believe we should collectively try to ensure the dependencies of the project are not causing harm.

A couple of possibilities are:

  • Reaching out to the maintainers of passlib and trying to ensure they do have 2FA and/or a minimal maintenance team
  • Creating a secured fork

I hope you will reconsider opening this issue for visibility!

I will try to help on the passlib side, but so far I haven't got a reaction from the maintainers.

thbar (Author) commented Oct 17, 2023

> If you have further questions please stop by IRC or the mailing list:
> IRC: #ansible on irc.libera.chat
> mailing list: https://groups.google.com/forum/#!forum/ansible-project

Forgot to add: I will voice my concerns over there, thanks!

thbar (Author) commented Oct 17, 2023

adriantombu commented
Just passing by to give my voice on this one too! I started reading "Ansible: up and running" yesterday and this excerpt made me think of this issue so much that I had to comment.

« There is no Ansible agent listening on a port. Therefore, when you use Ansible, there is no extra attack surface. (There is still an attack surface with software supply chain elements like Python libraries and other imported). »

Coming from the JavaScript ecosystem, I have seen countless times supply chain attacks leading to disasters. I hope we can avoid a future headache with Ansible by mitigating this potential attack somehow ☺️

bcoca (Member) commented Oct 18, 2023

@adriantombu we understand the issue and do not take it lightly, but we do not have the resources to take ownership of yet another dependency nor do we have good alternatives to use as substitutes.

As for hijacking the library, aside from pypi already having taken steps to secure this type of project, most users use distribution packages which add another layer of vetting and security; this is one reason why distributions exist, and most contexts that require security rely on those packages and not the 'language' package managers. Yes, this is also a reason why developers and system admins/operators have clashed since the dawn of computing ...

Another thing to consider is that this is also limited to the password lookup, password_hash filter and the encrypt option of vars_prompt, none of these are crucial to Ansible's security nor secure communications with the targets.

We closed this ticket because there is no foreseeable code solution. It does not mean we are not looking for one, it is just that none of the work towards that is something we would log here as it is going to be mostly 'we tried/looked into X, nothing happened' x100 times.
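The opening report worries about a compromised copy of the library being republished on PyPI, and the reply above points to distribution packages as an extra vetting layer. For installs that do come from PyPI, the usual control is hash pinning: `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest does not match a pin recorded when the package was reviewed. The following is an added example, not code from Ansible, passlib or any commenter, that reimplements that check in plain Python so the behaviour can be seen on constructed input. The package name `example-auth-lib`, its version, the artifact bytes and the resulting hash are all constructed for the demo and do not refer to any real passlib release.

```python
"""Verify package artifacts against hash pins (added example, constructed data).

Mimics what `pip install --require-hashes` enforces: every requirement must
carry at least one `--hash=<algo>:<hex>` pin, and an artifact is accepted only
if its digest equals one of the pins recorded for that requirement. A package
republished with different contents therefore fails to install even if it
keeps the same name and version.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# One hash-pinned requirement: name==version followed by one or more --hash options.
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(\s+--hash=\w+:[0-9a-fA-F]+)+)\s*$"
)
HASH_OPT = re.compile(r"--hash=(?P<algo>\w+):(?P<hex>[0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(requirements_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {normalized name: [(algo, hexdigest), ...]} for a pinned requirements file.

    A requirement without any pin raises ValueError: one unpinned line would
    silently reopen the substitution problem the pins exist to prevent.
    """
    # pip-compile style files continue long lines with a trailing backslash.
    text = requirements_text.replace("\\\n", " ")
    pins: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_LINE.match(line)
        if match is None:
            raise ValueError(f"requirement is not hash-pinned: {raw!r}")
        pins[normalize(match.group("name"))] = [
            (h.group("algo").lower(), h.group("hex").lower())
            for h in HASH_OPT.finditer(match.group("hashes"))
        ]
    return pins


def is_hash_pinned(requirements_text: str) -> bool:
    """True if every requirement in the file carries a hash pin."""
    try:
        parse_pins(requirements_text)
        return True
    except ValueError:
        return False


def verify_artifact(name: str, data: bytes, pins: Dict[str, List[Tuple[str, str]]]) -> bool:
    """True only if data's digest matches a pin recorded for this package name."""
    recorded = pins.get(normalize(name))
    if not recorded:
        return False  # not on the allowlist at all
    for algo, expected in recorded:
        if algo not in hashlib.algorithms_available:
            continue  # unknown algorithm can never satisfy the pin
        if hashlib.new(algo, data).hexdigest() == expected:
            return True
    return False


# Constructed artifacts: the bytes that were reviewed when the pin was recorded,
# and a copy whose contents changed afterwards (same name and version).
TRUSTED_SDIST = b"example-auth-lib 0.0.0 sdist contents (constructed for the demo)"
TAMPERED_SDIST = TRUSTED_SDIST + b" (contents changed after the pin was recorded)"

# The pin is computed once from the reviewed artifact and then stored in the
# requirements file; later installs are checked against this stored value.
PINNED_SHA256 = hashlib.sha256(TRUSTED_SDIST).hexdigest()
REQUIREMENTS = (
    "# constructed requirements file\n"
    f"example-auth-lib==0.0.0 \\\n    --hash=sha256:{PINNED_SHA256}\n"
)


def demo() -> Tuple[bool, bool]:
    """Outcome for the reviewed artifact and for the modified one."""
    pins = parse_pins(REQUIREMENTS)
    return (
        verify_artifact("Example_Auth_Lib", TRUSTED_SDIST, pins),
        verify_artifact("example-auth-lib", TAMPERED_SDIST, pins),
    )


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print(f"reviewed artifact accepted: {ok}, modified artifact accepted: {tampered_ok}")
```

In a real pipeline the pins are produced once from reviewed artifacts (for example with `pip hash` or `pip-compile --generate-hashes` from pip-tools) and committed alongside the requirements file; the check then runs at every install, so a later republish under the same name and version is rejected rather than silently picked up.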

thbar (Author) commented Oct 18, 2023

@bcoca thanks for the detailed input, appreciated!

@ansible ansible locked and limited conversation to collaborators Oct 31, 2023
Development: No branches or pull requests

5 participants