Greetings, I'm using Ansible to manage Debian configurations, and am attempting to add a role to enable multi-factor auth in SSH with public keys and Duo (via libpam-duo).
I almost have the configuration I want, but as part of it - once the libpam-duo package is installed - I need to enable the pam_duo.so module correctly with the included profile using pam-auth-update(8). I can execute this program manually and in the curses dialog select the Duo PAM profile and disable the Unix authentication profile.

This is basically what this dialog looks like when the program is first run:

  PAM profiles to enable:

  [*] Unix authentication
  [ ] Duo Security two-factor authentication

And the desired state when modified:

  PAM profiles to enable:

  [ ] Unix authentication
  [*] Duo Security two-factor authentication

The question I have is: how can this be achieved using Ansible (i.e. automation)?

So far I've tried to manipulate debconf selections by working backwards (determine the desired setting when it's been configured using pam-auth-update, so I can just set it this way using Ansible) but I'm sure this isn't the approach I need:

-libpam-runtime libpam-runtime/profiles multiselect unix
+libpam-runtime libpam-runtime/profiles multiselect duo-unix

I know that when the proper configuration is triggered that the target files in /etc/pam.d/ are modified, but I can't figure out how to call into pam-auth-update from Ansible to set the profiles. I'd rather use the profile and avoid troublesome manual manipulation of the files under /etc/pam.d.

So is there a way other than interactive execution of pam-auth-update to configure/activate the profiles as I'd like? Or put another way, what is the best/correct approach to achieving my goal?

--
Darren Spruell
phatbuck...@gmail.com