Re: Expired GPG keys of older release
On 6/19/2018 10:55 PM, Adam Cecile wrote:
> On 06/19/2018 10:48 PM, Don Armstrong wrote:
>> On Tue, 19 Jun 2018, Adam Cecile wrote:
>>> That's a pity, don't you think so ? I think Debian should renew the
>>> archive key, so we can still verify packages signatures.
>>
>> You can still verify them. Key expiration doesn't make existing
>> signatures invalid. [Indeed, gpgv doesn't even check for expired keys.]
>
> With apt ? I had to set allowunauthenticated = 1 in apt.conf, otherwise
> apt wouldn't install anything.

Can you give us the warning/error you're getting?

--
John Doe

Re: Expired GPG keys of older release
On 06/19/2018 10:48 PM, Don Armstrong wrote:
> On Tue, 19 Jun 2018, Adam Cecile wrote:
>> That's a pity, don't you think so ? I think Debian should renew the
>> archive key, so we can still verify packages signatures.
>
> You can still verify them. Key expiration doesn't make existing
> signatures invalid. [Indeed, gpgv doesn't even check for expired keys.]

With apt ? I had to set allowunauthenticated = 1 in apt.conf, otherwise
apt wouldn't install anything.

Re: USB Host-Host cables
On Tuesday, June 19, 2018 09:59:28 AM to...@tuxteam.de wrote:
> Parallel doesn't necessarily mean 8 bit. And 100BaseT sends three voltage
> levels over the differential pair, so it's a tad more than 1.5 bits per
> "wire". But then, it's 4B5B (because it has to weave in the clock) so
> it's a tad less. 1 gigabit uses more pairs, but I guess each one is used
> serially (because of clock skew), so it's more like "a bundle of serial",

A good description ("bundle of serial").

> and uses a more complex modulation (PAM), so it's more bits/baud even.
>
> I think the "classical" distinction serial/parallel breaks down a bit
> here...

Re: Expired GPG keys of older release
Hello,

On Tue, Jun 19, 2018 at 09:52:42PM +0200, john doe wrote:
> Reading:
>
> https://wiki.debian.org/DebianKeyring
>
> you could try:
>
> "# Fetch a key from the keyring
> $ gpg --keyserver keyring.debian.org --recv-key 0xkeyid"

It won't help because the problem isn't that the keys are missing, it's
that the keys are expired. All the above will do is get another copy of
the key, which is still expired.

If you need to use an EOL release, all you can do is ignore the warnings
about expired keys.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: trouble installing deb 9.4
On Mon, 18 Jun 2018 19:52:32 +0200 Pascal Hambourg wrote:
>
> On Monday 18 June 2018 10:42:22 Patrick Bartek wrote:
> [snip]
>
> >> You can't mix UEFI and MBR. It's either one or the other.
>
> Actually you can. The Debian installer can boot either in legacy BIOS
> or native EFI mode. So does a Debian system when installed properly.

Good to know there's been progress. Last time I researched this option
when installing Wheezy (5 years ago) on a multi-boot set up that was all
MBR, it was not recommended to mix-n-match. I had Windows XP as one of
the OSes, too.

That system is still alive and well though the hardware has been upgraded
numerous times, and only holds two OSes now -- Wheezy and Stretch, it's
still MBR. It was just easier to install Stretch that way even though I
chainload it off Wheezy's grub. (I prefer to keep OS grubs separate.)
Plus, I had no real need of the features that UEFI offers. KISS -- Keep
It Simple, Stupid.

FWIW: I run old XP in a VM now. Actually, it performs better than running
it natively.

B

Re: port knocking
On 19.06.2018 22:24, john doe wrote:
> On 6/19/2018 10:04 PM, basti wrote:
>> Hello,
>> I try to use port knocking and would be happy to do this in ssh config
>> file.
>>
>> To open the port I can use ProxyCommand with a wrapper script like
>>
>> ProxyCommand bash -c 'wrapper.sh %h port1 port2 ... portX; nc %h %p'
>>
>> so far so good.
>>
>> But if I understand port knocking in the right way I must close the port
>> after disconnect?
>>
>> I haven't found a way for this like post-connect in ssh config.
>>
>> Has anyone a suggestion how it can be implemented?
>>
>
> Any reasons why you can't let your firewall handle the port knocking
> functionality?
>

I open the port with iptables, and then?
Can you please explain?

Re: port knocking
On 6/19/2018 10:30 PM, basti wrote:
> On 19.06.2018 22:24, john doe wrote:
>> On 6/19/2018 10:04 PM, basti wrote:
>>> Hello,
>>> I try to use port knocking and would be happy to do this in ssh config
>>> file.
>>>
>>> To open the port I can use ProxyCommand with a wrapper script like
>>>
>>> ProxyCommand bash -c 'wrapper.sh %h port1 port2 ... portX; nc %h %p'
>>>
>>> so far so good.
>>>
>>> But if I understand port knocking in the right way I must close the port
>>> after disconnect?
>>>
>>> I haven't found a way for this like post-connect in ssh config.
>>>
>>> Has anyone a suggestion how it can be implemented?
>>
>> Any reasons why you can't let your firewall handle the port knocking
>> functionality?
>
> I open the port with iptables, and then?
> Can you please explain?

I can only give you this:

https://wiki.archlinux.org/index.php/Port_knocking#Port_knocking_with_iptables_only
https://askubuntu.com/questions/867261/ssh-client-port-knocking-execute-command-before-connecting

From what I understand you don't need to close the ports after connection.

--
John Doe

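Added example, not posted by anyone in the thread: a generator for an iptables-only knocking ruleset that shows why nothing has to be closed on disconnect (the SSH rule admits new connections only for a short window after the last knock, and open sessions continue through the ESTABLISHED rule). It generalizes to any number of knock ports; the port numbers, the 30-second window and the chain and list names are assumptions.

```shell
#!/bin/sh
# Added example, not posted in the thread: print an iptables-restore ruleset
# for iptables-only port knocking. Chain and list names are arbitrary.
# usage: knock_ruleset SSH_PORT WINDOW_SECONDS KNOCK_PORT [KNOCK_PORT...]
knock_ruleset() (
    [ "$#" -ge 3 ] || { echo "usage: knock_ruleset SSH_PORT WINDOW_SECONDS KNOCK_PORT..." >&2; exit 2; }
    ssh_port=$1
    window=$2
    shift 2
    case $window in ''|*[!0-9]*) echo "bad window: $window" >&2; exit 2 ;; esac
    for p in "$ssh_port" "$@"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; exit 2 ;; esac
        { [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; } || { echo "bad port: $p" >&2; exit 2; }
    done

    # The "recent" list K<i> holds sources that completed knock number i.
    # Each later stage is prepended, so the most advanced stage is tested first.
    decls="" sets="" stages="" i=0
    for port in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq 1 ]; then
            block="-A KNOCK -p tcp --dport $port -m recent --name K1 --set -j DROP"
        else
            prev=$((i - 1))
            decls="${decls}:KNOCK-STAGE$i - [0:0]
"
            sets="${sets}-A KNOCK-STAGE$i -m recent --name K$i --set -j DROP
"
            block="-A KNOCK -p tcp --dport $port -m recent --rcheck --seconds $window --name K$prev -j KNOCK-STAGE$i
-A KNOCK -m recent --name K$prev --remove -j DROP"
        fi
        stages="$block
$stages"
    done

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:KNOCK - [0:0]
${decls}-A INPUT -i lo -j ACCEPT
# Replies and already-open sessions are accepted here, so an SSH session
# outlives the knock window and nothing has to be closed on disconnect.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j KNOCK
# New SSH connections pass only within $window s of the last knock.
-A KNOCK -p tcp --dport $ssh_port -m recent --rcheck --seconds $window --name K$i -j ACCEPT
# Any other new packet from a listed source discards its progress.
-A KNOCK -m recent --name K$i --remove -j DROP
${stages}-A KNOCK -j DROP
${sets}COMMIT
EOF
)

# Constructed values: SSH on 22, 30-second window, knocks on 7000, 8000, 9000.
# To check the syntax without loading it, pipe into: iptables-restore --test
knock_ruleset 22 30 7000 8000 9000
```

Other services on the host need their own ACCEPT rules ahead of the jump to KNOCK, since that chain ends in DROP.
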
Re: Expired GPG keys of older release
On Tue, 19 Jun 2018, Adam Cecile wrote:
> That's a pity, don't you think so ? I think Debian should renew the
> archive key, so we can still verify packages signatures.

You can still verify them. Key expiration doesn't make existing
signatures invalid. [Indeed, gpgv doesn't even check for expired keys.]

--
Don Armstrong                      https://www.donarmstrong.com

Where I sleep at night, is this important compared to what I read
during the day? What do you think defines me? Where I slept or what I
did all day?
 -- Thomas Van Orden of Van Orden v. Perry

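Added example, not from the thread: a small classifier for the status lines GnuPG writes with --status-fd, which separates a signature that verifies but was made by a now-expired key (EXPKEYSIG) from a bad or unverifiable one, so the caller can apply its own policy to an EOL release. The key ID, user ID and timestamp in the sample input are constructed, and verify_detached is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not from the thread. Reads GnuPG --status-fd lines on stdin,
# prints a verdict plus the key IDs involved, and returns:
#   0  good signature from a usable key
#   2  signature verifies, but the signing key has expired (policy decision)
#   1  bad signature, revoked key, expired signature, missing key, or none
classify_sig() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { good    = good    " " $3 }
        $2 == "EXPKEYSIG" { expkey  = expkey  " " $3 }
        $2 == "BADSIG"    { bad     = bad     " " $3 }
        $2 == "REVKEYSIG" { other   = other   " revoked-key:" $3 }
        $2 == "EXPSIG"    { other   = other   " expired-signature:" $3 }
        $2 == "NO_PUBKEY" { missing = missing " " $3 }
        $2 == "ERRSIG"    { err = 1 }
        END {
            # One bad signature taints the file, whatever else is present.
            if (bad != "")    { print "bad" bad; exit 1 }
            if (good != "")   { print "good" good; exit 0 }
            if (expkey != "") { print "valid-key-expired" expkey; exit 2 }
            if (other != "")  { print "rejected" other; exit 1 }
            if (missing != "" || err) { print "unverifiable" missing; exit 1 }
            print "no-signature"; exit 1
        }'
}

# Hypothetical wrapper: check a detached signature (for example Release.gpg
# over Release) against a keyring given by absolute path.
# usage: verify_detached KEYRING SIGNATURE FILE
verify_detached() {
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null | classify_sig
}

# Constructed status lines, shaped like the result for a file signed by a key
# that has since expired.
classify_sig <<'EOF' || echo "exit status: $?"
[GNUPG:] KEYEXPIRED 1500000000
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Constructed Archive Signing Key (example)
EOF
```
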
Re: port knocking
On 6/19/2018 10:04 PM, basti wrote:
> Hello,
> I try to use port knocking and would be happy to do this in ssh config
> file.
>
> To open the port I can use ProxyCommand with a wrapper script like
>
> ProxyCommand bash -c 'wrapper.sh %h port1 port2 ... portX; nc %h %p'
>
> so far so good.
>
> But if I understand port knocking in the right way I must close the port
> after disconnect?
>
> I haven't found a way for this like post-connect in ssh config.
>
> Has anyone a suggestion how it can be implemented?

Any reasons why you can't let your firewall handle the port knocking
functionality?

--
John Doe

port knocking
Hello,
I try to use port knocking and would be happy to do this in ssh config
file.

To open the port I can use ProxyCommand with a wrapper script like

ProxyCommand bash -c 'wrapper.sh %h port1 port2 ... portX; nc %h %p'

so far so good.

But if I understand port knocking in the right way I must close the port
after disconnect?

I haven't found a way for this like post-connect in ssh config.

Has anyone a suggestion how it can be implemented?

Best Regards,
Basti

Re: Expired GPG keys of older release
On 6/19/2018 8:33 PM, john doe wrote:
> On 6/19/2018 9:22 AM, Adam Cecile wrote:
>> Hello,
>>
>> GPG key that signed the Squeeze repo is now expired. How should I handle
>> this properly ? Despite the key is expired, it used to be valid and I
>> don't like much the idea of going for [trusted=yes] for each impacted
>> sources.list entry.
>
> Sadly, if the expiry date of the key is not extended there is little you
> can do beyond ensuring that the key in your keyring is up-to-date which
> is normally done automatically on Debian.
>
> Googling this gives some things to try.

Reading:

https://wiki.debian.org/DebianKeyring

you could try:

"# Fetch a key from the keyring
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid"

Where <0xkeyid> is the keyid to be updated.

$ --refresh-keys

I don't use squeeze so I can't properly test it! :)

--
John Doe

Show event from KOrganizer to Panel calendar
Hi all!

I am currently using Debian Stretch and I would like to see the events
configured in KOrganizer (which in turn synchronizes with Horde) in the
calendar that is displayed when I click on the clock.

I have been able to show the holidays but I was researching for the way
to show the personalized events in KOrganizer but I have not been able to
get it.

Any clues would be appreciated.

Thanks in advance.

Kind regards, Daniel

Re: Expired GPG keys of older release
That's a pity, don't you think so ? I think Debian should renew the
archive key, so we can still verify packages signatures.

On June 19, 2018 8:33:21 PM GMT+02:00, john doe wrote:
> On 6/19/2018 9:22 AM, Adam Cecile wrote:
>> Hello,
>>
>> GPG key that signed the Squeeze repo is now expired. How should I handle
>> this properly ? Despite the key is expired, it used to be valid and I
>> don't like much the idea of going for [trusted=yes] for each impacted
>> sources.list entry.
>
> Sadly, if the expiry date of the key is not extended there is little you
> can do beyond ensuring that the key in your keyring is up-to-date which
> is normally done automatically on Debian.
>
> Googling this gives some things to try.
>
> --
> John Doe

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Expired GPG keys of older release
On 6/19/2018 9:22 AM, Adam Cecile wrote:
> Hello,
>
> GPG key that signed the Squeeze repo is now expired. How should I handle
> this properly ? Despite the key is expired, it used to be valid and I
> don't like much the idea of going for [trusted=yes] for each impacted
> sources.list entry.

Sadly, if the expiry date of the key is not extended there is little you
can do beyond ensuring that the key in your keyring is up-to-date which
is normally done automatically on Debian.

Googling this gives some things to try.

--
John Doe

Re: Using config management to automate pam-auth-update(8) change
Darren S. wrote:
> I know that when the proper configuration is triggered that the target
> files in /etc/pam.d/ are modified, but I can't figure out how to call
> into pam-auth-update from Ansible to set the profiles. I'd rather use
> the profile and avoid troublesome manual manipulation of the files
> under /etc/pam.d. So is there a way other than interactive execution
> of pam-auth-update to configure/activate the profiles as I'd like? Or
> put another way, what is the best/correct approach to achieving my
> goal?

I would say do whatever fits your needs best. There is often no correct
approach, but rather preferred. I would just save the modified files to
the ansible repository and copy them over (perhaps let ansible make
backup before copy), or alternatively use diff and patch (assuming target
files are default and same everywhere).

regards

Re: USB Host-Host cables
On Tue, Jun 19, 2018 at 09:11:43AM -0400, rhkra...@gmail.com wrote:
> On Tuesday, June 19, 2018 08:02:11 AM Richard Hector wrote:
> > On 19/06/18 23:47, rhkra...@gmail.com wrote:
> > > On Monday, June 18, 2018 11:27:55 PM Stefan Monnier wrote:
> > >> So I think your cable is much less "Serial" than you think.
> > >
> > > Just because I'm tired of seeing this thread (even though I make an often
> > > feeble attempt to ignore it), I will mention that Ethernet is serial ;-)
> > > (full duplex in many cases)
> >
> > Ah, but is it still?
> >
> > Gigabit (1000base-T) uses all 4 pairs simultaneously, and also encodes
> > multiple bits per symbol, which I think makes it effectively parallel.
>
> Well, I'm not familiar with gigabit Ethernet. But even using all 4 pairs
> simultaneously means that it might be some combination of serial and parallel
> (I mean, 4 pairs isn't sufficient to carry 8 bits in parallel).

Parallel doesn't necessarily mean 8 bit. And 100BaseT sends three voltage
levels over the differential pair, so it's a tad more than 1.5 bits per
"wire". But then, it's 4B5B (because it has to weave in the clock) so
it's a tad less. 1 gigabit uses more pairs, but I guess each one is used
serially (because of clock skew), so it's more like "a bundle of serial",
and uses a more complex modulation (PAM), so it's more bits/baud even.

I think the "classical" distinction serial/parallel breaks down a bit
here...

Cheers
-- t

Re: USB Host-Host cables
On Tuesday, June 19, 2018 08:43:44 AM Curt wrote:
> I was going to tell DW upthread a tad that grilled bread was complicated
> because all the complexity was built into the toaster.
>
> But I didn't.
>
> You either subscribe to Owlett's idiosyncratic, infuriatingly
> wrong-headed, utterly intractable and narrow world or you do not.
>
> There is no middle ground.

;-) (and +1)

Re: USB Host-Host cables
On Tuesday, June 19, 2018 08:02:11 AM Richard Hector wrote:
> On 19/06/18 23:47, rhkra...@gmail.com wrote:
> > On Monday, June 18, 2018 11:27:55 PM Stefan Monnier wrote:
> >> So I think your cable is much less "Serial" than you think.
> >
> > Just because I'm tired of seeing this thread (even though I make an often
> > feeble attempt to ignore it), I will mention that Ethernet is serial ;-)
> > (full duplex in many cases)
>
> Ah, but is it still?
>
> Gigabit (1000base-T) uses all 4 pairs simultaneously, and also encodes
> multiple bits per symbol, which I think makes it effectively parallel.

Well, I'm not familiar with gigabit Ethernet. But even using all 4 pairs
simultaneously means that it might be some combination of serial and
parallel (I mean, 4 pairs isn't sufficient to carry 8 bits in parallel).

Encoding multiple bits per symbol doesn't (imho) make it parallel. Just a
different encoding.

Re: Tea4CUPS: TEABILLING reports error
On Mon 18 Jun 2018 at 22:04:50 +0200, Rainer Dorsch wrote:
> Hi Brian,
>
> thank you for your response and please apologize for my slow response.

No problem.

> On Thursday, 31 May 2018 20:04:22 CEST Brian wrote:
> > Your tea4cups.conf is poorly. Here is a minimal one which works for me:
> > [Global]
> > debug : yes
> > directory : /var/spool/cups/
> > prehook_sispmctl : sispmctl -ng 4 2> /tmp/SISPMCTL
>
> Hmmm, mine does not look so much different, I edited the template shipped
> by Debian:
>
> rd@b370:/var/log/cups$ grep -v '^#' /etc/cups/tea4cups.conf |grep -v '^$'
> [global]
> directory : /var/spool/cups/
> prehook_sispmctl : /usr/local/bin/printeron
> rd@b370:/var/log/cups$
>
> ...
>
> I had to change [Global]-> [global] in your config (?)

A typo. Sorry.

[Snip]

> root@b370:/etc/cups# lpadmin -p virtq -v tea4cups:// -E -m raw
> lpadmin: Raw queues are deprecated and will stop working in a future version
> of CUPS.
> root@b370:/etc/cups#

Nothing to worry about (yet).

> > 3. Print to virtq:
> >
> > lp -d virtq /etc/services
>
> root@b370:/etc/cups# lp -d virtq /etc/services
> Anfrage-ID ist virtq-40 (1 Datei(en))
> root@b370:/etc/cups#
>
> > 4. cat /tmp/SISPMCTL and look at the error_log.
>
> rd@b370:~$ cat /tmp/SISPMCTL
> rd@b370:~$
>
> not sure why this is empty... (?)

The hook completes without a warning. I get told that no GEMBIRD SIS-PM
is found.

> but no entry in the error_log

So, the hook works.

> > 5. Test with your original queue and my tea4cups.conf.
>
> same behavior as above, printeron is executed when issuing
>
> lp -d virtq /etc/services
>
> But when printing on my queue

[Snip]

> I get the same error_log again:

[Snip]

> Is my DeviceURI wrong?

You mean "tea4cups:/http://hpljwlan:631/ipp/"? Advice on an IPP URI is at

https://wiki.debian.org/PrintQueuesCUPS

Or use tea4cups:/socket://... instead.

[Snip]

--
Brian.

Re: USB Host-Host cables
On 2018-06-19, rhkra...@gmail.com wrote:
> On Monday, June 18, 2018 11:27:55 PM Stefan Monnier wrote:
>> So I think your cable is much less "Serial" than you think.
>
> Just because I'm tired of seeing this thread (even though I make an often
> feeble attempt to ignore it), I will mention that Ethernet is serial ;-)
> (full duplex in many cases)
>

I was going to tell DW upthread a tad that grilled bread was complicated
because all the complexity was built into the toaster.

But I didn't.

You either subscribe to Owlett's idiosyncratic, infuriatingly
wrong-headed, utterly intractable and narrow world or you do not.

There is no middle ground.

Re: USB Host-Host cables
On 19/06/18 23:47, rhkra...@gmail.com wrote:
> On Monday, June 18, 2018 11:27:55 PM Stefan Monnier wrote:
>> So I think your cable is much less "Serial" than you think.
>
> Just because I'm tired of seeing this thread (even though I make an often
> feeble attempt to ignore it), I will mention that Ethernet is serial ;-)
> (full duplex in many cases)

Ah, but is it still?

Gigabit (1000base-T) uses all 4 pairs simultaneously, and also encodes
multiple bits per symbol, which I think makes it effectively parallel.

Richard

Re: USB Host-Host cables
On Monday, June 18, 2018 11:27:55 PM Stefan Monnier wrote:
> So I think your cable is much less "Serial" than you think.

Just because I'm tired of seeing this thread (even though I make an often
feeble attempt to ignore it), I will mention that Ethernet is serial ;-)
(full duplex in many cases)

Re: USB Host-Host cables
On 06/18/2018 10:27 PM, Stefan Monnier wrote:

I have what is essentially a "USB->Serial" - "Serial->USB" Cable.
Ethernet is *NOT* involved - though there are topological similarities.

I don't have factual knowledge of what you have, indeed, but you said:

I have purchased a USB Host-Host cable based on the PL-25A1 chipset.

While this probably doesn't use Ethernet internally, I believe it will
behave (seen from both machines) exactly as two USB-to-Ethernet adapters
connected via an Ethernet cable.

Indeed. There is appropriate software in current kernels to accomplish
that.

For example, the "cable" will typically appear as a "usb0" network
interface (as is the case for USB-to-ethernet adapters) rather than as
a /dev/ttyUSB0 serial device.

So I think your cable is much less "Serial" than you think.

The chip involved is reportedly based on the manufacturers USB-serial
chip.

Re: netboot images for Debian 9 seems is broken?
On Mon, Jun 18, 2018 at 07:24:25PM +, Andy Smith wrote:
> Hello,
>
> Yes. When you PXE boot, the kernel and initramfs comes from the
> netboot image that you downloaded in the past, but the archive will
> be different after a point release which can result in the
> installer's failure to load certain essential modules like
> filesystems.
>
> So in my experience every time there is a point release you need to
> re-download the netboot images that you are serving over PXE as
> well.
>
> > Are the PXE installers known to be a little flaky?
>
> I've got along with them okay as long as I remember to download a
> new one after every point release.
>
> I'm not 100% sure this is OP's problem (the Ubuntu reference is
> alarming), but if I was OP I'd certainly try doing that first.
>

Thanks for the tip about the point releases. I didn't know that.
Previously I've updated the kernel and initrd each time there's a full
release. That might well explain why I've found it a bit unreliable in
the past.

Last night I downloaded the kernel and initrd that the OP was complaining
about (from the link they provided) and ironically it fixed my issue :-)

According to my preseed file, I'm using ftp.uk.debian.org/debian. I guess
the OP must be pointing at the wrong archive.

Thanks again for the tip, I'll resolve to update with each Point Release
in future!

Mike.

Expired GPG keys of older release
Hello,

GPG key that signed the Squeeze repo is now expired. How should I handle
this properly ? Despite the key is expired, it used to be valid and I
don't like much the idea of going for [trusted=yes] for each impacted
sources.list entry.

Thanks in advance,
Adam.

Re: want pinning with examples to prevent unwanted package(s) from being installed
On Tue, Jun 19, 2018 at 04:23:12AM -0400, Felix Miata wrote:
> Jimmy Johnson composed on 2017-08-31 22:03 (UTC-0700):
>
> > Felix Miata wrote:

[...]

> > #dpkg-hold 'package-name'
> > #dpkg-unhold 'package-name'
>
> dpkg hold
> dpkg-hold
> dpkg -hold
> dpkg --hold
>
> All produce command-not-found or unknown option messages (in Buster).

Perhaps dlocate is the package you're looking for:

  tomas@trotzki:~$ apt-file search dpkg-hold
  dlocate: /usr/sbin/dpkg-hold
  dlocate: /usr/share/man/man8/dpkg-hold.8.gz

Man page credits dpkg-hold with doing more or less what you described.

Cheers
-- t

Re: prevent packages from installing
rv riveravaldez composed on 2018-06-19 03:18 (UTC-0300):

>> The man page for apt_preferences is clear as mud about any (pinning) example
>> that seems equivalent, or even what name(s) of file(s) are supposed to be to
>> create pins. Google so far has been no help. Holding is either being
>> ignored, or holds are being silently unheld. How do I keep unwanted
>> packages from getting installed?
>>
>> apt purge xserver-xorg-video-radeon
>>
>> Attempting to do so wants to install
>>
>> xserver-xorg-video-amdgpu
>> xserver-xorg-video-nouveau
>> xserver-xorg-video-fbdev
>> xserver-xorg-video-vesa
>> xserver-xorg-video-vmware
>>
>> The only driver I want used is the modesetting driver built into the server.
>> Anything else for this installation I would consider broken.

> Check if apt-mark does what you need.

If I try to hold one of those drivers, then another, it unholds the
first, leaving total hold count at one package. If I try to set all the
holds in one command, it succeeds (as proven by showhold), then proceeds
to try to install the held packages anyway when I try to purge radeon.

--
"Wisdom is supreme; therefore get wisdom. Whatever else you
get, get wisdom." Proverbs 4:7 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: want pinning with examples to prevent unwanted package(s) from being installed
Jimmy Johnson composed on 2017-08-31 22:03 (UTC-0700):

> Felix Miata wrote:

>> Over an hour I've been searching in vain, apparently using broken
>> Google-fu, for something using examples to explain how to prevent
>> unwanted package(s) from being installed via pinning when apt-mark's
>> hold is being disregarded. Anyone familiar with an URL that would do
>> this?

>> In openSUSE, it's a simple process:

>> zypper al unwantedpackagename[version]

>> That's all there is to it, other than it also works with wildcards.

> #dpkg-hold 'package-name'
> #dpkg-unhold 'package-name'

dpkg hold
dpkg-hold
dpkg -hold
dpkg --hold

All produce command-not-found or unknown option messages (in Buster).

--
"Wisdom is supreme; therefore get wisdom. Whatever else you
get, get wisdom." Proverbs 4:7 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: prevent packages from installing
>
> The man page for apt_preferences is clear as mud about any (pinning) example
> that seems equivalent, or even what name(s) of file(s) are supposed to be to
> create pins. Google so far has been no help. Holding is either being
> ignored, or holds are being silently unheld. How do I keep unwanted
> packages from getting installed?
>
> apt purge xserver-xorg-video-radeon
>
> Attempting to do so wants to install
>
> xserver-xorg-video-amdgpu
> xserver-xorg-video-nouveau
> xserver-xorg-video-fbdev
> xserver-xorg-video-vesa
> xserver-xorg-video-vmware
>
> The only driver I want used is the modesetting driver built into the server.
> Anything else for this installation I would consider broken.

Check if apt-mark does what you need.

prevent packages from installing
In openSUSE, adding lock is easy:

  zypper al packagename

So is removing lock:

  zypper rl packagename

ATM, I'm trying to do equivalent in Buster.

The man page for apt_preferences is clear as mud about any (pinning)
example that seems equivalent, or even what name(s) of file(s) are
supposed to be to create pins. Google so far has been no help. Holding is
either being ignored, or holds are being silently unheld. How do I keep
unwanted packages from getting installed?

  apt purge xserver-xorg-video-radeon

Attempting to do so wants to install

  xserver-xorg-video-amdgpu
  xserver-xorg-video-nouveau
  xserver-xorg-video-fbdev
  xserver-xorg-video-vesa
  xserver-xorg-video-vmware

The only driver I want used is the modesetting driver built into the
server. Anything else for this installation I would consider broken.

--
"Wisdom is supreme; therefore get wisdom. Whatever else you
get, get wisdom." Proverbs 4:7 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Using config management to automate pam-auth-update(8) change
Greetings,

I'm using Ansible to manage Debian configurations, and am attempting to
add a role to enable multi-factor auth in SSH with public keys and Duo
(via libpam-duo). I almost have the configuration I want, but as part of
it - once the libpam-duo package is installed - I need to enable the
pam_duo.so module correctly with the included profile using
pam-auth-update(8). I can execute this program manually and in the curses
dialog select the Duo PAM profile and disable the Unix authentication
profile.

This is basically what this dialog looks like when the program is first
run:

  PAM profiles to enable:

  [*] Unix authentication
  [ ] Duo Security two-factor authentication

And the desired state when modified:

  PAM profiles to enable:

  [ ] Unix authentication
  [*] Duo Security two-factor authentication

The question I have is: how can this be achieved using Ansible (i.e.
automation)? So far I've tried to manipulate debconf selections by
working backwards (determine the desired setting when it's been
configured using pam-auth-update, so I can just set it this way using
Ansible) but I'm sure this isn't the approach I need:

-libpam-runtime libpam-runtime/profiles multiselect unix
+libpam-runtime libpam-runtime/profiles multiselect duo-unix

I know that when the proper configuration is triggered that the target
files in /etc/pam.d/ are modified, but I can't figure out how to call
into pam-auth-update from Ansible to set the profiles. I'd rather use
the profile and avoid troublesome manual manipulation of the files
under /etc/pam.d. So is there a way other than interactive execution
of pam-auth-update to configure/activate the profiles as I'd like? Or
put another way, what is the best/correct approach to achieving my
goal?

--
Darren Spruell
phatbuck...@gmail.com