ansible 2.5.4 on OpenBSD 6.3 amd64
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/dspruell/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/dspruell/.local/lib/python2.7/site-packages/ansible
  executable location = /home/dspruell/.local/bin/ansible
  python version = 2.7.14 (default, Mar 27 2018, 09:57:43) [GCC 4.2.1 Compatible OpenBSD Clang 5.0.1 (tags/RELEASE_501/final)]

I'm working on a role to install and enable the pam_duo auth module on
hosts and am having difficulty figuring out the simplest/most elegant
way to enable the packaged profile in Ansible. Unless I'm mistaken, the
correct procedure in the standard (manual) case is to install the package
(libpam-duo) and then use pam-auth-update(8) to invoke a debconf
dialog to select the Duo auth module. This then modifies
/etc/pam.d/common-auth to add pam_duo.so correctly. For
what it's worth, this is what the selection dialog looks like when not
enabled:

    PAM profiles to enable:
    [*] Unix authentication
    [ ] Duo Security two-factor authentication

When the desired change is made (disabling Unix auth, enabling Duo
two-factor) this is the resulting change to debconf selections:

-libpam-runtime libpam-runtime/profiles multiselect unix
+libpam-runtime libpam-runtime/profiles multiselect duo-unix

I've tried using the debconf module to set the selections for
libpam-runtime package, and while I can confirm that it sets the
selections correctly, they aren't applied.... that seems to require
running pam-auth-update(8) afterward to actually activate them.

    - name: pam_duo - set package configuration to enable pam_duo auth module
      debconf:
        name: libpam-runtime
        question: libpam-runtime/profiles
        vtype: multiselect
        value: duo-unix
      tags: [duo]

After execution of this task, the selections reflect correctly:

    $ sudo debconf-get-selections |egrep ^libpam-runtime
    libpam-runtime libpam-runtime/profiles multiselect duo-unix
    libpam-runtime libpam-runtime/override boolean false
    libpam-runtime libpam-runtime/no_profiles_chosen error
    libpam-runtime libpam-runtime/conflicts error

...but running pam-auth-update suggests that the change is not applied:

    PAM profiles to enable:
    [*] Unix authentication
    [ ] Duo Security two-factor authentication

The target files in /etc/pam.d/ are also not modified until
pam-auth-update is used to set the profiles. So is there a way other
than interactive execution of pam-auth-update to configure/activate
the profiles as I'd like?

I know I'm fundamentally misunderstanding something but I'm not sure what.
Thanks in advance for help.
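
A check for the gap described in this post, where debconf holds the new selection but /etc/pam.d/common-auth has not been regenerated (an added example, not part of the original post). The profile-to-module table and both common-auth samples are constructed assumptions; only the debconf lines, the value duo-unix and pam_duo.so come from the post.

```python
import re

# Assumed mapping: profile value -> module that must be on an active auth line
# once the profile is really applied. Illustrative, not taken from the package.
EXPECTED_MODULE = {"unix": "pam_unix.so", "duo-unix": "pam_duo.so"}

def selected_profiles(selections_text):
    """Profiles recorded in `debconf-get-selections` output."""
    key = ["libpam-runtime", "libpam-runtime/profiles", "multiselect"]
    for line in selections_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[:3] == key:
            return [p.strip() for p in fields[3].split(",") if p.strip()]
    return []

def active_auth_modules(common_auth_text):
    """Module names on uncommented `auth` lines of a PAM stack file."""
    modules = set()
    for line in common_auth_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            modules.add(m.group(2).rsplit("/", 1)[-1])
    return modules

def unapplied_profiles(selections_text, common_auth_text):
    """Selected profiles whose module is missing from the live PAM stack.
    Profiles absent from EXPECTED_MODULE are reported too (cannot be verified)."""
    active = active_auth_modules(common_auth_text)
    return [p for p in selected_profiles(selections_text)
            if EXPECTED_MODULE.get(p) not in active]

# debconf lines as shown in the post
SELECTIONS = """\
libpam-runtime libpam-runtime/profiles multiselect duo-unix
libpam-runtime libpam-runtime/override boolean false
libpam-runtime libpam-runtime/no_profiles_chosen error
"""
# Constructed common-auth contents: before and after the profile is applied
STALE = """\
# constructed sample
auth  [success=1 default=ignore]  pam_unix.so nullok_secure
auth  requisite  pam_deny.so
"""
APPLIED = STALE.replace("pam_unix.so nullok_secure", "pam_duo.so")

if __name__ == "__main__":
    print("stale:", unapplied_profiles(SELECTIONS, STALE))
    print("applied:", unapplied_profiles(SELECTIONS, APPLIED))
```

In a role, the same comparison can run as a verification step after the debconf task, failing the play when the list is not empty.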