
Using config management to automate pam-auth-update(8) change


I'm using Ansible to manage Debian configurations, and am attempting
to add a role to enable multi-factor auth in SSH with public keys and
Duo (via libpam-duo).

I almost have the configuration I want, but as part of it - once the
libpam-duo package is installed - I need to enable the pam_duo.so
module correctly with the included profile using pam-auth-update(8). I
can execute this program manually and in the curses dialog select the
Duo PAM profile and disable the Unix authentication profile. This is
basically what this dialog looks like when the program is first run:

    PAM profiles to enable:

          [*] Unix authentication
          [ ] Duo Security two-factor authentication

And the desired state when modified:

    PAM profiles to enable:

          [ ] Unix authentication
          [*] Duo Security two-factor authentication

The question I have is: how can this be achieved using Ansible (i.e.
automation)? So far I've tried to manipulate debconf selections by
working backwards (determine the desired setting when it's been
configured using pam-auth-update, so I can just set it this way using
Ansible) but I'm sure this isn't the approach I need:

-libpam-runtime libpam-runtime/profiles multiselect     unix
+libpam-runtime libpam-runtime/profiles multiselect     duo-unix

I know that when the proper configuration is triggered, the target
files in /etc/pam.d/ are modified, but I can't figure out how to call
into pam-auth-update from Ansible to set the profiles. I'd rather use
the profile and avoid troublesome manual manipulation of the files
under /etc/pam.d. So is there a way other than interactive execution
of pam-auth-update to configure/activate the profiles as I'd like? Or
put another way, what is the best/correct approach to achieving my

Darren Spruell
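
One non-interactive way to reach the desired state described in the post above, as an added example that is not part of the original message: an Ansible play that drives pam-auth-update through its --enable and --disable options instead of the curses dialog. The profile names "duo" and "unix" are assumptions (profile names are the file names under /usr/share/pam-configs/), and the play assumes a libpam-runtime version whose pam-auth-update supports both options.

```yaml
# Added example; profile names are assumptions, check /usr/share/pam-configs/.
- hosts: all
  become: true
  vars:
    duo_profile: duo      # assumed name of the profile shipped by libpam-duo
    unix_profile: unix    # assumed name of the "Unix authentication" profile
  tasks:
    - name: Install libpam-duo
      ansible.builtin.apt:
        name: libpam-duo
        state: present

    - name: Stop early if the assumed Duo profile is not installed
      ansible.builtin.stat:
        path: "/usr/share/pam-configs/{{ duo_profile }}"
      register: duo_profile_file
      failed_when: not duo_profile_file.stat.exists

    - name: Record the common-auth checksum before the change
      ansible.builtin.stat:
        path: /etc/pam.d/common-auth
        checksum_algorithm: sha256
      register: auth_before

    # Enable Duo before disabling Unix so the auth stack is never left empty.
    - name: Select PAM profiles without the curses dialog
      ansible.builtin.command:
        argv: ["pam-auth-update", "{{ item.flag }}", "{{ item.profile }}"]
      environment:
        DEBIAN_FRONTEND: noninteractive
      loop:
        - { flag: "--enable", profile: "{{ duo_profile }}" }
        - { flag: "--disable", profile: "{{ unix_profile }}" }
      changed_when: false   # the checksum comparison below reports the change

    - name: Report a change only if common-auth was rewritten
      ansible.builtin.stat:
        path: /etc/pam.d/common-auth
        checksum_algorithm: sha256
      register: auth_after
      changed_when: >-
        auth_before.stat.checksum | default('') !=
        auth_after.stat.checksum | default('')
```

pam-auth-update leaves locally modified files under /etc/pam.d alone unless it is run with --force, so on a host with hand-edited common-* files the checksum will not change.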
