---
- hosts: localhost
  connection: local
  become_method: sudo
  become: yes
  tasks:
   - name: Ensure yubikey is needed for authentication
     lineinfile:
       path: /etc/pam.d/authorization
       regexp: '^auth.*pam_yubico.so.*'
       line: "auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response"
       insertbefore: "^account    required       pam_opendirectory.so"