1. Overview

While using Ansible, SSH host key checking can sometimes cause issues with automation. For example, in testing environments or cloud-based infrastructure, where instances are frequently created and destroyed, we might not need to verify SSH keys. As a result, ignoring SSH host key checks is sometimes the better, albeit temporary, approach.

Ansible usually presents a prompt when connecting to a remote host for the first time. This prompt asks us to verify the authenticity of the host. Thus, we avoid connecting to potentially malicious or spoofed servers. Moreover, this security measure also helps prevent man-in-the-middle attacks. However, such behavior can be inconvenient in testing environments.

In this tutorial, we’ll see how to safely disable SSH authenticity checks in Ansible. In addition, we’ll also see practical examples.

2. Disabling SSH Host Key Checking in Ansible

Ansible offers multiple ways to skip SSH authenticity checks:

  • editing the ansible.cfg file
  • editing the inventory file
  • using the playbook
  • using command-line arguments
  • setting an environment variable
  • updating the SSH config file

Let’s explore each approach with some working examples.

3. Creating a Test Environment

Before moving forward, we create a test environment:

  • a virtual machine as the controller, which manages several client machines
  • the controller has Ansible installed on it
  • SSH is set up (Ansible user has access via key or password)

In all cases, we need to make sure the host keys are in ~/.ssh/known_hosts.

Once all of the above works, we’re all set to use Ansible without SSH host key checks.

4. Using ansible.cfg

We can customize Ansible behavior using the ansible.cfg file. Notably, we can put this file in a few different places depending on the current needs:

  • projects: we place the ansible.cfg config file in the same directory as the project playbooks
  • system-wide: we place ansible.cfg config file in /etc/ansible/ansible.cfg

Next, we turn off SSH host key checking globally, for all hosts. For this, we edit or update ansible.cfg:

$ cat /etc/ansible/ansible.cfg
...
[defaults]
host_key_checking = False

As a result, Ansible stops asking about SSH key approval. We can test the result with a quick ping:

$ ansible all -m ping -i inventory.yml

With the above setting, there should no longer be a prompt for SSH key approval.

5. Using Inventory File

We can also turn off SSH host key checking just for specific hosts in the inventory file.

For example, in the inventory.ini, we can add custom SSH options:

$ cat inventory.ini
...
[client3]
192.168.29.23 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
...

This configuration sets StrictHostKeyChecking=no for client3. Thus, SSH won’t ask for key confirmation when connecting to that host.

To test the configuration, we again run the ping command:

$ ansible all -m ping -i inventory.ini

As a result, the SSH connection skips host key checking for the given host. Moreover, the above method applies only to the given hosts rather than globally.

6. Using Playbook

We can also skip SSH host key checking right inside a playbook. Furthermore, this can be done for just a specific host.

For example, we use the vars section to set the SSH arguments in the playbook:

$ cat ping.yml
- hosts: client1
  vars:
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
  tasks:
    - name: Ping the server
      ansible.builtin.ping:

Again, we add the same option, StrictHostKeyChecking=no.

Next, we run the playbook:

$ ansible-playbook -i inventory.ini ping.yml
PLAY [client1] ***************************************************************************************
TASK [Gathering Facts] *******************************************************************************
[WARNING]: Platform linux on host...
...

As a result, SSH host key checking is disabled for client1.

7. Using Command-Line Argument

If we just want to skip SSH host key checking once without changing config files, we can do it right from the command line:

$ ansible-playbook ping.yml -i inventory.ini --ssh-extra-args="-o StrictHostKeyChecking=no"
PLAY [client1] ***************************************************************************************
TASK [Gathering Facts] *******************************************************************************
[WARNING]: Platform linux on host 
...

Here, we used the same SSH option as the one in the above playbook.

In fact, we can pass the same option to an ad hoc ansible command that runs the ping module, using -e to set the ansible_ssh_common_args variable:

$ ansible all -m ping -e "ansible_ssh_common_args='-o StrictHostKeyChecking=no'" -i inventory.ini 
[WARNING]: Platform linux on host 
...
192.168.29.21 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3.10"
    },
    "changed": false,
    "ping": "pong"
}

Both of the above approaches are great for quick, one-time executions when we don’t want to mess with config files or inventories.

8. Setting Environment Variable

We can also disable SSH host key checking system-wide by setting an environment variable:

$ export ANSIBLE_HOST_KEY_CHECKING=False

If we want the changes to be permanent, we can add the above line to our ~/.bashrc or ~/.profile file.

Then we test it out like before:

$ ansible all -m ping -i inventory.ini
[WARNING]: Platform linux on host ...
192.168.29.22 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/..."
    },
    "changed": false,
    "ping": "pong"
}

Again, the run doesn’t prompt for host key confirmation.

9. Editing SSH Config File

The SSH client configuration file is kept in ~/.ssh/config. We can edit the client config to disable host key checking for a host:

$ cat ~/.ssh/config
...
Host 192.168.29.23
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Let’s again check the SSH functionality via ping:

$ ansible all -m ping -i inventory.ini

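The above approach is useful when working with multiple Ansible configurations, since the setting lives in the SSH client configuration rather than in any one Ansible project. It also affects every SSH connection to that host made by this user, not only those started by Ansible.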

10. Conclusion

In this article, we saw different ways to ignore SSH host key checks in Ansible, which can help speed up repeated or automated tasks in test environments and beyond.

To summarize, there are multiple ways to disable SSH host key checking:

  • editing ansible.cfg
  • setting the inventory file
  • overriding via vars in a playbook
  • passing command-line arguments
  • using the environment variable
  • updating the SSH config file

However, disabling SSH host key checking often has a negative impact on security. For example, this may open the door to potential man-in-the-middle attacks. For this reason, we should only do this in non-production or controlled environments, such as when testing and during development.
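A check that follows from the caveat above, as an added example that is not part of the original article: a POSIX shell function that searches a project directory, an SSH client config and the environment for the override settings shown in sections 4 to 9, so leftovers from testing can be caught before the same project is pointed at production hosts. The function names, file layout and sample contents are constructed for illustration, and a grep that supports -r (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example: report where SSH host key checking is switched off, using the
# setting names from this article. File names and sample contents are constructed.

# audit_hostkey_overrides DIR [SSH_CONFIG]
# Prints one "file:line:text" entry per override; exit status 1 if any was found.
audit_hostkey_overrides() (
    dir=$1
    ssh_config=${2:-$HOME/.ssh/config}
    [ -f "$ssh_config" ] || ssh_config=/dev/null

    # ansible.cfg, inventories, playbooks and wrapper scripts under DIR, plus the
    # SSH client config. The second grep drops commented-out lines (# or ;).
    hits=$(grep -rHnEi \
        -e '^[[:space:]]*host_key_checking[[:space:]]*=[[:space:]]*(false|no|off|0)' \
        -e 'StrictHostKeyChecking[[:space:]=]+(no|off)' \
        -e 'UserKnownHostsFile[[:space:]=]+/dev/null' \
        "$dir" "$ssh_config" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*[#;]' || true)

    # The environment variable lives in no file, so inspect it directly.
    env_hit=
    case $(printf '%s' "${ANSIBLE_HOST_KEY_CHECKING:-}" | tr '[:upper:]' '[:lower:]') in
        false|no|off|0) env_hit="env:ANSIBLE_HOST_KEY_CHECKING=$ANSIBLE_HOST_KEY_CHECKING" ;;
    esac

    # Print non-empty findings; succeed only when there are none.
    ! printf '%s\n' "$hits" "$env_hit" | grep .
)

# Builds a constructed project tree mirroring the article's examples.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/proj"
    printf '[defaults]\nhost_key_checking = False\n' > "$t/proj/ansible.cfg"
    printf "[client3]\n192.168.29.23 ansible_ssh_common_args='-o StrictHostKeyChecking=no'\n" \
        > "$t/proj/inventory.ini"
    printf '# StrictHostKeyChecking no\nHost 192.168.29.23\n    StrictHostKeyChecking no\n    UserKnownHostsFile /dev/null\n' \
        > "$t/ssh_config"
    echo "$t"
}

sample=$(make_sample_tree)
audit_hostkey_overrides "$sample/proj" "$sample/ssh_config" ||
    echo "host key checking is disabled in the locations listed above"
rm -rf "$sample"
```

Because the function exits non-zero when it finds an override, it can gate a CI job or a pre-commit hook for projects that target production inventories.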