Ansible - Getting Started with SSH

By default, Ansible uses SSH to connect to managed nodes (the target systems).

 

The ansible-doc command (ansible-doc -t connection -l) lists the available connection plugins, such as ssh, paramiko_ssh, local, and so on. The --connection command line option can be used to specify the connection plugin that is used.

ansible-playbook foo.yml --connection=ssh

 

Or you could define the connection plugin to use in your default inventory file, here for every host.

[all:vars]
ansible_connection=paramiko_ssh

 


SSH user

When using the ansible-playbook command, there are several ways to define the user that will make the SSH connection: the -u (--user) command line option, the ansible_user variable in the inventory, remote_user in a play, or remote_user in the [defaults] section of ansible.cfg.

If none of these are set, the user that invokes the ansible-playbook command will be the user that is used for the SSH connection. For least privilege, connect as a dedicated unprivileged user and use become only for the tasks that need root, rather than logging in to the managed nodes as root.


Known hosts

When making an SSH connection to a managed node, if the public host key of the managed node (server1 in this example) is not listed in the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the control node, a prompt will appear stating The authenticity of host 'hostname (ip address)' can't be established, like this.

The authenticity of host 'server1 (10.115.55.189)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?

 

Typing yes and pressing enter will append the host key of the managed node to the known hosts file on the control node. Before typing yes, compare the fingerprint shown with one obtained out of band (for example from the console of server1, by running ssh-keygen -lf on the host key file under /etc/ssh), because accepting an unverified key trusts whatever host answered on that address. Or, the known_hosts module can be used to append the managed node's key to your known hosts file. Do not work around the prompt by setting host_key_checking = False in ansible.cfg or ANSIBLE_HOST_KEY_CHECKING=False, since that removes the protection against a man-in-the-middle on every connection.
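The same check, automated for a whole inventory group, as an added example (not the page's own code): the play runs on the control node, scans each managed node's ed25519 host key, fails unless the fingerprint matches one recorded out of band, and only then adds the key with the known_hosts module. The group name managed, the variable expected_host_key_fp and its placeholder fingerprint value are assumptions to replace with your own.

```yaml
---
# known_hosts.yml (added example, not from the original page)
# Populates ~/.ssh/known_hosts on the control node for every host in the
# "managed" group, but only after the scanned key matches a fingerprint that
# was recorded out of band. Placeholders: the group name "managed", the
# variable "expected_host_key_fp" and the fingerprint value, which must be
# replaced by what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints
# on the managed node's own console.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    expected_host_key_fp:
      server1.example.com: "SHA256:placeholder-fingerprint-for-server1"
  tasks:
    - name: Scan the ed25519 host key of each managed node
      ansible.builtin.command:
        argv: [ssh-keyscan, -t, ed25519, "{{ item }}"]
      register: scan
      changed_when: false
      # ssh-keyscan exits 0 even when nothing answered, so an empty scan
      # must be treated as a failure rather than silently skipped
      failed_when: scan.rc != 0 or scan.stdout | length == 0
      loop: "{{ groups['managed'] }}"

    - name: Verify each scanned key against the fingerprint recorded out of band
      ansible.builtin.command:
        argv: [ssh-keygen, -lf, "-"]
        stdin: "{{ item.stdout }}"
      register: fp
      changed_when: false
      # item.item is the hostname from the previous loop; an unknown host
      # raises an undefined-variable error, so the play fails closed
      failed_when: expected_host_key_fp[item.item] not in fp.stdout
      loop: "{{ scan.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Add the verified key to the control node's known_hosts
      ansible.builtin.known_hosts:
        name: "{{ item.item }}"
        key: "{{ item.stdout }}"
        state: present
      loop: "{{ scan.results }}"
      loop_control:
        label: "{{ item.item }}"
```

Run it with ansible-playbook known_hosts.yml before the first play that targets the managed nodes. The fingerprint to record comes from the managed node itself (its console, or the provisioning system that built it), never from the scan, otherwise the assert only confirms that the scan agrees with itself.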

 


Authentication

SSH supports several authentication methods; the two that matter here are:

  • Password authentication
  • Public/Private key authentication

The SSH server will be configured with password authentication, public key authentication, or both. Running the ssh command with the -v (verbose) flag against the managed node shows which methods the server offers, in a line like this.

debug1: Authentications that can continue: publickey,password

 

If you attempt to make a connection to a managed node and Ansible has not been configured for SSH, UNREACHABLE will most likely be returned.

server1.example.com | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey, password).",
    "unreachable": true
}

 

Password authentication

If the SSH server is configured to accept password authentication, the command line flag --ask-pass can be used to prompt for your SSH password when issuing an Ansible command (the ssh connection plugin needs sshpass installed on the control node for this). Or, you could put your SSH username and password (ansible_user and ansible_password) in the default hosts file. However, a password in the inventory is clear text on disk and ends up in every backup or repository that holds the inventory. If a password must be stored, keep it in a file encrypted with Ansible Vault; better still, switch to public key authentication, as described next.
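As an added example (not from the page), the layout that keeps the password out of the clear-text inventory: ansible_password in the inventory refers to a variable whose only definition lives in a vault-encrypted group_vars file. The group webservers, the host names, the user john.doe and the variable name vault_ssh_password are assumptions.

```yaml
# inventory/hosts.yml (added example, not from the original page)
# Placeholders: the group "webservers", the host names and the user "john.doe".
all:
  children:
    webservers:
      hosts:
        server1.example.com:
        server2.example.com:
      vars:
        ansible_user: john.doe
        # Resolved at connection time from the vault-encrypted file below;
        # the inventory itself never contains the password.
        ansible_password: "{{ vault_ssh_password }}"

# inventory/group_vars/webservers/vault.yml is created and edited only through
#   ansible-vault create inventory/group_vars/webservers/vault.yml
# so it is stored on disk in encrypted form. Its plaintext content is a single
# variable:
#   vault_ssh_password: "the-real-password"
#
# Run with the vault password prompted instead of an SSH password on the
# command line or in the inventory:
#   ansible-playbook -i inventory/hosts.yml site.yml --ask-vault-pass
```

Ansible decrypts files under group_vars transparently once the vault password is supplied, so the play sees vault_ssh_password as an ordinary variable. The password still has to be typed for the vault, but it is typed once per run and never written in clear text.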

Passwordless authentication

If the SSH server is configured to accept public key authentication, and the managed nodes are a Linux distribution running OpenSSH, the ssh-keygen command can be used on the control node to create your user's private key (such as id_rsa or id_ed25519) and public key (such as id_rsa.pub or id_ed25519.pub). Protect the private key with a passphrase and load it into ssh-agent, so that Ansible runs stay non-interactive without an unprotected key sitting on disk. While you could use the openssh_keypair module or the user module with the delegate_to: localhost parameter to create your user's key pair, this usually doesn't make much sense, since generating your user's key pair is typically a one-time task.

ssh-keygen -t ed25519

 

Then a playbook using the authorized_key module, run with --ask-pass so that this one run authenticates with the password, can be used to append the user's public key to the managed node's authorized_keys file.

[root@control ~] ansible-playbook ssh.yml --ask-pass

 

If the key has to go into another account's authorized_keys (for example root's) rather than the connecting user's own, you will need the become command line flags.

[john.doe@control ~] ansible-playbook ssh.yml --ask-pass --become --become-method=sudo --become-user=root --ask-become-pass

 

If the SSH user on the managed node is not the user running ansible-playbook, set remote_user in the playbook (or ansible_user in the inventory).

---
- hosts: aws
  remote_user: ec2-user
  tasks:
  - name: touch /tmp/foo.txt
    file:
      path: /tmp/foo.txt
      state: touch
...

 

After this has been done, SSH connections to the managed node authenticate with the key, so the --ask-pass flag is no longer needed.

[root@control ~] ansible-playbook ssh.yml
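The ssh.yml that the commands above run is not shown on the page; the following is an added example of one (not the original author's file) that installs the control node's public key with the authorized_key module. The group aws, the user ec2-user, the key path ~/.ssh/id_ed25519.pub and the network 10.115.55.0/24 in the optional from restriction are assumptions.

```yaml
---
# ssh.yml (added example, not the ssh.yml used on the original page)
# Installs the control node's public key into the connecting user's
# authorized_keys on every host in the "aws" group.
# Placeholders: the group "aws", the user "ec2-user", the key path and the
# network 10.115.55.0/24 used in the optional "from" restriction.
- hosts: aws
  vars:
    ssh_user: ec2-user
    control_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
  remote_user: "{{ ssh_user }}"
  gather_facts: false
  # become is not needed: authorized_key writes the connecting user's own file.
  # To install the key into a different account, add become: true and set
  # user: to that account instead.
  tasks:
    - name: Install the control node's public key for {{ ssh_user }}
      ansible.builtin.authorized_key:
        user: "{{ ssh_user }}"
        key: "{{ control_pubkey }}"
        state: present
        # manage_dir (default true) creates ~/.ssh with mode 0700 if missing;
        # exclusive (default false) leaves other keys in the file untouched.
        # Optional hardening: only accept this key from the control node's
        # network (placeholder range, a wrong value locks the key out).
        # key_options: 'from="10.115.55.0/24"'

# Sequence, run on the control node:
#   ssh-keygen -t ed25519              # once; set a passphrase, add it to ssh-agent
#   ansible-playbook ssh.yml --ask-pass   # first run authenticates with the password
#   ansible-playbook ssh.yml              # second run authenticates with the key
```

The second run is the check: it reports ok for the task and does not prompt, which confirms the key authenticated the connection. If it returns UNREACHABLE instead, the key was not installed for the user Ansible is connecting as, so compare remote_user in the play with the user: argument of the task.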

 




Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |