By default, Ansible uses SSH to connect to managed nodes (e.g. target systems). For this reason, Ansible typically requires relatively easy configuration to run against Linux servers, since most Linux servers are setup with SSH. On the other hand, Windows servers can take a bit of planning, setup, and configuration since typically WinRM (Windows Remote Management) is used instead of SSH for Windows hosts.

The ansible-doc command can be used to display the different type of protocols that can be used, such as SSH, Paramiko SSH, local, and so on. The --connection command line option can be used to specify the connection plugin that is used.

ansible-playbook foo.yml --connection=ssh

Or you could define the connection plugin to use in your default inventory file.

[all:vars]
ansible_connection=paramiko_ssh

SSH user

When using the ansible-playbook command, there are numerous ways to define the user that will make the SSH connection.

• --user command line option
• remote_user parameter
• ansible_user variable in your inventory file
• ansible_user variable in your group_vars file

If none of the above are used, the user that invokes the ansible-playbook command will be the user that is used for the SSH connection.

Known hosts

When making an SSH connection to a server, if the SSH key of the server (server1.example.com in this example) is not listed in the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the control node (your Ansible server), a prompt will appear stating The authenticity of host 'hostname (ip address)' can't be established, like this.

The authenticity of host 'server1.example.com (10.115.55.189)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?

Typing yes and pressing enter will append the key of the managed node to the known hosts file on the control node. Or, the known_hosts module can be used to append the managed nodes key to your known hosts file.

Authentication

SSH has a couple different authentication method.

• Password authentication
• Public/Private key authentication

It's important to recognize that the SSH connection will be made as a certain user. In this example, since remote_user: john.doe is included, then the SSH authentication will be for john.doe.

---
- hosts: all
  remote_user: john.doe
  tasks:
  - file:
      path: /tmp/foo.txt
      state: touch
...

If you attempt to make a connection to a managed node and Ansible has not been configured for SSH, UNREACHABLE most likely be returned. Notice in this example that the SSH server can accept john.doe SSH key (publickey) or john.doe SSH password.

server1.example.com | UNREACHABLE! => {	
    "changed": false,
    "msg": "john.doe@server1.example.com Failed to connect to the host via ssh: Permission denied (publickey, password).",
    "unreachable": true 
}

Password authentication

If the SSH server is configured to accept password authentication, the following options can be used.

• --ask-pass command line flag
• configure the default hosts file with your SSH username and password
• create a vault encrypted file that contains your SSH username and password in group_vars or a vault encrypted file that contains your SSH username and password in vars_files

Passwordless authentication

If the SSH server is configured to accept passwordless authentication, and the managed nodes are a Linux distribution, and OpenSSH is being used on each managed node, the ssh-keygen command can be used to create your users private key (such as id_rsa) and public certificate (such as id_rsa.pub) on the control node. While you could use the openssh_keypair module or user module with the delegate_to: localhost parameter to create your users keypair, this usually doesn't make much since, since the generation of your users keypair is typically a one time task.

ssh-keygen

Then the authorized_key module with the --ask-pass can be used to append the users public key to the managed nodes authorized_keys file.

[root@control ~] ansible-playbook ssh.yml --ask-pass

If you are not root, you may need to use the become command line flags.

[john.doe@control ~] ansible-playbook ssh.yml --ask-pass --become --become-method=sudo --become-user=root --ask-become-pass

If you are connecting to a managed node as some other user, you may need to include remote_user in the playbook.

---
- hosts: aws
  remote_user: ec2-user
  tasks:
  - name: touch /tmp/foo.txt
    file:
      path: /tmp/foo.txt
      state: touch
...

After this has been done, then passwordless SSH connections can be made to the managed node without having to use the --ask-pass flag.

[root@control ~] ansible-playbook ssh.yml