FreeKB - Getting Started with SSH
Ansible - Getting Started with SSH

This assumes you have installed Ansible.

By default, Ansible uses SSH to connect to the target server(s).


This can be changed to some other protocol. However, assuming you'll be using SSH, you must be able to make an SSH connection from the Ansible server to the target server(s). The ssh command (on Linux) can be used to determine if you are able to make an SSH connection from the Ansible server to the target server(s).

SSH supports a couple of different authentication methods.

  • Password authentication
  • Public/Private key authentication

The SSH server will be configured with password authentication, passwordless authentication, or both. The ssh command with the -v (verbose) flag can be used to determine which authentication methods the SSH server accepts.

If you attempt to make a connection to a target server and Ansible has not been configured for SSH, the following will most likely be displayed.

server1.example.com | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey, password).",
    "unreachable": true
}


Password authentication

If the SSH server is configured to accept password authentication, command line flags --ask-pass or --ask-become-pass can be used to prompt for your SSH password when issuing an Ansible command. Or, you could configure the /etc/ansible/hosts file with your SSH username and password.

However, neither of these approaches is ideal, as both use a clear text password. A much better solution is to use an encrypted password for SSH.

Passwordless authentication

If the SSH server is configured to accept passwordless authentication, and the target servers are a Linux distribution, and OpenSSH is being used on each target server, refer to public key authentication with OpenSSH on Linux to configure passwordless SSH authentication between the servers.


Known hosts

Regardless of whether you are using password or passwordless authentication, when using the ssh command to make an SSH connection to a target server, if the public certificate of the target server (server1.example.com in this example) is not listed in the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the Ansible server, a prompt will appear stating "The authenticity of host 'hostname (ip address)' can't be established."

ssh john.doe@server1.example.com
. . .
The authenticity of host 'server1 (192.168.0.5)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?


The exact same output will be displayed when using the ansible command or the ansible-playbook command, like this.

ansible all -m ping
. . .
The authenticity of host 'server1 (192.168.0.5)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?


Typing yes and pressing enter will display the following. Additionally, the public certificate of the target server will be appended to the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the Ansible server. As long as the public certificate remains in the known hosts file on the Ansible server, the "The authenticity of host 'hostname (ip address)' can't be established" prompt will not be displayed when making an SSH connection to the target server.

server1.example.org | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


If the SSH connection is not successful, a fatal error will be returned.

Note: Using gather_facts: false in your playbook will suppress some, but not all, fatal errors. Using gather_facts: false is discouraged, as this only masks the underlying issue. Instead, you should identify the cause of the fatal error and take appropriate action.

Here is an example of one possible fatal return. This error tells you the cause of the issue (host key checking is enabled and sshpass does not support this) and the solution (add this host's fingerprint to your known_hosts file). Refer to our SSH known_hosts article for more details on the known_hosts file. You could also use the ssh-keyscan command to append the SSH server's public certificate to your known_hosts file.

fatal: [server1.example.com]: FAILED! => {"msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host."}
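Rather than answering yes to the authenticity prompt or blindly appending ssh-keyscan output, a safer way to populate known_hosts is to compare the scanned key's SHA256 fingerprint against one obtained out of band (for example from the target's console) before adding it. The following is an added example, not code from FreeKB or Ansible; the host key, the keyscan output and the expected fingerprint are all constructed in the script, and the merge/verify functions are assumed helpers.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a fake ssh-ed25519 host key (bytes 0..31, not a real key)
# in the form ssh-keyscan prints it for server1.example.com.
_FAKE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(_FAKE_KEY_BLOB).decode()
SAMPLE_KEYSCAN = (
    "# server1.example.com:22 SSH-2.0-OpenSSH_8.0\n"
    f"server1.example.com ssh-ed25519 {SAMPLE_KEY_B64}\n"
)


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64(sha256(blob)), no padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, key) from ssh-keyscan output, skipping comment lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def merge_known_hosts(known_hosts: list, keyscan_text: str, expected: dict):
    """Add keyscan entries to known_hosts only when the key's fingerprint matches
    the one recorded out of band in `expected` ({host: "SHA256:..."}).
    Returns (updated_lines, rejected) where rejected lists (host, fingerprint)."""
    updated = list(known_hosts)
    rejected = []
    for host, keytype, key in parse_keyscan(keyscan_text):
        line = f"{host} {keytype} {key}"
        fp = fingerprint(key)
        if expected.get(host) != fp:
            rejected.append((host, fp))   # unknown or mismatching key: do not trust on first use
        elif line not in updated:
            updated.append(line)          # idempotent: no duplicate known_hosts entries
    return updated, rejected
```

The lines returned by merge_known_hosts can be written to ~/.ssh/known_hosts, after which neither ssh nor the ansible command will prompt for server1.example.com.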
