How to ignore ansible SSH authenticity checking

Question

Is there a way to ignore the SSH authenticity checking made by Ansible  For example when I ve just setup a new server I have to answer yes to this question   GATHERING FACTS                                                                 The authenticity of host  xxx xxx xxx xxx  xxx xxx xxx xxx   can t be established  RSA key fingerprint is xx yy zz      Are you sure you want to continue connecting  yes no     I know that this is generally a bad idea but I m incorporating this in a script that first creates a new virtual server at my cloud provider and then automatically calls my ansible playbook to configure it  I want to avoid any human intervention in the middle of the script execution

User · Answer

Changing host key checking to false for all hosts is a very bad idea   The only time you want to ignore it  is on  first contact   which these two tasks will accomplish       - name  Check SSH known hosts for    inventory hostname          local action  shell ssh-keygen -F    inventory hostname          register  checkForKnownHostsEntry       failed when  false       changed when  false       ignore errors  yes     - name  Add    inventory hostname    to SSH known hosts automatically       when  checkForKnownHostsEntry rc    1       changed when  checkForKnownHostsEntry rc    1       set fact          ansible ssh common args   -o StrictHostKeyChecking no    So we only turn off host key checking if we don t have the host key in our known hosts file

User · Answer

Use the parameter named as validate certs to ignore the ssh validation   - ec2 ami      instance id  i-0661fa8b45a7531a7     wait  yes     name  ansible     validate certs  false     tags        Name  ansible       Service  TestService   By doing this it ignores the ssh validation process

User · Answer

I know the question has been answered and it s correct as well  but just wanted to link the ansible doc where it s explained clearly when and why respective check should be added  host-key-checking

User · Answer

You can pass it as command line argument while running the playbook   ansible-playbook play yml --ssh-common-args  -o StrictHostKeyChecking no

User · Answer

If you don t want to modify ansible cfg or the playbook yml then you can just set an environment variable   export ANSIBLE HOST KEY CHECKING False

User · Answer

I found the answer  you need to set the environment variable ANSIBLE HOST KEY CHECKING to False  For example   ANSIBLE HOST KEY CHECKING False ansible-playbook

User · Answer

Two options - the first  as you said in your own answer  is setting the environment variable ANSIBLE HOST KEY CHECKING to False   The second way to set it is to put it in an ansible cfg file  and that s a really useful option because you can either set that globally  at system or user level  in  etc ansible ansible cfg or    ansible cfg   or in an config file in the same directory as the playbook you are running   To do that  make an ansible cfg file in one of those locations  and include this    defaults  host key checking   False   You can also set a lot of other handy defaults there  like whether or not to gather facts at the start of a play  whether to merge hashes declared in multiple places or replace one with another  and so on  There s a whole big list of options here in the Ansible docs     Edit  a note on security   SSH host key validation is a meaningful security layer for persistent hosts - if you are connecting to the same machine many times  it s valuable to accept the host key locally    For longer-lived EC2 instances  it would make sense to accept the host key with a task run only once on initial creation of the instance     - name  Write the new ec2 instance host key to known hosts     connection  local     shell   ssh-keyscan -H    inventory hostname     gt  gt     ssh known hosts    There s no security value for checking host keys on instances that you stand up dynamically and remove right after playbook execution  but there is security value in checking host keys for persistent machines  So you should manage host key checking differently per logical environment     Leave checking enabled by default  in    ansible cfg  Disable host key checking in the working directory for playbooks you run against ephemeral instances    ansible cfg alongside the playbook for unit tests against vagrant VMs  automation for short-lived ec2 instances

User · Answer

forward to nikobelia  For those who using jenkins to run the play book  I just added to my jenkins job before running the ansible-playbook the he environment variable ANSIBLE HOST KEY CHECKING   False For instance this   export ANSIBLE HOST KEY CHECKING False ansible-playbook  playbook yml    --extra-vars  some vars       --tags  tags name     -vv

User · Answer

The most problems appear when you want to add new host to dynamic inventory  via add host module  in playbook  I don t want to disable fingerprint host checking permanently so solutions like disabling it in a global config file are not ok for me  Exporting var like ANSIBLE HOST KEY CHECKING before running playbook is another thing to do before running that need to be remembered   It s better to add local config file in the same dir where playbook is  Create file named ansible cfg and paste following text    defaults  host key checking   False   No need to remember to add something in env vars or add to ansible-playbook options  It s easy to put this file to ansible git repo

User · Answer

Ignoring checking is a bad idea as it makes you susceptible to Man-in-the-middle attacks  I took the freedom to improve nikobelia s answer by only adding each machine s key once and actually setting ok changed status in Ansible  - name  Accept EC2 SSH host keys   connection  local   become  false   shell        ssh-keygen -F    inventory hostname              ssh-keyscan -H    inventory hostname     gt  gt     ssh known hosts   register  known hosts script   changed when   quot  found  not in known hosts script stdout quot   However  Ansible starts gathering facts before the script runs  which requires an SSH connection  so we have to either disable this task or manually move it to later  - name  Example play   hosts  all   gather facts  no    gather facts AFTER the host key has been accepted instead    tasks       https   stackoverflow com questions 32297456    - name  Accept EC2 SSH host keys     connection  local     become  false     shell          ssh-keygen -F    inventory hostname               ssh-keyscan -H    inventory hostname     gt  gt     ssh known hosts     register  known hosts script     changed when   quot  found  not in known hosts script stdout quot       - name  Gathering Facts     setup   One kink I haven t been able to work out is that it marks all as changed even if it only adds a single key  If anyone could contribute a fix that would be great

[ssh] How to ignore ansible SSH authenticity checking?

Examples related to ssh

Examples related to ansible