Reputation: 6583
I would like to use ansible-playbook command instead of 'vagrant provision'. However, setting host_key_checking=false in the hosts file does not seem to work.
# hosts file
vagrant ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key
ansible_ssh_user=vagrant ansible_ssh_port=2222 ansible_ssh_host=127.0.0.1
host_key_checking=false
Is there a configuration variable outside of Vagrantfile that can override this value?
Also, how would this work if running ansible from a Kubernetes pod?
Upvotes: 169
Views: 352890
Reputation: 61641
Due to the fact that I answered this in 2014, I have updated my answer to account for more recent versions of ansible.
Yes, you can do it at the host/inventory level (which became possible on newer ansible versions) or at the global level:
inventory:
Add the following.
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
host:
Add the following.
ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
hosts/inventory options will work with connection type ssh and not paramiko. Some people may strongly argue that inventory and hosts is more secure because the scope is more limited.
global:
Ansible User Guide - Host Key Checking
You can do it either in the /etc/ansible/ansible.cfg or ~/.ansible.cfg file:
[defaults]
host_key_checking = False
Or you can set up an env variable (this might not work on newer ansible versions):
export ANSIBLE_HOST_KEY_CHECKING=False
Kubernetes:
In this case you can use any of the global options above.
Upvotes: 277
Reputation: 6802
With a new IP address on a DNS name with a new host key, ansible can connect with this in ansible.cfg.
[ssh_connection]
ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no'
Mitigates:
Upvotes: 0
Reputation: 13560
For people who come here and are using the network_cli connection plugin instead of ssh and therefore are using either paramiko or libssh for SSH, you can disable host key checking, if you add this to your host in your inventory:
ansible_host_key_checking=false
Upvotes: 0
Reputation: 24864
With an already accepted answer present, I think this is a better answer to the question on how to handle this on the inventory level. I consider this more secure by isolating this insecure setting to the hosts required for this (e.g. test systems, local development machines).
What you can do at the inventory level is add
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
or
ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
to your host definition (see Ansible Behavioral Inventory Parameters).
(This will work provided you use the ssh connection type, not paramiko or something else).
For example, a Vagrant host definition would look like…
vagrant ansible_port=2222 ansible_host=127.0.0.1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
or
vagrant ansible_port=2222 ansible_host=127.0.0.1 ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
Running Ansible will then be successful without changing any environment variable.
$ ansible vagrant -i <path/to/hosts/file> -m ping
vagrant | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
In case you want to do this for a group of hosts, here's a suggestion to make it a supplemental group var for an existing group like this:
[mytestsystems]
test[01:99].example.tld
[insecuressh:children]
mytestsystems
[insecuressh:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
Upvotes: 85
Reputation: 10113
You set these configs either in the /etc/ansible/ansible.cfg or ~/.ansible.cfg or ansible.cfg (in your current directory) file
[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
tested with ansible 2.9.6 in ubuntu 20.04
Upvotes: 0
Reputation: 1072
Adding the following to the ansible config worked while using ansible ad-hoc commands:
[ssh_connection]
# ssh arguments to use
ssh_args = -o StrictHostKeyChecking=no
Ansible Version
ansible 2.1.6.0
config file = /etc/ansible/ansible.cfg
Upvotes: 0
Reputation: 17
In /etc/ansible/ansible.cfg uncomment the line:
host_key_checking = False
and in /etc/ansible/hosts uncomment the line
client_ansible ansible_ssh_host=10.1.1.1 ansible_ssh_user=root ansible_ssh_pass=12345678
That's all
Upvotes: 0
Reputation: 858
I could not use:
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
in inventory file. It seems ansible does not consider this option in my case (ansible 2.0.1.0 from pip in ubuntu 14.04)
I decided to use:
server ansible_host=192.168.1.1 ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null'
It helped me.
Also, you could set this variable in a group instead of for each host:
[servers_group:vars]
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null'
Upvotes: 5
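An added example, not part of any answer above: a small Python audit that finds where the settings shown on this page switch off SSH host key verification and reports whether each one applies globally, to a group, or to a single host. The function name audit, the rule labels and the sample file contents are constructed for illustration.

```python
import re

# Settings from the answers above that switch off SSH host key verification.
RULES = [
    ("host_key_checking disabled", re.compile(r"\b(?:ansible_)?host_key_checking\s*=\s*(?:false|no|0)\b", re.I)),
    ("StrictHostKeyChecking=no", re.compile(r"StrictHostKeyChecking[=\s]+(?:no|off)\b", re.I)),
    ("UserKnownHostsFile=/dev/null", re.compile(r"UserKnownHostsFile[=\s]+/dev/null", re.I)),
]
SECTION = re.compile(r"^\[([^\]]+)\]\s*$")

def audit(text, is_inventory):
    """Return (line_no, scope, finding) for each active insecure setting."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or commented out
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if not is_inventory:                 # ansible.cfg applies to every run
            scope = "global (every host using this config)"
        elif section and section.endswith(":vars"):
            scope = "group " + section[:-len(":vars")]
        else:                                # host line: first token is the name
            scope = "host " + line.split()[0]
        for name, rx in RULES:
            if rx.search(line):
                findings.append((no, scope, name))
    return findings

# Constructed sample inputs built from the snippets on this page.
SAMPLE_CFG = """[defaults]
#host_key_checking = False
[ssh_connection]
ssh_args = -C -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
"""
SAMPLE_INVENTORY = """vagrant ansible_port=2222 ansible_host=127.0.0.1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
[mytestsystems]
test[01:99].example.tld
[insecuressh:vars]
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null'
"""

if __name__ == "__main__":
    for label, text, inv in (("ansible.cfg", SAMPLE_CFG, False), ("hosts", SAMPLE_INVENTORY, True)):
        for no, scope, name in audit(text, inv):
            print(f"{label}:{no}: {name} [{scope}]")
```

Findings scoped to a host or a test group match the isolation argued for in the inventory-level answers; a global finding means every host reached with that ansible.cfg is connected to without host key verification.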