Reputation: 25
I understand that when running an SSH command with public key authentication, the client will try all the SSH keys it knows about until the host accepts one (https://security.stackexchange.com/questions/182804/how-does-ssh-know-which-public-key-to-use-from-authorized-keys).
When running an Ansible command on a host using SSH there does not seem to be this capability: Ansible requires an SSH private key file to be specified explicitly in ansible.cfg:
    private_key_file = /user/.ssh/id_rsa_mykey
In my use case, Ansible is running inside a Docker container on Lando. All SSH keys are imported from the user's ssh config directory to a known path in the container. However, I don't necessarily know the name of the one that's needed by Ansible because this is something individual users configure.
Is there a way to make SSH commands issued by Ansible try multiple keys like SSH is designed to do?
Upvotes: 0
Views: 1226
Reputation: 312650
> Ansible requires an SSH private key file to be specified explicitly in ansible.cfg:
Ansible does not require that you provide a private key file in your ansible.cfg. Since ansible is just calling out to ssh, the preferred place to configure connection credentials is in your ~/.ssh/config file. There, you can configure multiple host-specific keys:
    Host host1
        IdentityFile ~/.ssh/key-for-host1
    Host host2
        IdentityFile ~/.ssh/key-for-host2
Or you can configure it to try multiple keys in sequence:
    Host *.example.com
        IdentityFile ~/.ssh/maybe-this-one
        IdentityFile ~/.ssh/okay-how-about-this-instead
And of course ssh will use any keys present in your ssh agent.
Upvotes: 3
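For the container case in the question, where keys land in a known directory under unknown names, the multi-key `Host` block from the answer can be generated instead of hand-written. This is an added example, not code from either post; the function name `gen_identity_block` and the directory you pass to it are assumptions.

```shell
#!/bin/sh
# Added example: emit an ssh_config Host block with one IdentityFile line
# per private key found in a directory. Names and paths are assumptions.
#
# Usage: gen_identity_block DIR [HOST_PATTERN] >> ~/.ssh/config
gen_identity_block() {
    dir=$1
    pattern=${2:-*}          # default: apply to every host
    count=0
    lines=
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # PEM and OpenSSH private keys start with a BEGIN ... PRIVATE KEY
        # header; this skips *.pub, known_hosts, config and similar files.
        head -n 1 "$f" 2>/dev/null |
            grep -q -e '-----BEGIN .*PRIVATE KEY-----' || continue
        # Quote the path so names containing spaces survive ssh_config parsing.
        lines="${lines}    IdentityFile \"${f}\"
"
        count=$((count + 1))
    done
    # No keys found: print nothing and signal failure to the caller.
    [ "$count" -gt 0 ] || return 1
    printf 'Host %s\n' "$pattern"
    printf '%s' "$lines"
    # Every offered key counts as an authentication attempt, and sshd's
    # MaxAuthTries defaults to 6, so a long list can fail before the
    # right key is reached.
    if [ "$count" -gt 5 ]; then
        echo "warning: $count keys listed; server may hit MaxAuthTries" >&2
    fi
}
```

Keys held in the ssh agent are offered as well, so they count toward the same server-side attempt limit.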