Ansible Troubleshooting SSH Connection Issues

Resolving Ansible SSH Authentication Errors with Paramiko and pylibssh

Learn how to resolve SSH authentication errors in Ansible due to unestablished host authenticity for seamless playbook execution.

June 12, 2024

Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons

#ansible #ssh-connection #paramiko #pylibssh #ansible-troubleshooting #host-key-checking #ansible-playbook #automation #it-infrastructure #ansible-error #known-hosts-file #ansible-configuration #paramiko-error #ssh-authentication #security #ansible-module #ansible_ssh_common_args #devops #system-administration #infrastructure-as-code

Error Overview

When running an Ansible playbook, you may encounter the following error message:

TASK [run show version on remote devices] *****************************************
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
fatal: [10.96.192.10]: FAILED! => {"changed": false, "msg": "paramiko: The authenticity of host '10.96.192.10' can't be established.\nThe ssh-ed25519 key fingerprint is b'REDUCTED'."}

This error indicates a failure in SSH connection due to the inability to establish the authenticity of the host. Below, we provide a detailed explanation of the issue and steps to resolve it.

Error Explanation

Warning: ansible-pylibssh not installed, falling back to paramiko
- This warning means Ansible is using paramiko for SSH connections because pylibssh is not installed. While paramiko is functional, pylibssh is generally more efficient and secure.
Fatal Error: The authenticity of host '10.96.192.10' can't be established.
- This error occurs when the SSH client cannot verify the host’s identity because the host key is not in the known hosts file.

Solutions

Install pylibssh

Installing pylibssh can improve SSH connection efficiency and security:

pip install ansible-pylibssh

Automatically Accept Host Keys

You can configure Ansible to automatically accept host keys by setting the ansible_ssh_common_args variable in your playbook or inventory to disable host key checking. Note that this method can expose you to security risks, such as man-in-the-middle attacks.

Add the following configuration to your ansible.cfg file:

[defaults]
host_key_checking = False

Alternatively, set the ANSIBLE_HOST_KEY_CHECKING environment variable to False:

export ANSIBLE_HOST_KEY_CHECKING=False

Manually Add the Host Key

A more secure approach is to manually add the host key to the known hosts file. This can be done by SSHing into the host manually:

ssh [email protected]

When prompted, accept the host key. This will add it to your ~/.ssh/known_hosts file.

Using Ansible’s Known Hosts Module

Ansible provides a known_hosts module to manage known hosts. You can use this module to ensure the host key is added before making other connections. Here’s an example playbook snippet:

- name: Add host to known hosts
  hosts: localhost
  tasks:
    - name: Ensure the remote host is in known_hosts
      known_hosts:
        name: 10.96.192.10
        key: "ssh-ed25519 AAAA..."
        path: /root/.ssh/known_hosts

Replace "ssh-ed25519 AAAA..." with the actual host key.

Example Playbook with Host Key Checking Disabled

Here’s an example of how to disable host key checking in your playbook:

- name: Run show version on remote devices
  hosts: all
  vars:
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
  tasks:
    - name: show version
      command: show version

Conclusion

Choose the solution that best fits your security requirements. Disabling host key checking is quick and easy but less secure. Adding the host key manually or using the known_hosts module is more secure but requires additional setup. Balancing security and convenience is crucial when configuring SSH connections in Ansible.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.