Ansible provisioning ERROR! Using a SSH password instead of a key is not possible
C

8

58

I would like to provision with my three nodes from the last one by using Ansible.

My host machine is Windows 10.

My Vagrantfile looks like:

Vagrant.configure("2") do |config|

  (1..3).each do |index|
    config.vm.define "node#{index}" do |node|

      node.vm.box = "ubuntu"
      node.vm.box = "../boxes/ubuntu_base.box"

      node.vm.network :private_network, ip: "192.168.10.#{10 + index}"

      if index == 3
        node.vm.provision :setup, type: :ansible_local do |ansible|
          ansible.playbook = "playbook.yml"
          ansible.provisioning_path = "/vagrant/ansible"
          ansible.inventory_path = "/vagrant/ansible/hosts"
          ansible.limit = :all
          ansible.install_mode = :pip
          ansible.version = "2.0"
        end
      end

    end
  end

end

My playbook looks like:

---

# my little playbook

- name: My little playbook
  hosts: webservers
  gather_facts: false
  roles:
    - create_user

My hosts file looks like:

[webservers]
192.168.10.11
192.168.10.12

[dbservers]
192.168.10.11
192.168.10.13

[all:vars]
ansible_connection=ssh
ansible_ssh_user=vagrant
ansible_ssh_pass=vagrant

After executing vagrant up --provision I got the following error:

Bringing machine 'node1' up with 'virtualbox' provider...
Bringing machine 'node2' up with 'virtualbox' provider...
Bringing machine 'node3' up with 'virtualbox' provider...
==> node3: Running provisioner: setup (ansible_local)...
    node3: Running ansible-playbook...

PLAY [My little playbook] ******************************************************

TASK [create_user : Create group] **********************************************
fatal: [192.168.10.11]: FAILED! => {"failed": true, "msg": "ERROR! Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."}
fatal: [192.168.10.12]: FAILED! => {"failed": true, "msg": "ERROR! Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."}

PLAY RECAP *********************************************************************
192.168.10.11              : ok=0    changed=0    unreachable=0    failed=1
192.168.10.12              : ok=0    changed=0    unreachable=0    failed=1

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

I extended my Vagrantfile with ansible.limit = :all and added [all:vars] to the hostfile, but still cannot get through the error.

Has anyone encountered the same issue?

Continuous answered 25/2, 2017 at 22:40 Comment(0)
D
100

Create a file ansible/ansible.cfg in your project directory (i.e. ansible.cfg in the provisioning_path on the target) with the following contents:

[defaults]
host_key_checking = false

provided that your Vagrant box has sshpass already installed - it's unclear, because the error message in your question suggests it was installed (otherwise it would be "ERROR! to use the 'ssh' connection type with passwords, you must install the sshpass program"), but in your answer you add it explicitly (sudo apt-get install sshpass), like it was not

Dupin answered 26/2, 2017 at 0:34 Comment(2)
It might be confusing for some guys, so please put your ansible.cfg in the same folder as your inventory then run it. - Prognostic
ansible.cfg file location is /etc/ansible/ansible.cfg - Hottempered
K
65

I'm using Ansible version 2.6.2 and the solution with host_key_checking = false doesn't work.

Adding the environment variable export ANSIBLE_HOST_KEY_CHECKING=False skips the fingerprint check.

Klopstock answered 6/8, 2018 at 7:12 Comment(3)
This is strange as host_key_checking is still referenced in the latest (2.9) doc - Bystander
Ok, there is an open issue about this: github.com/ansible/ansible/issues/49254 - Bystander
Works like a champ. - Immure
A
29

This error can also be solved by simply exporting the ANSIBLE_HOST_KEY_CHECKING variable.

export ANSIBLE_HOST_KEY_CHECKING=False

source: https://github.com/ansible/ansible/issues/9442

Alessandro answered 15/11, 2018 at 2:14 Comment(1)
But where to write it? - Reyreyes
G
8

Run the command below; it resolved my issue:

export ANSIBLE_HOST_KEY_CHECKING=False && ansible-playbook -i

Glorygloryofthesnow answered 9/2, 2021 at 18:23 Comment(0)
S
8

All provided solutions require changes in a global config file or adding an environment variable, which creates problems when onboarding new people.

Instead, you can add the following variable to your inventory or host vars:

ansible_ssh_common_args: '-o StrictHostKeyChecking=no'

Subtrahend answered 2/9, 2022 at 17:53 Comment(1)
Perfect answer for my problem - Immure
C
6

This SO post gave the answer.

I just extended the known_hosts file on the machine that is responsible for the provisioning like this:

Snippet from my modified Vagrantfile:

...
if index == 3
    node.vm.provision :pre, type: :shell, path: "install.sh"

    node.vm.provision :setup, type: :ansible_local do |ansible|
...

My install.sh looks like:

# add web/database hosts to known_hosts (IP is defined in Vagrantfile)
ssh-keyscan -H 192.168.10.11 >> /home/vagrant/.ssh/known_hosts
ssh-keyscan -H 192.168.10.12 >> /home/vagrant/.ssh/known_hosts
ssh-keyscan -H 192.168.10.13 >> /home/vagrant/.ssh/known_hosts
chown vagrant:vagrant /home/vagrant/.ssh/known_hosts

# reload ssh in order to load the known hosts
/etc/init.d/ssh reload

Continuous answered 25/2, 2017 at 23:24 Comment(4)
Shell scripting workaround. Ansible ensures a better way though! - Continuous
To be clear this is all a problem from Vagrant's side via github.com/hashicorp/vagrant/issues/5005, and while inconvenient, security-wise this is actually the correct approach, and the others are actually the workaround. For local development purposes totally go with the simpler disable checking, I don't mean to come across fussy or pedantic, just feel it might be good to clarify for users who are newer to things to be aware of the security implications. I'm just fearing calling it the better way might mislead some. :) - Stilly
I am not sure it is worth a new answer at this date, but I just noticed at the official docs for Ansible and Vagrant on Ansible's side docs.ansible.com/ansible/latest/scenario_guides/… they recommend the vagrant config line config.ssh.insert_key = false. Probably easier than ENV vars or .cfg manipulation. - Stilly
@JasmineHegman, Thank you for the update! I agree that the Vagrant config is much more convenient and much safer than the ENV var or the .cfg. - Continuous
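
Added example, not part of the original posts: the install.sh in this answer appends whatever ssh-keyscan returns, so each key is trusted on first contact. The Python below filters `ssh-keyscan -H` output against fingerprints pinned out of band and keeps only matching lines for known_hosts; the function names, sample keys, salts and pinned values are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it (unpadded base64 of the key blob hash)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host, salt):
    """Build the |1|salt|HMAC-SHA1 host field that ssh-keyscan -H writes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Match a known_hosts host field against host, plain or hashed."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field.encode(), hash_host(host, salt).encode())
    return host in field.split(",")

def filter_scan(scan_output, pinned):
    """Split scanned lines into (accepted, rejected) by pinned fingerprint."""
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue  # comment and blank lines carry no key
        host = next((h for h in pinned if host_matches(parts[0], h)), None)
        ok = host is not None and fingerprint(parts[2]) == pinned[host]
        (accepted if ok else rejected).append(line)
    return accepted, rejected

def sample_key(seed):
    """Constructed ed25519-shaped blob for the demo; not a real host key."""
    name, pub = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(blob).decode()

# Constructed data: pinned values stand in for fingerprints read out of band
# (for example from each VM's console); the IPs are the ones in the question.
NODE1, NODE2, ROGUE = (sample_key(s) for s in (b"node1", b"node2", b"rogue"))
PINNED = {"192.168.10.11": fingerprint(NODE1), "192.168.10.12": fingerprint(NODE2)}
SCAN = "\n".join([
    "# constructed comment line, skipped by the filter",
    hash_host("192.168.10.11", b"salt-one") + " ssh-ed25519 " + NODE1,
    hash_host("192.168.10.12", b"salt-two") + " ssh-ed25519 " + ROGUE,  # differs from pin
])

if __name__ == "__main__":
    accepted, rejected = filter_scan(SCAN, PINNED)
    print("append to known_hosts:", accepted, "\nrefused:", rejected)
```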
R
6

I had a similar challenge when working with Ansible 2.9.6 on Ubuntu 20.04.

When I run the command:

ansible all -m ping -i inventory.txt

I get the error:

target | FAILED! => { "msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host." }

Here's how I fixed it:

When you install Ansible, it creates a file called ansible.cfg, which can be found in the /etc/ansible directory. Simply open the file:

sudo nano /etc/ansible/ansible.cfg

Uncomment this line to disable SSH key host checking:

host_key_checking = False

Now save the file and you should be fine now.

Note: You could also try to add the host's fingerprint to your known_hosts file by SSHing into the server from your machine, this prompts you to save the host's fingerprint to your known_hosts file:

promisepreston@ubuntu:~$ ssh [email protected]

The authenticity of host '192.168.43.240 (192.168.43.240)' can't be established.
ECDSA key fingerprint is SHA256:9Zib8lwSOHjA9khFkeEPk9MjOE67YN7qPC4mm/nuZNU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.43.240' (ECDSA) to the list of known hosts.

[email protected]'s password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-53-generic x86_64)

That's all.

I hope this helps

Revulsive answered 22/11, 2020 at 16:58 Comment(0)
P
4

Add ansible_ssh_common_args='-o StrictHostKeyChecking=no' to your inventory, either like:

[all:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'

[all:children]
servers

[servers]
host1

OR:

[servers]
host1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'

Pomfrey answered 23/12, 2022 at 10:33 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Brawny
