Bypassing Ansible SSH Host Key Checking: Methods and Security Practices

Overview of SSH Host Key Checking Mechanism

Ansible performs SSH host key verification by default during remote operations, which is a critical security feature of the SSH protocol. When connecting to a new host for the first time, the system prompts for confirmation of the host key fingerprint: The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established. RSA key fingerprint is xx:yy:zz:.... Are you sure you want to continue connecting (yes/no)? This interactive prompt causes execution interruptions in automated scripts, particularly in scenarios involving automatic creation and configuration of cloud servers.

Methods to Disable Host Key Checking

Environment Variable Configuration

Temporarily disable key checking by setting the ANSIBLE_HOST_KEY_CHECKING environment variable: export ANSIBLE_HOST_KEY_CHECKING=False. This method is only effective for the current session and becomes invalid after the session ends. For permanent effect, add this setting to the user's ~/.bashrc file and execute source ~/.bashrc to make the setting effective immediately.

Configuration File Approach

Setting in Ansible configuration files is the recommended approach. Add the following to system-level (/etc/ansible/ansible.cfg), user-level (~/.ansible.cfg), or project-level ( ansible.cfg in the same directory as the playbook) configuration files:

[defaults]
host_key_checking = False

Project-level configuration is particularly suitable for customizing different security policies for specific environments (such as temporary test instances) while maintaining strict global settings.

Direct SSH Parameter Specification

SSH options can be directly passed through the ansible_ssh_common_args variable. Set for specific hosts or groups in the inventory file:

[myhosts]
host1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
host2 ansible_ssh_common_args='-o StrictHostKeyChecking=no'

Or define as variables in the playbook:

vars:
  ansible_ssh_common_args: '-o StrictHostKeyChecking=no'

Security Considerations and Best Practices

Security Strategies for Different Environments

SSH host key verification provides significant security value for persistent hosts, preventing man-in-the-middle attacks. For dynamically created and destroyed temporary instances (such as Vagrant VMs for unit testing, short-lived EC2 instances), disabling key checking is reasonable since the connected host may differ each time.

Recommended security strategy:

• Keep host key checking enabled in global configuration (~/.ansible.cfg)
• Create separate ansible.cfg files in playbook directories for temporary instances to disable key checking
• Always enforce strict key verification for persistent hosts

Secure Alternative Approaches

For long-running EC2 instances, dynamically adding trusted host keys using ssh-keyscan is recommended:

- name: Write the new ec2 instance host key to known hosts
  connection: local
  shell: "ssh-keyscan -H {{ inventory_hostname }} >> ~/.ssh/known_hosts"

This method executes only once during instance creation, avoiding manual intervention while maintaining SSH connection security.

Command Line Integration

When directly executing ansible-playbook commands, SSH options can be passed through the --ssh-extra-args parameter:

ansible-playbook -i '52.8.13.17,' test-copy-files.yml --ssh-extra-args='-o StrictHostKeyChecking=no'

This approach is suitable for temporary testing and debugging scenarios.

Conclusion

Multiple technical implementation paths exist for bypassing Ansible's SSH host key checking, with the choice depending on specific usage scenarios and security requirements. In automated deployment pipelines, proper configuration of key checking strategies ensures both deployment efficiency and system security. The key is to develop differentiated security strategies based on host lifecycle and environmental characteristics, finding the balance between convenience and security.