Analysis and Solutions for Ansible SSH Connection Failures

Keywords: Ansible | SSH Connection | Automation Operations

Abstract: This article provides an in-depth analysis of common SSH connection failures in Ansible operations, particularly focusing on the error message "Failed to connect to the host via ssh." By examining Ansible's SSH connection mechanisms, the evolution of inventory configuration parameters, and authentication method selection, it offers comprehensive solutions ranging from basic configuration to advanced debugging. The article combines specific error cases to explain how to properly configure parameters like ansible_user and ansible_password, and introduces best practices for SSH key authentication, helping users quickly diagnose and fix Ansible connection issues.

Problem Background and Error Symptoms

When using Ansible for automation operations, SSH connection failures are among the most common obstacles. Users typically encounter error messages similar to:

fatal: [192.168.0.10]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true}

This error indicates that Ansible cannot establish an SSH connection with the target host, even though manual SSH login might work perfectly. The root cause often lies in differences between Ansible's SSH connection configuration and the parameters used for manual SSH.

Analysis of Ansible SSH Connection Mechanism

When Ansible executes remote commands via SSH, it constructs specific SSH commands. From verbose logs, we can see the actual execution command:

ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=user -o ConnectTimeout=10 192.168.0.10

Key parameter analysis:

-o PasswordAuthentication=no: Password authentication disabled by default
-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey: Prefers key-based authentication
-o User=user: Specifies SSH user

These default settings explain why Ansible might fail even when manual SSH works—it uses different authentication strategies.

Evolution of Inventory Configuration Parameters

Ansible's inventory configuration parameters have undergone significant evolution, which is the root cause of many connection issues. Earlier versions used:

ansible_ssh_user=user
ansible_ssh_pass='password'

But since Ansible 2.0, new parameter names are recommended:

ansible_user=user
ansible_password='password'

This change causes many old configurations to fail in newer versions. Correct configuration example:

192.168.0.10 ansible_user=user ansible_password='passphrase'
192.168.0.11 ansible_user=user ansible_password='passphrase'
192.168.0.12 ansible_user=user ansible_password='passphrase'

Solution Implementation

To resolve SSH connection failures, follow these steps:

1. Update Inventory Configuration

First ensure correct parameter names are used. Modify the /etc/ansible/hosts file:

192.168.0.10 ansible_user=user ansible_password='passphrase'
192.168.0.11 ansible_user=user ansible_password='passphrase'
192.168.0.12 ansible_user=user ansible_password='passphrase'

2. Test Connection

Test connection using the ping module:

ansible all -m ping

Successful response should be:

192.168.0.10 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

3. Use SSH Key Authentication (Recommended)

For production environments, SSH key authentication is recommended over passwords:

# Generate SSH key pair
ssh-keygen -t rsa -b 4096

# Copy public key to target host
ssh-copy-id user@192.168.0.10

# Inventory configuration (no password needed)
192.168.0.10 ansible_user=user
192.168.0.11 ansible_user=user
192.168.0.12 ansible_user=user

4. Debugging and Troubleshooting

If issues persist, use these methods for further debugging:

# Increase verbose level
ansible all -m ping -vvv

# Test SSH connection
ssh -v user@192.168.0.10

# Check Ansible configuration
ansible --version
ansible-config dump | grep -i ssh

Advanced Configuration Options

For complex environments, additional SSH parameters may be needed:

# Configure in ansible.cfg
[defaults]
host_key_checking = False
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null

# Or configure in inventory
192.168.0.10 ansible_user=user ansible_ssh_common_args='-o StrictHostKeyChecking=no'

Summary and Best Practices

Ansible SSH connection failures are typically caused by configuration parameter mismatches or authentication issues. Key takeaways include:

Use correct parameter names (ansible_user, ansible_password)
Prefer SSH key authentication over passwords
Understand differences between Ansible's SSH defaults and manual SSH
Utilize verbose output for debugging
Maintain compatibility between Ansible versions and configurations

Through systematic troubleshooting and proper configuration, most Ansible SSH connection issues can be resolved, ensuring smooth automation operations.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.