Keywords: Ansible | SSH | Vagrant
Abstract: This article provides an in-depth analysis of the common Ansible error "ERROR! Using a SSH password instead of a key is not possible," which arises from incompatibility between SSH host key checking and the sshpass tool. Using a Vagrant environment as an example, it explains the root causes in detail and offers multiple solutions, including configuring ansible.cfg files, setting environment variables, and installing necessary dependencies. Through step-by-step guidance, readers will understand Ansible's SSH connection mechanisms and effectively resolve provisioning issues to ensure smooth automation workflows.
Problem Background and Error Analysis
When using Ansible for automated provisioning, particularly in Vagrant virtualized environments, users often encounter a specific error: "ERROR! Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host." This error typically occurs when attempting to connect with an SSH password instead of a key while Ansible's default settings enable Host Key Checking, which conflicts with the way the sshpass tool works.
Root Cause Explanation
Ansible relies on the SSH protocol to manage remote hosts, with connection methods primarily including key-based and password-based authentication. By default, Ansible enables Host Key Checking, a security mechanism that verifies remote host identities to prevent man-in-the-middle attacks. However, when using password authentication, Ansible invokes the sshpass tool to automate password entry. sshpass only supplies the password and will not confirm an unknown host key, so it does not support Host Key Checking for a host that is missing from known_hosts, and the connection fails. In the provided example, the Vagrantfile configures an ansible_local provisioner, and the hosts file specifies ansible_ssh_pass=vagrant, triggering the password authentication flow and thus causing the error.
Solution 1: Configure ansible.cfg File
According to the best answer (Answer 1, score 10.0), the most effective solution is to create an ansible.cfg configuration file and disable Host Key Checking. The steps are as follows:
- In the Ansible project directory (e.g., the same path as the playbook), create a file named ansible.cfg.
- Add the following content to the file:

```ini
[defaults]
host_key_checking = false
```

- Ensure the file is located where Ansible can read it during execution, such as within the directory specified by provisioning_path in a Vagrant environment.
This configuration directly modifies Ansible's default behavior, skipping Host Key Checking and allowing sshpass to work with password authentication. Note that disabling Host Key Checking removes the protection against man-in-the-middle attacks described above, so it is recommended only in trusted development or testing environments.
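The error text itself names the alternative to turning the check off: put each node's host key in known_hosts, after which sshpass never meets an unknown key. The sketch below is an added example, not code from the original article; it filters ssh-keyscan output against fingerprints read out of band (for instance on the VM console with ssh-keygen -lf on the host's public key file). The function names, key blobs and the mismatching fingerprint are constructed for illustration.

```python
import base64
import hashlib


def sha256_fingerprint(key_b64):
    """Fingerprint in the form ssh-keygen -l prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_keys(keyscan_output, trusted):
    """Split ssh-keyscan lines into known_hosts entries and rejected hosts.

    trusted maps host -> fingerprint obtained out of band (an assumption of
    this example); a host is accepted only when the scanned key matches it.
    """
    accepted, rejected = [], []
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank line, banner comment or malformed entry
        host, key_type, key_b64 = parts[:3]
        try:
            seen = sha256_fingerprint(key_b64)
        except ValueError:  # binascii.Error: the blob is not valid base64
            rejected.append(host)
            continue
        if trusted.get(host) == seen:
            accepted.append(f"{host} {key_type} {key_b64}")
        else:
            rejected.append(host)
    return accepted, rejected


# Constructed sample data: placeholder blobs, not real SSH host keys.
KEY1 = base64.b64encode(b"constructed host key for node1").decode()
KEY2 = base64.b64encode(b"constructed host key for node2").decode()
KEYSCAN = (
    "# 192.168.10.11:22 SSH-2.0-OpenSSH\n"
    f"192.168.10.11 ssh-ed25519 {KEY1}\n"
    f"192.168.10.12 ssh-ed25519 {KEY2}\n"
)
TRUSTED = {
    "192.168.10.11": sha256_fingerprint(KEY1),  # matches the scanned key
    "192.168.10.12": "SHA256:" + "A" * 43,      # differs: do not trust the scan
}

if __name__ == "__main__":
    ok, bad = pin_host_keys(KEYSCAN, TRUSTED)
    print("known_hosts entries:", *ok, sep="\n  ")
    print("rejected hosts:", bad)
```

Append the accepted lines to the controller's known_hosts file and leave host_key_checking at its default; a rejected host needs investigation, not an override.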
Solution 2: Set Environment Variables
As supplementary references (Answer 2, score 6.6; Answer 3, score 2.9), another approach is to temporarily disable Host Key Checking by setting environment variables. This can be executed before running Ansible commands:
```bash
export ANSIBLE_HOST_KEY_CHECKING=False
```
Alternatively, add environment variables via provisioner configuration in the Vagrantfile. This method offers flexibility but is less persistent than a configuration file, which makes it suitable for quick testing scenarios. Note that behavior may vary across Ansible versions: Answer 2 mentions that the configuration file method did not work in Ansible 2.6.2, but environment variables still functioned.
Dependency Check and Installation
The error message references sshpass, indicating that Ansible attempts to use this tool for password authentication. If sshpass is not installed on the target system, other errors may arise, such as "ERROR! to use the 'ssh' connection type with passwords, you must install the sshpass program." Therefore, before applying the above solutions, it is advisable to check and ensure sshpass is installed. In Ubuntu-based Vagrant boxes, it can be installed with:
```bash
sudo apt-get update
sudo apt-get install sshpass
```
This step is mentioned in the supplementary note of Answer 1, emphasizing the importance of environment preparation.
Code Examples and Configuration Optimization
To clearly demonstrate the solutions, here is an integrated Vagrantfile snippet combining Ansible configuration and environment setup:
```ruby
Vagrant.configure("2") do |config|
  # Three nodes on a private network: 192.168.10.11 to 192.168.10.13
  (1..3).each do |index|
    config.vm.define "node#{index}" do |node|
      node.vm.box = "ubuntu"
      node.vm.network :private_network, ip: "192.168.10.#{10 + index}"
      # node3 acts as the controller and runs Ansible locally
      if index == 3
        # sshpass is required for password-based SSH connections
        node.vm.provision :shell, inline: "sudo apt-get install -y sshpass", run: "always"
        node.vm.provision :setup, type: :ansible_local do |ansible|
          ansible.playbook = "playbook.yml"
          ansible.provisioning_path = "/vagrant/ansible"
          ansible.inventory_path = "/vagrant/ansible/hosts"
          ansible.limit = :all
          ansible.install_mode = :pip
          ansible.version = "2.0"
          # Pass ansible_host_key_checking=false to the playbook as an extra variable
          ansible.extra_vars = { ansible_host_key_checking: false }
        end
      end
    end
  end
end
```
In this example, we added a shell provisioner to install sshpass and passed Ansible variables via extra_vars to disable Host Key Checking. Meanwhile, the hosts file can be simplified to:
```ini
[webservers]
192.168.10.11
192.168.10.12

[all:vars]
ansible_connection=ssh
ansible_ssh_user=vagrant
ansible_ssh_pass=vagrant
```
This way, combined with configuration files or environment variables, Ansible can run smoothly.
Conclusion and Best Practices
The core of resolving the "SSH password vs. Host Key Checking conflict" error lies in understanding Ansible's security mechanisms and tool limitations. Recommended practices include: in development environments, use an ansible.cfg configuration file to disable Host Key Checking and ensure sshpass is installed; in production environments, prioritize SSH key authentication for enhanced security. Through this step-by-step analysis, readers can gain deeper insights into Ansible configuration techniques, avoid common pitfalls, and improve automation efficiency.
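To keep the development-only settings from this article out of a production repository, a pre-deployment check can look for them. This is an added example, not part of the original article; the function names and finding strings are assumptions, and the sample inputs are constructed to mirror the files shown above.

```python
import configparser

FALSE_WORDS = {"0", "false", "no", "off", "n", "f"}  # spellings Ansible reads as false
PASSWORD_VARS = {"ansible_ssh_pass", "ansible_password", "ansible_ssh_password"}


def audit_config(cfg_text, env):
    """Report where host key checking is switched off (ansible.cfg or environment)."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    value = parser.get("defaults", "host_key_checking", fallback="true")
    if value.strip().lower() in FALSE_WORDS:
        findings.append("ansible.cfg: host_key_checking disabled")
    if env.get("ANSIBLE_HOST_KEY_CHECKING", "true").strip().lower() in FALSE_WORDS:
        findings.append("env: ANSIBLE_HOST_KEY_CHECKING disabled")
    return findings


def audit_inventory(inventory_text):
    """Report INI inventory lines that store an SSH password in plaintext."""
    findings = []
    for number, line in enumerate(inventory_text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        for token in line.split():
            key, sep, value = token.partition("=")
            # A "{{ ... }}" value refers to a variable (e.g. one kept in a vault file).
            if sep and key in PASSWORD_VARS and not value.strip("'\"").startswith("{{"):
                findings.append(f"inventory:{number}: {key} in plaintext")
    return findings


# Constructed samples mirroring the ansible.cfg and hosts file in this article.
SAMPLE_CFG = "[defaults]\nhost_key_checking = false\n"
SAMPLE_INVENTORY = """[webservers]
192.168.10.11
192.168.10.12
[all:vars]
ansible_connection=ssh
ansible_ssh_user=vagrant
ansible_ssh_pass=vagrant
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CFG, {"ANSIBLE_HOST_KEY_CHECKING": "False"})
    report += audit_inventory(SAMPLE_INVENTORY)
    print("\n".join(report))
```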