34

I'm running an Ansible playbook with a subtle hack to work on an arbitrary port-forwarded port (so I can use one machine with no direct access to lots of machines).

I've got a pre-task to change the ansible_port variable, so then when I start running my real tasks and roles, I get prompted to accept the host keys for localhost on some random port.

Because I am naive and don't care about security, I would like ssh to auto-accept and redirect to /dev/null (or another file for logging).

Is this possible?

Chaminda Bandara
Peter Turner

4 Answers

37

This is typically done by setting the following value in ansible.cfg:

    [defaults]
    host_key_checking = False

If you don't want to modify ansible.cfg you can set an environment variable like so:

    export ANSIBLE_HOST_KEY_CHECKING=False

Source: http://docs.ansible.com/ansible/intro_getting_started.html#host-key-checking

Zlemini
28

In your ansible.cfg file you need to add the following line:

    [ssh_connection]
    ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

You could also add those options in your ~/.ssh/config on every machine from which you run it, something like this:

    Host *
       StrictHostKeyChecking no
       UserKnownHostsFile=/dev/null
chicks
Jiri Klouda
3

There are boolean variables for this that can be set where they're needed (such as in playbooks) so as not to do this globally, which reduces overall security.

    var: ansible_host_key_checking
    var: ansible_ssh_host_key_checking
    var: ansible_paramiko_host_key_checking

So doing ansible_ssh_host_key_checking: False in a playbook should work.

However, I don't believe they'll work until Ansible 2.12. See "Disabling host key checking via variable doesn't seem to work" (#49254) for details.

For now, I'd recommend doing this:

    ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook ...

...and not setting this in the global Ansible configuration. It's a good idea to be explicit when disabling security features so that you're aware of what you're doing.

colan
0

Bypassing host key checking in Ansible

To bypass host key authenticity in Ansible, you can follow any of these methods:

(1) Using the ansible.cfg file:

In the playbook/project directory, create a file ansible.cfg and add the following lines:

    [defaults]
    host_key_checking = False

Note that this method works globally, and all the hosts present in the inventory/hosts file will be affected unless mentioned in the hosts file.

(2) Exporting an environment variable from your machine (temporary method):

    export ANSIBLE_HOST_KEY_CHECKING=False

This is the temporary method and will only work as long as the session is connected (SSH session). Once you break the session, the environment variable will be removed.

(3) Exporting an environment variable from your machine (permanent method):

To set the variable "ANSIBLE_HOST_KEY_CHECKING=False" permanently, edit the ~/.bashrc file of the user running the ansible commands. Add the line below at the end of the file, then save and exit:

    export ANSIBLE_HOST_KEY_CHECKING=False

Then source the file so that the changes take effect for the current SSH session, using the command below:

    source ~/.bashrc

(4) Using the Ansible SSH common arguments variable:

(a) You can specify SSH options directly in your inventory file for specific hosts or groups:

    [myhosts]
    host1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
    host2 ansible_ssh_common_args='-o StrictHostKeyChecking=no'

(b) You can also define the above arguments in playbooks.

For example:

    - name: Playbook for copying files from local machine to remote server
      hosts: all
      vars:
        ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
      roles:
        - copy_files

(5) By simply using the CLI and running the ansible command:

For example:

    ansible-playbook -i '52.8.13.17,' -e 'host=52.8.13.17' test-copy-files.yml --private-key /home/ansible-user/.ssh/ansible-user.key --ssh-extra-args='-p 2222' -e "ansible_ssh_common_args='-o StrictHostKeyChecking=no'" --check
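
An added example, not part of any answer above and not Ansible's own code: a small Python audit that finds where the settings quoted on this page have switched off host key checking, and reports whether each one is global or scoped to a host, play or named `Host` block. The sample files, the `bastion` host and all function and pattern names are constructed for illustration.

```python
import re

# Settings the answers above use to switch off SSH host key verification.
HKC_OFF = re.compile(r"\b(?:ansible_(?:ssh_|paramiko_)?)?host_key_checking"
                     r"\s*[=:]\s*(?:false|no|0|off)\b", re.IGNORECASE)
SSH_OPT = re.compile(r"\b(StrictHostKeyChecking)[=\s]+(?:no|off)\b"
                     r"|\b(UserKnownHostsFile)[=\s]+/dev/null", re.IGNORECASE)
ANSIBLE_VAR = re.compile(r"\bansible_\w+\s*[=:]")  # lower case: inventory/play variable

def audit(text):
    """Return (line number, scope, setting) for every weakened setting in text."""
    findings, host_block = [], "*"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        block = re.match(r"Host\s+(.+)", line, re.IGNORECASE)
        if block:                                     # ssh_config "Host <patterns>" header
            host_block = block.group(1).strip()
            continue
        hits = [m.group(1) or m.group(2) for m in SSH_OPT.finditer(line)]
        if HKC_OFF.search(line):
            hits.append("host_key_checking")
        # A variable or a named Host block is scoped; anything else hits every connection.
        scoped = bool(ANSIBLE_VAR.search(line)) or host_block != "*"
        findings += [(lineno, "scoped" if scoped else "global", h) for h in hits]
    return findings

# Constructed samples built from the snippets quoted in the answers.
ANSIBLE_CFG = """[defaults]
host_key_checking = False
# host_key_checking = False
[ssh_connection]
ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
"""
SSH_CONFIG = """Host *
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null
Host bastion
   StrictHostKeyChecking no
"""
INVENTORY = """[myhosts]
host1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
host2 ansible_port=2222
"""

if __name__ == "__main__":
    samples = {"ansible.cfg": ANSIBLE_CFG, "ssh_config": SSH_CONFIG, "inventory": INVENTORY}
    for name, text in samples.items():
        for lineno, scope, setting in audit(text):
            print(f"{name}:{lineno}: {scope}: host key checking weakened via {setting}")
```

Pass each file's contents to `audit()` separately, since the `Host` block state is tracked per file.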