157

I would like to use the ansible-playbook command instead of 'vagrant provision'. However, setting host_key_checking=false in the hosts file does not seem to work.

# hosts file
vagrant ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key ansible_ssh_user=vagrant ansible_ssh_port=2222 ansible_ssh_host=127.0.0.1 host_key_checking=false

Is there a configuration variable outside of Vagrantfile that can override this value?

chicks
mbdev

6 Answers

259

Due to the fact that I answered this in 2014, I have updated my answer to account for more recent versions of ansible.

Yes, you can do it at the host/inventory level (which became possible on newer ansible versions) or global level:

inventory:

Add the following.

ansible_ssh_common_args='-o StrictHostKeyChecking=no'

host:

Add the following.

ansible_ssh_extra_args='-o StrictHostKeyChecking=no'

hosts/inventory options will work with connection type ssh and not paramiko. Some people may strongly argue that inventory and hosts is more secure because the scope is more limited.

global:

Ansible User Guide - Host Key Checking

  • You can do it either in the /etc/ansible/ansible.cfg or ~/.ansible.cfg file:

    [defaults]
    host_key_checking = False
    
  • Or you can set up an env variable (this might not work on newer ansible versions):

    export ANSIBLE_HOST_KEY_CHECKING=False
    
Zeitounator
Rico
  • 33
    I'm using ansible 1.7.2 and my experience has been that the environment variable `ANSIBLE_HOST_KEY_CHECKING` works but `-e 'host_key_checking=False'` does not work. – Marc Abramowitz Nov 22 '14 at 17:43
  • 7
    Your first statement "Yes, but not at the hosts/inventory level" is false. You can use `ansible_ssh_common_args='-o StrictHostKeyChecking=no'` or `ansible_ssh_extra_args='-o StrictHostKeyChecking=no'` – Shammel Lee Sep 10 '16 at 10:36
  • 2
    Only the last option worked for me (export ANSIBLE_HOST_KEY_CHECKING=False) before running my playbook. – ted-k42 May 31 '17 at 06:56
  • 1
    *"Yes, but not at the hosts/inventory level."* -- Is shown to be false, proven by [my answer](https://stackoverflow.com/a/35564773/1254292). I'd even say this is not really an answer to the question on how to set it on *inventory* level. – gertvdijk Aug 02 '17 at 10:06
  • @gertvdijk I answered this in 2014. Ansible has gone through a bunch of revisions. That's not the case anymore ? – Rico Aug 02 '17 at 16:11
  • For a oneliner I passed the environment variable in with the command `ANSIBLE_HOST_KEY_CHECKING=false ansible all -m ping` it's a shame `ansible -e ansible_host_key_checking=false all -m ping` does not seem to work – mbigras Jul 09 '18 at 03:02
  • or via `--ssh-common-args` command-line option should you wish to rapidly change and debug – Peter Kahn Mar 16 '20 at 15:39
  • I used `ansible_ssh_extra_args='-o StrictHostKeyChecking=no'` in inventory vars and it worked. Thanks – Krishnom Mar 06 '22 at 17:14
  • How do you do it for paramiko or libssh? – stackprotector Dec 12 '22 at 15:01
83

Yes, you can set this on the inventory/host level.

With an already accepted answer present, I think this is a better answer to the question on how to handle this on the inventory level. I consider this more secure by isolating this insecure setting to the hosts required for this (e.g. test systems, local development machines).

What you can do at the inventory level is add

ansible_ssh_common_args='-o StrictHostKeyChecking=no'

or

ansible_ssh_extra_args='-o StrictHostKeyChecking=no'

to your host definition (see Ansible Behavioral Inventory Parameters).

This will work provided you use the ssh connection type (not paramiko or something else).

For example, a Vagrant host definition would look like…

vagrant ansible_port=2222 ansible_host=127.0.0.1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'

or

vagrant ansible_port=2222 ansible_host=127.0.0.1 ansible_ssh_extra_args='-o StrictHostKeyChecking=no'

Running Ansible will then be successful without changing any environment variable.

$ ansible vagrant -i <path/to/hosts/file> -m ping
vagrant | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

In case you want to do this for a group of hosts, here's a suggestion to make it a supplemental group var for an existing group like this:

[mytestsystems]
test[01:99].example.tld

[insecuressh:children]
mytestsystems

[insecuressh:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
Community
gertvdijk
  • 4
    This is a much better answer. – marcv81 Apr 06 '16 at 04:10
  • This suggestion worked for me, and I agree that this is something that should be set at a project level (rather than the global level) because of security concerns. – andrewdcato May 05 '17 at 15:26
  • 1
    I included `ansible_ssh_common_args: '-o StrictHostKeyChecking=no'` in the group_vars file yml file. – g . Sep 18 '17 at 09:53
  • I had a problem when using the server private ip addresses, but then I used the group of hosts configuration, and it worked! You just saved my day, thank you! – Budianto IP Aug 12 '23 at 01:19
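
An added example, not part of any answer on this page: a small Python audit that reports where host key verification is switched off and at what scope (global ansible.cfg, inventory group, or single host), using the settings named in the answers. The sample config and inventory are constructed for illustration, and the parser is an assumption that handles only INI-style inventories.

```python
import configparser
import re
import shlex

# ssh options that disable host key verification (values used in the answers)
WEAK = re.compile(r"StrictHostKeyChecking\s*[= ]\s*no\b"
                  r"|(?:User|Global)KnownHostsFile\s*[= ]\s*/dev/null", re.I)
ARG_VARS = ("ansible_ssh_common_args", "ansible_ssh_extra_args")

def _weak(scope, name, pairs):  # one finding per key=value pair with a weak ssh option
    return [(scope, name, k.strip()) for k, _, v in (p.partition("=") for p in pairs)
            if k.strip() in ARG_VARS and WEAK.search(v)]

def audit_cfg(text):
    """Findings in an ansible.cfg; anything set here applies to every host."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    found = []
    if cp.get("defaults", "host_key_checking", fallback="True").lower() in ("false", "no", "0"):
        found.append(("global", "defaults", "host_key_checking"))
    if WEAK.search(cp.get("ssh_connection", "ssh_args", fallback="")):
        found.append(("global", "ssh_connection", "ssh_args"))
    return found

def audit_inventory(text):
    """Findings in an INI inventory, tagged with the host or group they apply to."""
    found, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section.endswith(":vars"):          # group scope, one key=value per line
            found += _weak("group", section[:-len(":vars")], [line])
        elif not section.endswith(":children"):  # host line: name key=value ...
            name, *pairs = shlex.split(line)
            found += _weak("host", name, pairs)
    return found

SAMPLE_CFG = "[defaults]\nhost_key_checking = False\n"  # constructed sample input
SAMPLE_INVENTORY = """\
vagrant ansible_host=127.0.0.1 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
[mytestsystems]
test[01:99].example.tld
[insecuressh:children]
mytestsystems
[insecuressh:vars]
ansible_ssh_extra_args='-o UserKnownHostsFile=/dev/null'
"""
```

Both functions return `(scope, name, setting)` tuples, so a `global` finding stands out from one confined to a test group or a single Vagrant host.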
5

I could not use:

ansible_ssh_common_args='-o StrictHostKeyChecking=no'

in inventory file. It seems ansible does not consider this option in my case (ansible 2.0.1.0 from pip in ubuntu 14.04)

I decided to use:

server ansible_host=192.168.1.1 ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null'

It helped me.

Also, you could set this variable in a group instead of for each host:

[servers_group:vars]
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null'
vskubriev
  • Setting the `UserKnownHostsFile` / `GlobalKnownHostsFile` option to `/dev/null` also works indeed. It's strange that setting `StrictHostKeyChecking` does not work for you. Most likely some option in your SSH configuration is the cause. – gertvdijk Jun 21 '16 at 08:16
  • 1
    +1 for `-o UserKnownHostsFile=/dev/null`. Without it also just didn't work for me, irrespective of the location and way I specified `ansible_ssh_common_args` outlined in the other answers. – Till Kuhn Feb 11 '20 at 14:20
0

In /etc/ansible/ansible.cfg uncomment the line:

host_key_checking = False

and in /etc/ansible/hosts uncomment the line

client_ansible ansible_ssh_host=10.1.1.1 ansible_ssh_user=root ansible_ssh_pass=12345678

That's all

CDspace
0

Adding the following to the ansible config worked while using ansible ad-hoc commands:

[ssh_connection]
# ssh arguments to use
ssh_args = -o StrictHostKeyChecking=no

Ansible Version

ansible 2.1.6.0
config file = /etc/ansible/ansible.cfg
dina
0

You set these configs either in the /etc/ansible/ansible.cfg or ~/.ansible.cfg or ansible.cfg (in your current directory) file:

[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

tested with ansible 2.9.6 in ubuntu 20.04

Alupotha