AnsiblePilot — Master Ansible Automation

Ansible known_hosts Module: Manage SSH Host Keys (Complete Guide)

By Luca Berton · Published 2024-01-01 · Category: troubleshooting

How to use Ansible known_hosts module to manage SSH host keys. Add, remove, and verify host keys for secure SSH connections. Complete guide with examples.

The ansible.builtin.known_hosts module manages entries in an SSH known_hosts file. This guide covers all common use cases with practical playbook examples.

Add a Host Key

- name: Add host key to known_hosts
  ansible.builtin.known_hosts:
    name: github.com
    key: "{{ lookup('ansible.builtin.pipe', 'ssh-keyscan -t ed25519 github.com') }}"
    state: present

Add Multiple Hosts

- name: Scan and add host keys
  ansible.builtin.known_hosts:
    name: "{{ item }}"
    key: "{{ lookup('ansible.builtin.pipe', 'ssh-keyscan -t ed25519 ' + item) }}"
    state: present
  loop:
    - github.com
    - gitlab.com
    - bitbucket.org

Remove a Host Key

- name: Remove old host key
  ansible.builtin.known_hosts:
    name: old-server.example.com
    state: absent

FAQ

How do I manage SSH known_hosts in Ansible?

Use ansible.builtin.known_hosts with the hostname and key. Get the key with ssh-keyscan via a lookup plugin. Set state: present to add or absent to remove.

Why should I manage known_hosts with Ansible?

Pre-populating known_hosts prevents interactive prompts during automation and reduces the risk of man-in-the-middle attacks by verifying host keys before first connection.
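The protection described above only holds if the key that lands in known_hosts is the host's real key: ssh-keyscan simply records whatever key the network returns, so the scan itself is a trust-on-first-use step. The following Python script is an added example, not code from this article or from the Ansible project. It parses ssh-keyscan output, computes each key's SHA256 fingerprint in the same form that ssh-keygen -lf prints, and compares it against a fingerprint obtained out of band (from a provisioning record or console) before the line is handed to the module's key parameter. The hostnames, the key bytes and the pin table are all constructed for the example and are not real servers or keys.

```python
import base64
import hashlib
import struct


# --- constructed sample data (hypothetical hosts and key bytes) ------------
def _ed25519_blob(raw32: bytes) -> bytes:
    """Encode 32 hypothetical key bytes as an OpenSSH ssh-ed25519 wire blob."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32


KEY_A_B64 = base64.b64encode(_ed25519_blob(bytes(range(32)))).decode()
KEY_B_B64 = base64.b64encode(_ed25519_blob(bytes(range(32, 64)))).decode()

# Constructed stand-in for the stdout of
# `ssh-keyscan -t ed25519 server1.example.com server2.example.com`.
SAMPLE_SCAN = (
    f"server1.example.com ssh-ed25519 {KEY_A_B64}\n"
    f"server2.example.com ssh-ed25519 {KEY_B_B64}\n"
)


def parse_keyscan(text):
    """Return (host, keytype, key_b64) per key line; skip blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed host key line: {line!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def fingerprint(key_b64):
    """SHA256 fingerprint of the decoded key blob, formatted like `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_against_pins(scan_text, pins):
    """Classify each scanned host: 'ok', 'mismatch' (rotated key or tampering,
    investigate before trusting) or 'unpinned' (no out-of-band fingerprint)."""
    verdicts = {}
    for host, _keytype, key_b64 in parse_keyscan(scan_text):
        expected = pins.get(host)
        actual = fingerprint(key_b64)
        if expected is None:
            verdicts[host] = "unpinned"
        elif expected == actual:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "mismatch"
    return verdicts


def trusted_lines(scan_text, pins):
    """Only the scan lines whose fingerprint matched a pin; these are the
    values it is safe to pass to the known_hosts module's `key` parameter."""
    ok = {h for h, v in verify_against_pins(scan_text, pins).items() if v == "ok"}
    lines = []
    for line in scan_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ok:
            lines.append(line)
    return lines


if __name__ == "__main__":
    # Constructed pin table; the second pin is deliberately wrong to show a mismatch.
    pins = {
        "server1.example.com": fingerprint(KEY_A_B64),
        "server2.example.com": fingerprint(KEY_A_B64),
    }
    for host, verdict in verify_against_pins(SAMPLE_SCAN, pins).items():
        print(f"{host}: {verdict}")
    print(trusted_lines(SAMPLE_SCAN, pins))
```

The fingerprint string is the one an administrator sees on the host itself with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub, so the pin table can be filled from the console or from the build pipeline that generated the host key. A "mismatch" is the case the FAQ answer warns about and should stop the playbook rather than be overwritten.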

Conclusion

The ansible.builtin.known_hosts module is a versatile tool for managing SSH known_hosts entries. Use the examples above as starting points and adapt them to your infrastructure needs.

Module Parameters Reference

| Parameter | Required | Default | Description |
|---|---|---|---|
| name | Yes | — | Hostname or IP address of the host |
| key | No | — | The SSH public host key (required for state: present) |
| path | No | ~/.ssh/known_hosts | Path to the known_hosts file |
| state | No | present | present to add, absent to remove |
| hash_host | No | false | Hash the hostname in the known_hosts file |

Add a Host Key

- name: Add host key from ssh-keyscan
  ansible.builtin.known_hosts:
    name: server1.example.com
    key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 server1.example.com 2>/dev/null') }}"
    state: present

Scan and Add Multiple Hosts

- name: Scan SSH host keys
  ansible.builtin.command: ssh-keyscan -t ed25519 {{ item }}
  loop:
    - server1.example.com
    - server2.example.com
    - server3.example.com
  register: ssh_keys
  changed_when: false

- name: Add scanned host keys
  ansible.builtin.known_hosts:
    name: "{{ item.item }}"
    key: "{{ item.stdout }}"
    state: present
  loop: "{{ ssh_keys.results }}"
  when: item.stdout | length > 0

Remove a Host Key

- name: Remove old host key
  ansible.builtin.known_hosts:
    name: decommissioned-server.example.com
    state: absent

Hash Host Entries for Security

- name: Add host key with hashed hostname
  ansible.builtin.known_hosts:
    name: secure-server.example.com
    key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 secure-server.example.com 2>/dev/null') }}"
    hash_host: true
    state: present

Complete Playbook: Bootstrap SSH Trust

---
- name: Bootstrap SSH known_hosts for all managed hosts
  hosts: localhost
  gather_facts: false

  tasks:
    - name: Scan SSH keys from all inventory hosts
      ansible.builtin.command: ssh-keyscan -t ed25519,rsa {{ item }}
      loop: "{{ groups['all'] }}"
      register: host_keys
      changed_when: false
      failed_when: false

    - name: Add all host keys to known_hosts
      ansible.builtin.known_hosts:
        name: "{{ item.item }}"
        key: "{{ item.stdout }}"
        state: present
        path: ~/.ssh/known_hosts
      loop: "{{ host_keys.results }}"
      when: item.stdout | length > 0

    - name: Report hosts with no keys found
      ansible.builtin.debug:
        msg: "WARNING: No SSH key found for {{ item.item }}"
      loop: "{{ host_keys.results }}"
      when: item.stdout | length == 0

What key types should I scan?

Prefer ed25519 for modern systems. Fall back to rsa for older hosts. Avoid dsa (deprecated) and ecdsa (less preferred).

How do I handle host key changes?

Remove the old key with state: absent, then add the new one with state: present. Or use ssh-keygen -R hostname in a shell task.

Should I hash hostnames in known_hosts?

Hashing (hash_host: true) prevents attackers from reading your known_hosts to discover your infrastructure. Recommended for production environments.
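To make concrete what hash_host: true buys, here is an added Python example (not code from this article, from OpenSSH or from the Ansible module) of the hashed host field OpenSSH stores, |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)): a client can still verify a hostname by recomputing the HMAC with the stored salt, but the names cannot be read back out of the file. The hostnames, the fixed salt and the key string are constructed placeholders; the key string is not a decodable key blob.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # marker OpenSSH writes in front of a hashed host field


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the hashed host field OpenSSH (and hash_host: true) would store."""
    if salt is None:
        salt = os.urandom(20)  # 20 bytes: the SHA-1 output length
    if len(salt) != 20:
        raise ValueError("salt must be 20 bytes")
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches_field(hostname: str, host_field: str) -> bool:
    """True if hostname matches a known_hosts host field, hashed or plain."""
    if host_field.startswith(HASH_MAGIC):
        parts = host_field.split("|")  # ['', '1', salt_b64, mac_b64]
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        stored = base64.b64decode(parts[3])
        computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(computed, stored)
    # Plain field: comma-separated names/addresses (wildcard patterns not handled here).
    return hostname in host_field.split(",")


def find_host_keys(hostname: str, known_hosts_text: str) -> List[Tuple[str, str]]:
    """Return (keytype, key) for every known_hosts line that matches hostname."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        if host_matches_field(hostname, parts[0]):
            found.append((parts[1], parts[2]))
    return found


# Constructed sample file: one hashed entry (fixed salt so the output is
# reproducible) and one plain entry. The key string is a placeholder only.
PLACEHOLDER_KEY = "PLACEHOLDER_KEY_BLOB_NOT_DECODABLE"
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"{hash_hostname('secure-server.example.com', FIXED_SALT)} ssh-ed25519 {PLACEHOLDER_KEY}",
    f"legacy.example.com,10.0.0.7 ssh-rsa {PLACEHOLDER_KEY}",
]) + "\n"


if __name__ == "__main__":
    print(SAMPLE_KNOWN_HOSTS)
    # The hashed line still verifies for the right name and for nothing else.
    print(find_host_keys("secure-server.example.com", SAMPLE_KNOWN_HOSTS))
    print(find_host_keys("other.example.com", SAMPLE_KNOWN_HOSTS))
```

Because the salt is random per entry, the same hostname hashes differently in every file, so an attacker who obtains a copy cannot even correlate entries across machines. Lookups and removals keep working through the standard tools (ssh-keygen -F hostname and ssh-keygen -R hostname both recompute the HMAC exactly as above), which is why hashing costs nothing operationally.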
