Ansible SSH Password Authentication: sshpass & Connection Setup (Guide)
By Luca Berton · Published 2024-01-01 · Category: installation
Complete guide to Ansible SSH password authentication. Install sshpass, configure ansible_password, use Ansible Vault for secure credentials, and troubleshoot.
By default, Ansible uses SSH key-based authentication. But in many environments — new server provisioning, legacy systems, lab environments — you need password-based SSH login. This guide covers every method to configure Ansible for SSH password authentication.
Prerequisites: Install sshpass
Ansible requires the sshpass program for password-based SSH connections. Without it, you'll see:
FAILED! => {"msg": "to use the 'ssh' connection type with passwords or pkcs11_provider, you must install the sshpass program"}
Install sshpass by OS
# Debian/Ubuntu
sudo apt install sshpass
# RHEL/CentOS/Fedora/AlmaLinux
sudo dnf install sshpass
# macOS (Homebrew)
brew install sshpass
# If not found in default tap:
brew install esolitos/ipa/sshpass
# SUSE/openSUSE
sudo zypper install sshpass
# Arch Linux
sudo pacman -S sshpass
Verify Installation
which sshpass
sshpass -V
Method 1: Command Line (--ask-pass)
The simplest method — Ansible prompts for the SSH password:
ansible all -m ping --ask-pass
# or
ansible-playbook site.yml --ask-pass
# Short form:
ansible-playbook site.yml -k
For sudo/become password:
ansible-playbook site.yml --ask-pass --ask-become-pass
# Short forms:
ansible-playbook site.yml -k -K
Method 2: Inventory Variables (ansible_password)
Set the password in your inventory:
INI Format
[webservers]
web1 ansible_host=192.168.1.10 ansible_user=admin ansible_password=MyPassword123
web2 ansible_host=192.168.1.11 ansible_user=admin ansible_password=MyPassword123
[webservers:vars]
ansible_connection=ssh
YAML Format
all:
  children:
    webservers:
      hosts:
        web1:
          ansible_host: 192.168.1.10
          ansible_user: admin
          ansible_password: MyPassword123
        web2:
          ansible_host: 192.168.1.11
          ansible_user: admin
          ansible_password: MyPassword123
> ⚠️ Security Warning: Never store plain-text passwords in inventory files committed to version control. Use Ansible Vault (Method 3) instead.
Method 3: Ansible Vault (Recommended)
The secure way to manage SSH passwords:
Create an Encrypted Variables File
ansible-vault create group_vars/webservers/vault.yml
Add the encrypted password:
# group_vars/webservers/vault.yml (encrypted)
vault_ansible_password: "MySecurePassword123"
Reference it in your group vars:
# group_vars/webservers/vars.yml (not encrypted)
ansible_user: admin
ansible_password: "{{ vault_ansible_password }}"
Run with Vault
# Prompt for vault password
ansible-playbook site.yml --ask-vault-pass
# Use a vault password file
ansible-playbook site.yml --vault-password-file ~/.vault_pass
# Environment variable
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass
ansible-playbook site.yml
Encrypt an Existing File
ansible-vault encrypt inventory/group_vars/all/vault.yml
Encrypt a Single String
ansible-vault encrypt_string 'MyPassword123' --name 'ansible_password'
Use the output directly in your vars file:
ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6233613031383...
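The plain-text warning in Method 2 can be enforced with a check run before each commit. The Python below is an added example, not part of the original guide or of Ansible: it flags literal ansible_password and ansible_become_password values, files named vault* that are not encrypted, and settings that turn off host key checking. The function names and sample inputs are constructed for illustration.

```python
import re

# Credential variables used in this guide; their values must not be literals.
ASSIGN = re.compile(r"\b(ansible_(?:become_)?password)\s*[=:]\s*(.*)$")
# Settings that switch off SSH host key verification.
HOSTKEY_OFF = re.compile(
    r"host_key_checking\s*[=:]\s*(false|no|0)\b|StrictHostKeyChecking\s*=\s*no", re.I)


def is_protected(value):
    """True for an empty value, an inline !vault blob, or a Jinja2 reference."""
    value = value.strip().strip("'\"")
    return not value or value.startswith(("!vault", "{{"))


def audit(filename, text):
    """Return (line_number, problem) tuples; secret values are never echoed."""
    if text.startswith("$ANSIBLE_VAULT;"):
        return []  # whole file is vault-encrypted, nothing readable to check
    findings = []
    if filename.rsplit("/", 1)[-1].startswith("vault"):
        findings.append((1, "vault file is stored unencrypted"))
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = ASSIGN.search(stripped)
        if match and not is_protected(match.group(2)):
            findings.append((number, "plain-text " + match.group(1)))
        if HOSTKEY_OFF.search(stripped):
            findings.append((number, "host key checking disabled"))
    return findings


# Constructed samples modelled on the inventory snippets in this guide.
SAMPLE_INI = (
    "[webservers]\n"
    "web1 ansible_host=192.168.1.10 ansible_user=admin ansible_password=MyPassword123\n"
    "[all:vars]\n"
    "ansible_ssh_common_args='-o StrictHostKeyChecking=no'\n"
)
SAMPLE_VARS = (
    "ansible_user: admin\n"
    'ansible_password: "{{ vault_ansible_password }}"\n'
)

if __name__ == "__main__":
    for name, text in (("inventory.ini", SAMPLE_INI), ("vars.yml", SAMPLE_VARS)):
        print(name, audit(name, text))
```

A non-empty result from audit() is a reason to block the commit; the findings name the line and the variable but never the value.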
Method 4: ansible.cfg Configuration
Set defaults in ansible.cfg:
[defaults]
# Always prompt for SSH password
ask_pass = true
# Set default remote user
remote_user = admin
# Set connection timeout
timeout = 30
[privilege_escalation]
# Always prompt for become password
become_ask_pass = true
Method 5: Environment Variables
# Prompt for the SSH password on every run (same effect as ask_pass = true; less common)
export ANSIBLE_ASK_PASS=true
# Or set a default password file for vault
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass
Disable Host Key Checking
When using password auth with new hosts, you'll often hit host key verification failures:
# ansible.cfg
[defaults]
host_key_checking = false
Or per-command:
ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook site.yml -k
Or in inventory:
[all:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
> ⚠️ Security Note: Only disable host key checking in trusted environments (labs, initial provisioning). In production, distribute SSH keys and use known_hosts.
Become (sudo) Password
When you need both SSH login and sudo elevation:
# inventory or group_vars
ansible_user: admin
ansible_password: "{{ vault_ssh_password }}"
ansible_become: true
ansible_become_password: "{{ vault_become_password }}"
If SSH and sudo passwords are the same:
ansible_become_password: "{{ ansible_password }}"
Complete Playbook Example
---
- name: Configure new servers with password auth
  hosts: new_servers
  gather_facts: true
  become: true
  vars_files:
    - vault.yml
  tasks:
    - name: Ensure SSH key is deployed
      ansible.builtin.authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
        state: present
    - name: Disable password authentication (after key is deployed)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        backup: yes
      notify: restart sshd
  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
Troubleshooting
"you must install the sshpass program"
Install sshpass for your OS (see Prerequisites above).
"Permission denied (publickey,password)"
The remote server may have password auth disabled:
# Check SSH server config on remote host
grep PasswordAuthentication /etc/ssh/sshd_config
Ensure it's set to yes:
PasswordAuthentication yes
"Host key verification failed"
Add the host key or disable checking:
ssh-keyscan -H 192.168.1.10 >> ~/.ssh/known_hosts
# or
ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook site.yml -k
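ssh-keyscan output is not authenticated, so appending it straight to known_hosts trusts whatever answered on the network. The Python below is an added example, not part of the original guide: it computes the SHA256 fingerprint of each scanned key and accepts only lines that match a fingerprint obtained out of band (for example from the server console). The function names, the trusted set and the sample key blob are assumptions constructed for illustration.

```python
import base64
import hashlib


def fingerprint(known_hosts_line):
    """Fingerprint of one ssh-keyscan / known_hosts line, in the
    'SHA256:<base64 without padding>' form that `ssh-keygen -l` prints."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    blob = base64.b64decode(fields[2], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def vet_scan(scan_output, trusted):
    """Split ssh-keyscan output into (accepted, rejected) lines.

    `trusted` is a set of fingerprints obtained out of band, for example
    read from the server console or the provisioning system.
    """
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            ok = fingerprint(line) in trusted
        except ValueError:  # malformed line or invalid base64
            ok = False
        (accepted if ok else rejected).append(line)
    return accepted, rejected


# Constructed sample: a made-up key blob, not a real host key.
SAMPLE_BLOB = b"constructed-demo-key-blob"
SAMPLE_LINE = "192.168.1.10 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    trusted = {fingerprint(SAMPLE_LINE)}  # stands in for the out-of-band value
    accepted, rejected = vet_scan(SAMPLE_LINE + "\n", trusted)
    print("append to known_hosts:", accepted)
    print("refused:", rejected)
```

Only the accepted lines belong in ~/.ssh/known_hosts; a rejected line means the key seen on the network differs from the one recorded for that host. Lines produced with ssh-keyscan -H work unchanged, because the hashed host name occupies the first field only.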
"Authentication failed"
• Verify the password is correct: ssh admin@192.168.1.10
• Check the user exists on the remote host
• Ensure PAM/LDAP authentication is working
• Check /var/log/auth.log or /var/log/secure on the remote host
"Timeout waiting for SSH"
# ansible.cfg — increase timeout
[defaults]
timeout = 60
Best Practices
• Use SSH keys in production — Password auth should be temporary (provisioning only)
• Always use Ansible Vault — Never store plain-text passwords anywhere
• Deploy keys early — First task should add SSH keys, then disable password auth
• Rotate credentials — Change passwords regularly and re-encrypt vault files
• Use --ask-pass for one-off tasks — Don't persist passwords when not needed
• Limit password scope — Use host/group vars to limit which hosts use passwords
FAQ
How do I use SSH passwords with Ansible?
Install sshpass on the Ansible controller, then either use --ask-pass (-k) flag when running playbooks, or set ansible_password in your inventory/group_vars (encrypted with Ansible Vault for security).
What is sshpass and why does Ansible need it?
sshpass is a tool that provides non-interactive SSH password authentication. Ansible's SSH connection plugin uses it to feed passwords to the SSH client automatically. Without it, Ansible cannot use password-based SSH connections.
Is it safe to use SSH passwords with Ansible?
Password authentication is less secure than SSH keys. If you must use passwords, always encrypt them with Ansible Vault, limit their use to initial provisioning, and switch to key-based auth as soon as possible.
How do I provide both SSH and sudo passwords?
Use --ask-pass (-k) for SSH and --ask-become-pass (-K) for sudo: ansible-playbook site.yml -k -K. Or set both ansible_password and ansible_become_password in vault-encrypted variables.
Can I use different passwords for different hosts?
Yes, set ansible_password as a host variable in your inventory. Each host can have a unique password, ideally stored in vault-encrypted host_vars files.
Conclusion
Ansible SSH password authentication requires:
• sshpass installed on the controller
• ansible_password set via inventory, vault, or --ask-pass
• Ansible Vault for secure credential storage
For production environments, use password auth only during initial provisioning to deploy SSH keys, then disable password authentication on the remote hosts.