AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Troubleshooting: SSH Connection Issues - Complete Fix Guide (2026)

By Luca Berton · Published 2024-01-01 · Category: installation

Learn how to resolve SSH authentication errors in Ansible due to unestablished host authenticity for seamless playbook execution.

Ansible Troubleshooting: SSH Connection Issues - Complete Fix Guide (2026)

Error Overview

When running an Ansible playbook, you may encounter the following error message:

TASK [run show version on remote devices] *****************************************
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
fatal: [10.96.192.10]: FAILED! => {"changed": false, "msg": "paramiko: The authenticity of host '10.96.192.10' can't be established.\nThe ssh-ed25519 key fingerprint is b'REDUCTED'."}

This error indicates a failure in SSH connection due to the inability to establish the authenticity of the host. Below, we provide a detailed explanation of the issue and steps to resolve it.

See also: Ansible troubleshooting - Error sanity

Error Explanation

Warning: ansible-pylibssh not installed, falling back to paramiko • This warning means Ansible is using paramiko for SSH connections because pylibssh is not installed. While paramiko is functional, pylibssh is generally more efficient and secure. Fatal Error: The authenticity of host '10.96.192.10' can't be established. • This error occurs when the SSH client cannot verify the host's identity because the host key is not in the known hosts file.

Solutions

Install pylibssh

Installing pylibssh can improve SSH connection efficiency and security:

pip install ansible-pylibssh

Automatically Accept Host Keys

You can configure Ansible to automatically accept host keys by setting the ansible_ssh_common_args variable in your playbook or inventory to disable host key checking. Note that this method can expose you to security risks, such as man-in-the-middle attacks.

Add the following configuration to your ansible.cfg file:

[defaults]
host_key_checking = False

Alternatively, set the ANSIBLE_HOST_KEY_CHECKING environment variable to False:

export ANSIBLE_HOST_KEY_CHECKING=False

Manually Add the Host Key

A more secure approach is to manually add the host key to the known hosts file. This can be done by SSHing into the host manually:

ssh user@10.96.192.10

When prompted, accept the host key. This will add it to your ~/.ssh/known_hosts file.

Using Ansible's Known Hosts Module

Ansible provides a known_hosts module to manage known hosts. You can use this module to ensure the host key is added before making other connections. Here's an example playbook snippet:

- name: Add host to known hosts
  hosts: localhost
  tasks:
    - name: Ensure the remote host is in known_hosts
      known_hosts:
        name: 10.96.192.10
        key: "ssh-ed25519 AAAA..."
        path: /root/.ssh/known_hosts

Replace "ssh-ed25519 AAAA..." with the actual host key.

See also: Ansible troubleshooting - Error 102: No Jinja2 in 'when' Conditions

Example Playbook with Host Key Checking Disabled

Here's an example of how to disable host key checking in your playbook:

- name: Run show version on remote devices
  hosts: all
  vars:
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
  tasks:
    - name: show version
      command: show version

Other Common Ansible SSH Errors

The host-authenticity prompt above is only one of several SSH failures you will meet in practice. Here are the other common ones and how to fix them.

Permission denied (publickey,password)

fatal: [web01]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: deploy@web01: Permission denied (publickey,password).", "unreachable": true}

SSH reached the host but authentication failed. The usual causes: • Wrong user — set the account that actually exists on the target with ansible_user (in the inventory or with -u). • Wrong or missing key — point Ansible at the correct private key with ansible_ssh_private_key_file or --private-key. • Password auth required — add --ask-pass (needs sshpass installed) when the host expects a password instead of a key.

Connection timed out (UNREACHABLE)

fatal: [web01]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host web01 port 22: Connection timed out", "unreachable": true}

The host never answered on the SSH port. Check that the host is up, that the IP/hostname is correct, that the port is right (ansible_port, default 22), and that a firewall or cloud security group allows SSH from your control node.

Host key verification failed

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Host key verification failed.

The host key changed — usually because the host was reinstalled or reprovisioned — and no longer matches the entry in ~/.ssh/known_hosts. Remove the stale entry and reconnect to accept the new key:

ssh-keygen -R web01

Too many authentication failures

Received disconnect from 10.0.0.5 port 22:2: Too many authentication failures

Your SSH agent offered too many keys before reaching the correct one and the server closed the connection. Force SSH to use only the key you specify:

[ssh_connection]
ssh_args = -o IdentitiesOnly=yes

See also: Ansible troubleshooting - Error 104: Deprecated Bare Vars

Set the Right Connection Details

Many SSH failures are simply wrong connection parameters. Define them explicitly per host or group in your inventory so every play connects the same way:

[web]
web01 ansible_host=10.0.0.5 ansible_user=deploy ansible_port=2222 ansible_ssh_private_key_file=~/.ssh/deploy_ed25519

Test connectivity in isolation before running a full playbook:

ansible web01 -m ansible.builtin.ping -vvv

The -vvv flag prints the exact ssh command Ansible runs, which makes it easy to spot a wrong user, port, or key.

Conclusion

Choose the solution that best fits your security requirements. Disabling host key checking is quick and easy but less secure. Adding the host key manually or using the known_hosts module is more secure but requires additional setup. Balancing security and convenience is crucial when configuring SSH connections in Ansible.

Ansible Inventory GuideAnsible environment variables guide

See also

Paramiko Deprecated for network_cli: Migrate to libssh (ansible-pylibssh)

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home