About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Disable SSH Host Key Checking: Configuration Guide

By Luca Berton · Published 2024-01-01 · Category: installation

How to disable SSH host key checking in Ansible. Configure ansible.cfg, environment variables, and per-host settings for lab and production environments.

How to Ignore Ansible SSH Host Key Checking?

I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

SSH Host Key

> % ssh devops@demo.example.com
> The authenticity of host 'demo.example.com (192.168.0.190)' can't be established.
> RSA key fingerprint is SHA256:42JErOjO9fKNNBapEEyhpfTNn+rt8SPNob00uRlmqRs.
> This key is not known by any other names
> Are you sure you want to continue connecting (yes/no/[fingerprint])?

A host key is a cryptographic key used to authenticate computers in the SSH protocol. Host keys are normally generated automatically when OpenSSH is first installed or when the computer first boots. In a production environment the host key check is a security mechanism that verifies the machine we are connecting to has not been replaced or altered. In a developer laboratory, however, we often destroy and recreate our machines, so the host key changes. The resulting prompt stops the Ansible execution and requires some manual developer work. The same workaround also applies in a CI/CD pipeline or at a cloud computing provider that provisions fresh instances.

Links

HOST_KEY_CHECKING

Playbook

How to ignore Ansible SSH Host Key Checking in our Ansible laboratory. I'm going to show how to create an ansible.cfg file to ignore the SSH Host Key Checking at the beginning of the Ansible Playbook execution.

• ansible.cfg

[defaults]
host_key_checking = False

• ping.yml

---
- name: ping module Playbook
  hosts: all
  tasks:
    - name: test connection
      ansible.builtin.ping:

• inventory

demo.example.com

execution

$ ansible-playbook -i inventory ping.yml

PLAY [ping module Playbook] *****************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [demo.example.com]

TASK [test connection] ******************************************************************
ok: [demo.example.com]

PLAY RECAP ******************************************************************************
demo.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

idempotency

$ ansible-playbook -i inventory ping.yml

PLAY [ping module Playbook] *****************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [demo.example.com]

TASK [test connection] ******************************************************************
ok: [demo.example.com]

PLAY RECAP ******************************************************************************
demo.example.com : ok=2 changed=0 unreachable=0 failed=0

before execution

$ ansible-playbook -i inventory ping.yml

PLAY [ping module Playbook] *****************************************************************

TASK [Gathering Facts] ******************************************************************
The authenticity of host 'demo.example.com (192.168.0.190)' can't be established.
RSA key fingerprint is SHA256:42JErOjO9fKNNBapEEyhpfTNn+rt8SPNob00uRlmqRs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

after execution

$ ansible-playbook -i inventory ping.yml

PLAY [ping module Playbook] *****************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [demo.example.com]

TASK [test connection] ******************************************************************
ok: [demo.example.com]

PLAY RECAP ******************************************************************************
demo.example.com : ok=2 changed=0 unreachable=0 failed=0

Conclusion

Now you know how to ignore SSH Host Key checking with Ansible, and how to decide whether to apply it based on your use case.

Disable Host Key Checking

ansible.cfg (recommended)

[defaults]
host_key_checking = False

Environment variable

export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook site.yml

Command line

ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook site.yml

Per host in inventory

all:
  hosts:
    new-server:
      ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

Pre-Add Host Keys (Secure Alternative)

- name: Add host keys before connecting
  ansible.builtin.known_hosts:
    name: "{{ item }}"
    key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 ' + item) }}"
    state: present
  loop: "{{ groups['all'] }}"
  delegate_to: localhost

Accept New Keys Only

# Accept new keys but reject changed keys
ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'

| Setting | New Host | Changed Key |
|---------|----------|-------------|
| no | Accept | Accept ⚠️ |
| accept-new | Accept | Reject ✓ |
| yes | Reject | Reject |

CI/CD Configuration

# GitHub Actions
- name: Run Ansible
  run: ansible-playbook -i inventory site.yml
  env:
    ANSIBLE_HOST_KEY_CHECKING: "false"

# Or in ansible.cfg checked into repo
# [defaults]
# host_key_checking = False

Security Considerations

Disabling host key checking removes protection against man-in-the-middle attacks.

Safe in:
• Development/testing environments
• Ephemeral cloud instances (new keys each provision)
• CI/CD pipelines with trusted networks

Not recommended for:
• Production with long-lived servers
• Connections over untrusted networks

SSH Config Alternative

# ~/.ssh/config
Host 192.168.1.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host production-*
    StrictHostKeyChecking yes

FAQ

Why does Ansible check host keys?

To prevent man-in-the-middle attacks. If a host key changes unexpectedly, it could mean someone is intercepting your connection.

"REMOTE HOST IDENTIFICATION HAS CHANGED" error?

The host key changed (server reinstalled, IP reassigned). Remove the old key:

ssh-keygen -R hostname-or-ip

What's the safest approach for dynamic cloud infrastructure?

Use StrictHostKeyChecking=accept-new — it accepts new hosts but rejects if a known host's key changes.

Disable in ansible.cfg

[defaults]
host_key_checking = false

Environment Variable

export ANSIBLE_HOST_KEY_CHECKING=false
ansible-playbook site.yml

Command Line

ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook site.yml

Per-Host in Inventory

all:
  hosts:
    lab-server:
      ansible_host: 192.168.1.100
      ansible_ssh_extra_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

SSH Args in ansible.cfg

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
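The two places on this page where checking gets switched off in ansible.cfg are `host_key_checking` under `[defaults]` and the `StrictHostKeyChecking=no` / `UserKnownHostsFile=/dev/null` options in `[ssh_connection]` `ssh_args`. The audit below is an added example (not code from the page or from the Ansible project) that reads an ansible.cfg with the standard library and reports which of those weakenings are present, so a repository check can catch a lab setting that was committed into a production config. It assumes the weak and corrected configs embedded as constructed samples, and it checks the `ssh_common_args` and `ssh_extra_args` keys of `[ssh_connection]` alongside `ssh_args`.

```python
import configparser
import shlex
from typing import List, Tuple

# Ansible's own truthy/falsy spellings for boolean config values.
FALSY = ("false", "no", "n", "0", "off", "f")


def _ssh_options(args: str) -> List[Tuple[str, str]]:
    """Extract (name, value) pairs from '-o Name=value' and '-oName=value' tokens.
    ssh accepts both 'Name=value' and 'Name value'; option names are case-insensitive."""
    tokens = shlex.split(args)
    pairs: List[Tuple[str, str]] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-o" and i + 1 < len(tokens):
            opt, i = tokens[i + 1], i + 2
        elif tok.startswith("-o") and len(tok) > 2:
            opt, i = tok[2:], i + 1
        else:
            i += 1
            continue
        parts = opt.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0].lower(), parts[1]))
    return pairs


def audit_ansible_cfg(text: str) -> List[str]:
    """Return one finding per setting that disables or blinds host key verification."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings: List[str] = []

    hkc = cfg.get("defaults", "host_key_checking", fallback="True").strip().lower()
    if hkc in FALSY:
        findings.append(
            "[defaults] host_key_checking is off: Ansible runs ssh with "
            "StrictHostKeyChecking=no, so a changed host key is never detected"
        )

    for option in ("ssh_args", "ssh_common_args", "ssh_extra_args"):
        for name, value in _ssh_options(cfg.get("ssh_connection", option, fallback="")):
            if name == "stricthostkeychecking" and value.lower() == "no":
                findings.append(
                    f"[ssh_connection] {option} sets StrictHostKeyChecking=no; "
                    "accept-new keeps first-contact convenience but still rejects changed keys"
                )
            if name == "userknownhostsfile" and value == "/dev/null":
                findings.append(
                    f"[ssh_connection] {option} sets UserKnownHostsFile=/dev/null; "
                    "no key is ever remembered, so every run is a blind first contact"
                )
    return findings


# Constructed sample configs for the audit (not taken from any real repository).
WEAK_CFG = """
[defaults]
host_key_checking = False

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
"""

SAFE_CFG = """
[defaults]
host_key_checking = True

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=accept-new -o ControlMaster=auto -o ControlPersist=60s
"""

if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CFG), ("safe", SAFE_CFG)):
        print(f"== {label} ==")
        for finding in audit_ansible_cfg(cfg_text) or ["no findings"]:
            print(" -", finding)
```

Run it against the repository's ansible.cfg by reading the file into a string; a pre-commit hook that fails on any finding for a production branch is the usual way to wire it in. The `[ssh_connection]` keys are only read from ansible.cfg here; inventory-level `ansible_ssh_common_args` overrides are a separate check.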

Production: Accept Keys Once

# Safer: Accept on first connect, verify after
- name: Add host keys to known_hosts
  ansible.builtin.known_hosts:
    name: "{{ hostvars[item].ansible_host }}"
    key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 ' + hostvars[item].ansible_host) }}"
    state: present
  loop: "{{ groups['all'] }}"
  delegate_to: localhost
  run_once: true

Accept on First Use (TOFU)

# ansible.cfg — accept first time, verify subsequent
[ssh_connection]
ssh_args = -o StrictHostKeyChecking=accept-new

| Setting | Behavior |
|---------|----------|
| StrictHostKeyChecking=yes | Reject unknown hosts (safest) |
| StrictHostKeyChecking=accept-new | Accept first, reject changes |
| StrictHostKeyChecking=no | Always accept (least safe) |

When to Disable

| Environment | Recommendation |
|-------------|---------------|
| Lab/Dev | Disable (false) — hosts change frequently |
| CI/CD | Disable or TOFU — ephemeral environments |
| Staging | TOFU (accept-new) — semi-stable |
| Production | Enable (true) — security matters |

Scan and Add All Keys

# Bulk add to known_hosts
for host in web1 web2 db1; do
  ssh-keyscan -t ed25519 $host >> ~/.ssh/known_hosts 2>/dev/null
done

# Ansible way
- name: Populate known_hosts
  ansible.builtin.known_hosts:
    name: "{{ item }}"
    key: "{{ lookup('pipe', 'ssh-keyscan ' + item + ' 2>/dev/null') }}"
  loop: "{{ groups['all'] | map('extract', hostvars, 'ansible_host') | list }}"
  delegate_to: localhost
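Every `ssh-keyscan` based task on this page (this bulk scan, and the "Pre-Add Host Keys" / "Pre-Populate known_hosts" plays) writes whatever key the network returns, so the scan itself is still trust-on-first-use: an attacker positioned on the path at scan time gets their key pinned. The example below is added here and is not the page's or the Ansible project's code. It parses ssh-keyscan output, computes the same `SHA256:` fingerprint OpenSSH prints, and only emits a known_hosts line when that fingerprint matches one obtained out of band (cloud console, image build log). The keys, fingerprints and scan output are constructed samples; `pinned_known_hosts`, `parse_keyscan` and `sample_blob` are names chosen for this example.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def sample_blob(seed: int) -> str:
    """Constructed ed25519-shaped key blob for this example; not a real host key."""
    raw = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(output: str) -> List[Tuple[str, str, str]]:
    """Parse ssh-keyscan lines of the form '<host> <keytype> <base64 blob>'.
    Banner/comment lines ('# host:22 SSH-2.0-...') are skipped."""
    entries: List[Tuple[str, str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed ssh-keyscan line: {line!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def pinned_known_hosts(keyscan_output: str, pinned: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (known_hosts lines to write, rejection reasons).
    A scanned key is accepted only when its fingerprint equals the one pinned for that host."""
    accepted: List[str] = []
    rejected: List[str] = []
    for host, keytype, blob in parse_keyscan(keyscan_output):
        fp = fingerprint(blob)
        expected = pinned.get(host)
        if expected is None:
            rejected.append(f"{host}: no pinned fingerprint, refusing to trust {fp}")
        elif fp != expected:
            rejected.append(f"{host}: fingerprint mismatch, scanned {fp}, pinned {expected}")
        else:
            accepted.append(f"{host} {keytype} {blob}")
    return accepted, rejected


# Constructed sample: the genuine keys, as if recorded by the provisioning system.
WEB1_KEY = sample_blob(1)
WEB2_KEY = sample_blob(2)
# In practice these fingerprints are copied from an out-of-band source; here they
# are derived from the sample keys above so the example runs offline.
PINNED = {"web1": fingerprint(WEB1_KEY), "web2": fingerprint(WEB2_KEY)}

# Constructed ssh-keyscan output: web1 is genuine, web2 presents a different key
# (rebuilt host or interception), db1 was never pinned.
SCAN_OUTPUT = "\n".join([
    "# web1:22 SSH-2.0-OpenSSH_9.6",
    f"web1 ssh-ed25519 {WEB1_KEY}",
    f"web2 ssh-ed25519 {sample_blob(99)}",
    f"db1 ssh-ed25519 {sample_blob(3)}",
])


def demo() -> Tuple[List[str], List[str]]:
    return pinned_known_hosts(SCAN_OUTPUT, PINNED)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("\n".join(accepted))  # lines that would be appended to ~/.ssh/known_hosts
    for reason in rejected:
        print("REJECT", reason)
```

In a playbook the accepted lines are what you would feed to `ansible.builtin.known_hosts` as `key`, with the pinned fingerprints kept in inventory or a vars file; a rejection for a host should fail the play rather than fall back to `StrictHostKeyChecking=no`.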

FAQ

Why does host key checking exist?

It protects against man-in-the-middle attacks. If a host's key changes unexpectedly, someone may be intercepting your connection.

"REMOTE HOST IDENTIFICATION HAS CHANGED" error?

The host key changed (server rebuilt, IP reused). Remove old key:

ssh-keygen -R 192.168.1.100

Is it safe to disable globally?

Only in development/lab environments. In production, use accept-new or pre-populate known_hosts.

Quick Fix

# ansible.cfg
[defaults]
host_key_checking = False

Environment Variable

export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook site.yml

Per-Host Setting

# inventory
[lab]
lab1 ansible_host=10.0.1.10 ansible_ssh_common_args='-o StrictHostKeyChecking=no'

SSH Arguments in ansible.cfg

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Per-Play Setting

- hosts: lab_servers
  vars:
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
  tasks:
    - ping:

Production: Accept Key on First Connect

# Safer: accept new keys, reject changed keys
# ansible.cfg
[ssh_connection]
ssh_args = -o StrictHostKeyChecking=accept-new

Pre-Populate known_hosts

# Most secure: add known keys before connecting
- name: Add host keys
  known_hosts:
    name: "{{ item }}"
    key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 ' + item) }}"
    state: present
  loop: "{{ groups['all'] }}"
  delegate_to: localhost

StrictHostKeyChecking Options

| Value | Behavior |
|-------|----------|
| yes | Reject unknown/changed keys (most secure) |
| accept-new | Accept new keys, reject changed keys |
| no | Accept all keys (least secure) |
| ask | Prompt user (default SSH behavior) |
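This table, and the two shorter versions of it earlier on the page, summarise what each `StrictHostKeyChecking` value does on first contact and on a changed key. The simulation below is an added example (not the page's code and not OpenSSH's) that replays those four policies against an in-memory known_hosts, so the difference between `no` and `accept-new` on a changed key is visible as a return value rather than a table cell. It assumes a constructed first key and a constructed "rebuilt" key; `check_host_key` and `run_scenarios` are names chosen for the example. The `ask` branch models the prompt shown in the "before execution" transcript above, which an unattended `ansible-playbook` cannot answer.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_public: bytes) -> str:
    """Build the base64 blob that appears in known_hosts. The 32 bytes passed in
    are constructed sample data for this example, not a real host key."""
    if len(raw_public) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_public)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Minimal in-memory known_hosts: hostname -> base64 key blob.
KnownHosts = Dict[str, str]


def check_host_key(policy: str, host: str, presented: str, known: KnownHosts) -> Tuple[bool, str]:
    """Decide whether a connection proceeds under a StrictHostKeyChecking policy.
    Returns (proceed, reason) and updates `known` only where OpenSSH would write known_hosts."""
    if policy not in ("yes", "accept-new", "no", "ask"):
        raise ValueError(f"unknown StrictHostKeyChecking value: {policy}")
    stored = known.get(host)
    if stored is None:
        if policy == "yes":
            return False, f"{host}: unknown host rejected (StrictHostKeyChecking=yes)"
        if policy == "ask":
            # The 'Are you sure you want to continue connecting?' prompt; under
            # ansible-playbook there is no TTY to answer it, so the run stalls.
            return False, f"{host}: prompt for {fingerprint(presented)}, no TTY to answer"
        known[host] = presented  # accept-new and no both record the first key seen
        return True, f"{host}: new key recorded, {fingerprint(presented)}"
    if stored == presented:
        return True, f"{host}: key matches known_hosts"
    # Key differs from the recorded one: a rebuilt server, or someone in the path.
    if policy == "no":
        return True, f"{host}: WARNING changed key accepted, {fingerprint(presented)}"
    return False, f"{host}: REMOTE HOST IDENTIFICATION HAS CHANGED, refusing to connect"


def run_scenarios() -> List[Tuple[str, bool]]:
    """Replay the table: each policy against an unknown host, then against a changed key."""
    first = make_ed25519_blob(bytes(range(32)))        # constructed sample key
    rebuilt = make_ed25519_blob(bytes(range(32, 64)))  # constructed 'changed' key
    results: List[Tuple[str, bool]] = []
    for policy in ("yes", "accept-new", "no", "ask"):
        known: KnownHosts = {}
        ok_new, _ = check_host_key(policy, "demo.example.com", first, known)
        known.setdefault("demo.example.com", first)  # ensure a recorded key for the change test
        ok_changed, _ = check_host_key(policy, "demo.example.com", rebuilt, known)
        results.append((f"{policy}/new-host", ok_new))
        results.append((f"{policy}/changed-key", ok_changed))
    return results


if __name__ == "__main__":
    for label, proceed in run_scenarios():
        print(f"{label:24} {'connect' if proceed else 'refuse'}")
```

The only row where a changed key still connects is `no`, which is exactly the protection the "Security Considerations" section says you give up; `accept-new` keeps the first-contact convenience the lab setup needs while still refusing the changed key.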

When to Disable

• ✅ Lab/test environments with dynamic VMs
• ✅ CI/CD pipelines with ephemeral hosts
• ✅ Initial provisioning of new servers
• ❌ Production (use accept-new or pre-populated known_hosts)

FAQ

Why does Ansible check host keys?

To prevent man-in-the-middle attacks. If a server's key changes unexpectedly, someone might be intercepting your connection.

"Host key verification failed" error?

The host key changed (server rebuilt, IP reused). Remove the old key:

ssh-keygen -R hostname

or disable checking.

Can I disable per-group?

[lab:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
