Ansible SSH Username & Password: Connection Configuration Guide

By Luca Berton · Published 2024-01-01 · Category: installation

How to set default SSH username and password in Ansible. Configure ansible.cfg, inventory vars, vault-encrypted credentials, and SSH key authentication.

Learn how to configure default SSH credentials for seamless Ansible automation.

Introduction

When using Ansible to manage infrastructure, specifying the same username and password for each host in the inventory file can be repetitive. To streamline this process and set default credentials globally, follow these best practices.

---

1. Setting Default Variables in the Inventory File

You can use the [all:vars] group in your inventory file to define default values for all hosts.

For example:

This method eliminates the need to specify ansible_user and ansible_password for individual hosts.

---

2. Using Group Variables

If you want to specify default credentials for a specific group of hosts, you can create a directory structure following Ansible best practices. For instance:

Content of all.yml:

You can also create separate files for each group like group_vars/master.yml for the master group.

---

3. Dynamic Inventory or Central Configuration

For larger environments:

- Use dynamic inventory scripts to generate host details dynamically.
- Define these variables in ansible.cfg to make them universally available.

For ansible.cfg:

---

4. Avoid Hardcoding Credentials

While these methods work well, hardcoding credentials in plain text is a security risk. To secure your Ansible environment:

- Use SSH keys instead of passwords.
- Store sensitive credentials in encrypted files using Ansible Vault:

Add credentials securely:

Use these variables in playbooks:

---

5. Testing Your Configuration

Run a basic ping command to ensure your configuration works:

If configured correctly, the output should confirm successful connectivity without needing to repeatedly specify credentials.

---

By following these methods, you can manage credentials effectively, reduce redundancy, and ensure secure and streamlined automation using Ansible.

Set Default SSH User

In inventory

In group_vars

In ansible.cfg

Per host override

SSH Password Authentication

Inventory variable

Command line

Requires sshpass

SSH Key Authentication (Recommended)

Deploy SSH key to hosts

Disable password auth after key setup

Connection Variables Reference

| Variable | Description | Default |
|----------|-------------|---------|
| ansible_user | SSH username | Current user |
| ansible_password | SSH password | None (use key) |
| ansible_ssh_private_key_file | SSH key path | ~/.ssh/id_rsa |
| ansible_port | SSH port | 22 |
| ansible_become | Enable sudo | false |
| ansible_become_password | Sudo password | None |
| ansible_connection | Connection type | ssh |
| ansible_ssh_common_args | Extra SSH args | None |

Precedence Order

FAQ

SSH keys vs passwords - which should I use?

Always prefer SSH keys. They're more secure, don't require sshpass, and enable passwordless automation. Use password auth only for initial bootstrap.

How do I use different users for different host groups?

How do I store passwords securely?

Use Ansible Vault:

Never store plaintext passwords in inventory files.
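An added example, not from the original article: a POSIX shell check that walks a project tree and reports connection passwords left in clear text, the risk that section 4 and the answer above describe. The sample project reuses the [all:vars] and group_vars layouts from sections 1 and 2; its host, user and values are constructed, and the function names are hypothetical.

```bash
# Added example: report Ansible connection secrets kept in clear text.
# Vault ciphertext (!vault) and Jinja references ({{ ... }}) count as safe.
SECRET_KEYS='ansible_(ssh_|become_)?pass(word)?'
SAFE_VALUE="(!vault|[\"']?\{\{)"

# $1 = project directory. Prints "file:line:text" for each finding.
# Returns 1 if any plaintext secret is found, 0 if the tree is clean.
audit_plaintext_secrets() {
    findings=$(grep -rnE "(^|[[:space:]])${SECRET_KEYS}[[:space:]]*[:=]" "$1" \
        | grep -vE "${SECRET_KEYS}[[:space:]]*[:=][[:space:]]*${SAFE_VALUE}" \
        || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample project (hypothetical host, user and values).
make_sample_project() {
    dir=$(mktemp -d) && mkdir -p "$dir/group_vars" || return 1
    cat > "$dir/inventory.ini" <<'EOF'
[web]
web1 ansible_host=192.0.2.10

[all:vars]
ansible_user=deploy
ansible_password=Sup3rSecret
EOF
    cat > "$dir/group_vars/all.yml" <<'EOF'
ansible_user: deploy
ansible_become_password: "{{ vault_become_password }}"
EOF
    cat > "$dir/group_vars/db.yml" <<'EOF'
ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  0000placeholder-ciphertext0000
EOF
    printf '%s\n' "$dir"
}

# Demo: audit the sample tree when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    project=$(make_sample_project)
    audit_plaintext_secrets "$project" || echo "plaintext secrets found"
    rm -rf "$project"
fi
```

Only the inventory line with the literal password is reported; the Vault-encrypted value and the Jinja reference to a vaulted variable pass. The non-zero return code lets the check fail a pre-commit hook or CI job.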

Set in Inventory

Set in ansible.cfg

SSH Key Authentication (Recommended)

Password Authentication

Per-Group Credentials

Per-Host Credentials

Windows Hosts

SSH Agent Forwarding

Connection Variables Reference

| Variable | Description |
|----------|-------------|
| ansible_user | SSH username |
| ansible_password | SSH password (use Vault!) |
| ansible_ssh_private_key_file | Path to private key |
| ansible_port | SSH port (default: 22) |
| ansible_connection | ssh, local, winrm, docker |
| ansible_become_password | sudo password |
| ansible_host | IP or hostname to connect |
| ansible_ssh_common_args | Extra SSH arguments |

FAQ

SSH keys vs passwords?

Keys are more secure and convenient. Passwords should only be used when keys aren't possible (legacy systems).

How do I manage SSH keys across a team?

Use a shared deploy key (stored in Vault), or use AAP/AWX which manages credentials centrally.

"Permission denied" even with correct password?

Check that SSH allows password auth (PasswordAuthentication yes in sshd_config), the user exists, the password is correct, and sshpass is installed on the controller.

ansible.cfg Default User

Inventory Variables

Password Authentication

Vault-Encrypted Password

SSH Key Authentication (Recommended)

Per-Play Override

Connection Summary

| Setting | ansible.cfg | Inventory | Play vars |
|---------|------------|-----------|-----------|
| Username | remote_user | ansible_user | ansible_user |
| Password | N/A | ansible_password | ansible_password |
| SSH key | private_key_file | ansible_ssh_private_key_file | ansible_ssh_private_key_file |
| Port | remote_port | ansible_port | ansible_port |
| sudo pass | N/A | ansible_become_password | ansible_become_password |

FAQ

SSH key vs password?

Always prefer SSH keys — they're more secure, don't need to be stored in files, and support passphrase protection.

How to handle multiple users across environments?

Use group_vars/ per environment: group_vars/production.yml with one user, group_vars/staging.yml with another.

"Permission denied" after setting user?

Check: SSH key is in the correct user's ~/.ssh/authorized_keys, correct permissions (700 for .ssh, 600 for keys), and the user exists on the remote host.
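The permission and key-placement checks from this answer, as an added example that is not part of the original article. It is meant to run on the managed host, assumes GNU stat (`stat -c`), and takes the remote user's home directory and a copy of the controller's public key file; the function name is hypothetical.

```bash
# Added example: verify the modes named above (700 for .ssh, 600 for
# authorized_keys) and that the given public key is actually installed.
# $1 = remote user's home directory, $2 = public key file to look for.
# Prints one line per problem; returns 0 only when every check passes.
check_key_login() {
    home=$1; pub=$2
    ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"; rc=0

    if [ ! -d "$ssh_dir" ]; then echo "missing: $ssh_dir"; return 1; fi
    mode=$(stat -c '%a' "$ssh_dir")
    [ "$mode" = 700 ] || { echo "bad mode $mode on $ssh_dir (want 700)"; rc=1; }

    if [ ! -f "$auth" ]; then echo "missing: $auth"; return 1; fi
    mode=$(stat -c '%a' "$auth")
    [ "$mode" = 600 ] || { echo "bad mode $mode on $auth (want 600)"; rc=1; }

    # Compare only the base64 key blob (field 2 of the .pub file): the
    # trailing comment and any leading options in authorized_keys may differ.
    blob=$(awk '{print $2; exit}' "$pub")
    [ -n "$blob" ] || { echo "cannot read key from $pub"; return 1; }
    grep -qF -- "$blob" "$auth" || { echo "key not in $auth"; rc=1; }

    return $rc
}

# Usage: sh check.sh /home/deploy /tmp/controller_id.pub  (paths are examples)
if [ $# -eq 2 ]; then
    check_key_login "$1" "$2"
fi
```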
