Disable Strict Host Key Checking in Ansible [Workaround]

workaround Jan 14, 2020

So you have just found out that, because of a long-standing bug in Ansible, the usual way of disabling strict host key checking does not work? As a quick workaround, put the following into your inventory file.

[all:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

Tested with ansible 2.9.2 [via pip].

What's strict host key verification and why would you want to disable it in the first place?

$ ansible -m ping -i inventories/production/hosts rns

rns1.example.com | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh:
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@
    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
    @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n
    [.....],
    "unreachable": true
}

The first time you ssh into a host, your client shows the fingerprint of the host's public key and asks whether to add it to your known_hosts file (~/.ssh/known_hosts by default; UserKnownHostsFile selects a different one). OpenSSH can also verify host keys against SSHFP records in DNS, but that is off by default (VerifyHostKeyDNS no): with VerifyHostKeyDNS yes, a key that matches a DNSSEC-validated SSHFP record is trusted without a prompt, and an unvalidated record is treated like "ask". SSHFP only ever helps with hosts that are not yet in known_hosts; a key that differs from a stored entry still produces the warning above, whatever the DNS says.

Host key verification is what protects the connection against man-in-the-middle attacks: without it, an attacker on the path can terminate the SSH session, harvest whatever you authenticate with (password phishing in the case of interactive authentication) and relay everything you type and see. With verification, the client pins the host's public key on first contact and, on every later connection, compares the key presented in the handshake against the pinned one. A mismatch produces the REMOTE HOST IDENTIFICATION HAS CHANGED warning shown above, which means either that the host was legitimately rebuilt with a new key or that something is sitting between you and it.
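To make that comparison concrete, here is an added Python model of the client-side known_hosts check. It is example code written for this page, not code from the original post and not OpenSSH or Ansible code. It parses plain and hashed known_hosts entries, computes the SHA256 fingerprint the way ssh prints it, classifies a presented key as OK, NEW or CHANGED, and maps the verdict to the non-interactive outcome for each StrictHostKeyChecking value documented in ssh_config(5), including accept-new, which the post does not mention. The host names, salt and key bytes are constructed for the demonstration and are not real keys.

```python
"""Model of the OpenSSH client's known_hosts check (added example, not
OpenSSH or Ansible code). All hosts, salts and keys are constructed."""
import base64
import hashlib
import hmac
import struct
from enum import Enum


class Verdict(Enum):
    OK = "key matches the pinned entry"
    NEW = "host not in known_hosts"
    CHANGED = "host known, but a different key was presented"


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Wire-format public key blob for an ssh-ed25519 key (32 raw bytes)."""
    assert len(raw_key) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh prints it: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, host: str) -> bool:
    """Match a host field (plain, comma-separated list, or |1| hashed) against a name."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, keytype, blob); skips blanks, comments and @marker lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # @cert-authority / @revoked entries are not modelled here
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0], fields[1], base64.b64decode(fields[2])


def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> Verdict:
    """Classify the key a server presented for `host` against the known_hosts text."""
    host_known = False
    for hosts, ktype, known_blob in parse_known_hosts(known_hosts):
        if ktype != keytype or not host_field_matches(hosts, host):
            continue
        host_known = True
        if hmac.compare_digest(known_blob, blob):
            return Verdict.OK
    return Verdict.CHANGED if host_known else Verdict.NEW


def connection_outcome(verdict: Verdict, strict: str) -> str:
    """Non-interactive outcome per StrictHostKeyChecking value, following ssh_config(5)."""
    if verdict is Verdict.OK:
        return "connect"
    if verdict is Verdict.CHANGED:
        # Only 'no' proceeds on a changed key, and then with password/keyboard-interactive
        # authentication disabled; yes, ask and accept-new all refuse.
        return "connect with restrictions" if strict == "no" else "refuse: host key changed"
    if strict in ("no", "accept-new"):
        return "connect, add key to UserKnownHostsFile"
    if strict == "ask":
        return "prompt (fails without a tty)"
    return "refuse: host not in known_hosts"


def demo() -> dict:
    """Pinned hashed entry for rns1, plain entry for rns2; then three connection attempts."""
    original = ed25519_blob(bytes(range(32)))        # constructed key bytes
    rebuilt = ed25519_blob(bytes(range(32, 64)))     # a different constructed key
    pinned = "%s ssh-ed25519 %s\n" % (hashed_hostname("rns1.example.com", b"0123456789abcdefghij"),
                                     base64.b64encode(original).decode())
    pinned += "rns2.example.com,10.0.0.12 ssh-ed25519 %s\n" % base64.b64encode(rebuilt).decode()
    return {
        "same key": check_host_key(pinned, "rns1.example.com", "ssh-ed25519", original),
        "rebuilt host": check_host_key(pinned, "rns1.example.com", "ssh-ed25519", rebuilt),
        "rns2 by ip": check_host_key(pinned, "10.0.0.12", "ssh-ed25519", rebuilt),
        # UserKnownHostsFile=/dev/null: the file is always empty, so nothing is ever CHANGED
        "dev/null file": check_host_key("", "rns1.example.com", "ssh-ed25519", rebuilt),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-14s %-8s -> no: %s | accept-new: %s" % (
            case, verdict.name, connection_outcome(verdict, "no"),
            connection_outcome(verdict, "accept-new")))
```

The "dev/null file" case is the workaround from the top of the post: with an empty known_hosts file every host is NEW on every connection, so a rebuilt or impersonated host is indistinguishable from a fresh one and the CHANGED warning can never fire. The accept-new column shows the middle ground: with a persistent known_hosts file it removes the prompt for unknown hosts but still refuses a changed key.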

Depending on the situation it can be acceptable to disable strict host key checking, e.g. on an isolated lab network or a throwaway test environment. Be clear about what the two options do, though: StrictHostKeyChecking=no auto-accepts the key of any host that is not in known_hosts, and UserKnownHostsFile=/dev/null makes every host unknown on every connection (the accepted key is written to /dev/null), so a changed key is never detected and the warning above can never fire. For anything that matters, keep checking on and distribute the expected keys instead: collect them out of band, or with ssh-keyscan over a trusted path, into a known_hosts file and point Ansible at it with -o UserKnownHostsFile=/path/to/that/file. If you only want to get rid of the prompt for new hosts, StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) together with a persistent known_hosts file accepts unknown hosts automatically but still refuses a changed key.

Cheers!

Jan Dennis Bungart

A network & systems engineer, advocate of free and open source software and a supporter of net neutrality.