When transitioning from Puppet to Ansible, many administrators encounter SSH key authentication hurdles. While Ansible's agentless architecture is elegant, proper SSH configuration is crucial for seamless operation.
First, verify your manual SSH connection works:
ssh -i ~/.ssh/id_rsa user@10.0.0.5
If this fails, troubleshoot your key distribution first. Common issues include:
- Incorrect permissions on ~/.ssh (should be 700)
- Public key not properly appended to ~/.ssh/authorized_keys
- SSH daemon configuration restricting key auth
Your inventory file (/etc/ansible/hosts) needs the connection variables set per host:
[test_servers]
10.0.0.5 ansible_user=deploy ansible_ssh_private_key_file=/home/deploy/.ssh/id_rsa
[prod_servers]
web1.example.com ansible_ssh_private_key_file=/etc/ansible/keys/prod_key
Use verbose output to diagnose problems:
ansible all -m ping -vvvv
Key things to check in output:
- Which key file is being attempted
- Authentication method sequence
- SSH configuration parameters
For organization-wide standardization, configure ansible.cfg:
[defaults]
private_key_file = ~/.ssh/ansible_key
host_key_checking = False
remote_user = ansible_user
For environments with multiple keys, load them into ssh-agent (the eval is what exports the agent's socket into your shell):
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/other_key
Then, in the inventory, tell the SSH client to offer only the identity configured for that host rather than every key the agent holds:
[servers]
10.0.0.5 ansible_ssh_extra_args='-o IdentitiesOnly=yes'
Always:
- Use passphrase-protected keys
- Set proper file permissions (600 for keys)
- Rotate keys periodically
- Consider ansible-vault for sensitive variables
When migrating from Puppet to Ansible's agentless architecture, SSH key authentication becomes crucial for secure communication. The initial setup often trips up engineers due to subtle configuration requirements that differ from manual SSH usage.
The inventory file requires precise syntax for key-based authentication. Here's the corrected version:
[TEST]
10.0.0.5 ansible_ssh_private_key_file=/home/user/.ssh/id_rsa ansible_user=remoteuser
Common pitfalls include:
- Using tilde expansion (~) instead of full paths
- Omitting the remote username
- Incorrect file permissions
Ansible is particularly strict about key file permissions:
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 700 ~/.ssh
When authentication fails, use Ansible's verbose mode to pinpoint the exact failure point:
ansible all -m ping -vvvv
This reveals:
- Exact key file being attempted
- Authentication method sequence
- SSH client version compatibility
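The items listed above, and the "key things to check" list in the first section, can be pulled out of the debug log mechanically instead of by eye. The script below is an added example, not code from the original text: it takes raw OpenSSH client debug output (what `ssh -vvv user@host` prints, and the same debug1 lines Ansible's -vvvv run embeds for the SSH step) and reports the key files offered, the authentication methods the client moved through, and how the attempt ended. SAMPLE_LOG is a constructed, abridged sample of a failed login, not captured output.

```shell
#!/usr/bin/env bash
# Summarise OpenSSH client debug output (ssh -vvv): which key files were
# offered, which auth methods were tried, and how it ended. Added example;
# the sample log is constructed and abridged, not real captured output.

SAMPLE_LOG='debug1: Connecting to 10.0.0.5 [10.0.0.5] port 22.
debug1: Connection established.
debug1: identity file /home/deploy/.ssh/id_rsa type 0
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/deploy/.ssh/id_rsa RSA SHA256:c0nstructed
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/deploy/.ssh/id_ed25519
debug1: Next authentication method: password
deploy@10.0.0.5: Permission denied (publickey,password).'

# Key files the client actually offered or tried, one per line, in order.
keys_attempted() {
  printf '%s\n' "$1" | awk '
    /debug1: (Offering public key|Trying private key): / {
      sub(/.*(Offering public key|Trying private key): /, "")
      print $1
    }'
}

# Authentication methods the client moved through, comma-separated.
auth_methods() {
  printf '%s\n' "$1" | awk '
    /debug1: Next authentication method: / {
      sub(/.*Next authentication method: /, "")
      out = out (out == "" ? "" : ",") $1
    }
    END { print out }'
}

# Outcome: "succeeded", "denied", or "unknown" (log cut off / other failure).
auth_result() {
  if printf '%s\n' "$1" | grep -q 'Authentication succeeded (publickey)'; then
    echo succeeded
  elif printf '%s\n' "$1" | grep -q 'Permission denied'; then
    echo denied
  else
    echo unknown
  fi
}

# Human-readable report; pass the log text as the single argument.
diagnose() {
  echo "Keys attempted:"; keys_attempted "$1" | sed 's/^/  /'
  echo "Auth methods:   $(auth_methods "$1")"
  echo "Result:         $(auth_result "$1")"
}

# Live usage:  diagnose "$(ssh -vvv deploy@10.0.0.5 true 2>&1)"
diagnose "$SAMPLE_LOG"
```

On the sample, the report shows that only id_rsa was offered and rejected, the client then fell through to id_ed25519 and finally to password: exactly the pattern you see when the key the inventory names is not the one in the remote authorized_keys.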
For complex environments, consider these ansible.cfg settings:
[defaults]
host_key_checking = False
private_key_file = /path/to/key
remote_user = admin
When managing multiple environments with different keys:
[production]
host1.example.com ansible_ssh_private_key_file=/keys/prod_key
[staging]
host2.example.com ansible_ssh_private_key_file=/keys/stage_key
For bastion host scenarios, enable agent forwarding:
ansible.cfg:
[ssh_connection]
ssh_args = -o ForwardAgent=yes
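Two of the ansible.cfg settings shown on this page (here, and in both [defaults] blocks above) trade protection for convenience: host_key_checking = False means the SSH host key is never verified, so a host that spoofs the target can collect the login attempt, and ForwardAgent=yes lets a compromised bastion use every key in your agent for as long as you are connected. The audit script below is an added example, not Ansible's own tooling: it parses an ansible.cfg and prints a WARN line for each of those two settings, returning the number of findings. The two sample configs it writes are constructed; the hardened one keeps host verification on and reaches hosts behind a bastion with OpenSSH's ProxyJump option instead of forwarding the agent (bastion.example.com is a placeholder).

```shell
#!/usr/bin/env bash
# Audit an ansible.cfg for host_key_checking = False and agent forwarding.
# Added example, not Ansible's tooling; sample configs are constructed.
# Prints one WARN line per finding; the return value is the finding count.

audit_ansible_cfg() {
  awk '
    BEGIN { n = 0 }
    /^[ \t]*[#;]/ { next }                          # comment lines
    /^[ \t]*\[.*\]/ {                               # [section] headers
      section = tolower($0); gsub(/\[|\]|[ \t]/, "", section); next
    }
    {
      idx = index($0, "="); if (idx == 0) next
      key = tolower(substr($0, 1, idx - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, idx + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (section == "defaults" && key == "host_key_checking" && tolower(val) == "false") {
        print "WARN [defaults] host_key_checking = False: host keys are never verified"; n++
      }
      if (section == "ssh_connection" && key == "ssh_args" && tolower(val) ~ /forwardagent=yes/) {
        print "WARN [ssh_connection] ssh_args forwards the agent to the remote host"; n++
      }
    }
    END { exit n }' "$1"
}

# Constructed sample: the settings as given on this page.
write_weak_cfg() {
  cat > "$1" <<'EOF'
[defaults]
host_key_checking = False
private_key_file = /path/to/key
remote_user = admin

[ssh_connection]
ssh_args = -o ForwardAgent=yes
EOF
}

# Constructed hardened counterpart: host verification stays on, the bastion
# is reached via ProxyJump, and only the configured identity is offered.
# bastion.example.com is a placeholder.
write_hardened_cfg() {
  cat > "$1" <<'EOF'
[defaults]
host_key_checking = True
private_key_file = /path/to/key
remote_user = admin

[ssh_connection]
ssh_args = -o ProxyJump=bastion.example.com -o IdentitiesOnly=yes
EOF
}

# Usage:  audit_ansible_cfg /etc/ansible/ansible.cfg
```

Run it against the real ansible.cfg in a pre-commit hook or CI job; a non-zero return fails the check, and the WARN lines say which setting to change.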
When key auth fails:
1. Verify key exists at specified path
2. Confirm remote user has .ssh/authorized_keys setup
3. Check SELinux/AppArmor restrictions
4. Test manual SSH connection first
5. Verify remote sshd_config allows key auth
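Steps 1 and 2 of this checklist, together with the permission rules given earlier (700 on ~/.ssh, 600 on private keys, in both sections above), can be checked locally before any ssh attempt. The pre-flight script below is an added example, not Ansible's own tooling: it reads an INI inventory, collects every ansible_ssh_private_key_file value, and reports keys that are missing, not mode 600 (or 400), or sitting in a directory that is not mode 700. The sample inventory and key files it builds are constructed; the key contents are placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Local pre-flight for key-based Ansible auth: every key an INI inventory
# references must exist, be mode 600 (or 400), and live in a mode-700 dir.
# Added example, not Ansible's tooling; sample inventory/keys are constructed.

# Octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Every private key path the inventory references, one per line.
inventory_key_files() {
  awk '
    /^[ \t]*[#;]/ { next }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^ansible_ssh_private_key_file=/) {
          sub(/^ansible_ssh_private_key_file=/, "", $i); print $i
        }
    }' "$1"
}

# Check one key path; prints each problem, returns 1 if any was found.
check_key_file() {
  key=$1 problems=0
  if [ ! -f "$key" ]; then
    echo "MISSING $key"
    return 1
  fi
  mode=$(file_mode "$key")
  case $mode in
    600|400) ;;
    *) echo "PERMS   $key is mode $mode, expected 600"; problems=1 ;;
  esac
  dir=$(dirname "$key"); dirmode=$(file_mode "$dir")
  if [ "$dirmode" != 700 ]; then
    echo "PERMS   $dir is mode $dirmode, expected 700"; problems=1
  fi
  return "$problems"
}

# Run check_key_file over an inventory; return value is the number of bad keys.
preflight() {
  bad=0
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    check_key_file "$key" || bad=$((bad + 1))
  done <<EOF
$(inventory_key_files "$1")
EOF
  return "$bad"
}

# Constructed sample: a 700 key dir holding one world-readable placeholder key,
# plus an inventory entry pointing at a key that does not exist.
make_sample_inventory() {
  dir=$1
  mkdir -p "$dir/keys" && chmod 700 "$dir/keys"
  printf 'PLACEHOLDER, not a real key\n' > "$dir/keys/prod_key"
  chmod 644 "$dir/keys/prod_key"
  printf '[production]\nhost1.example.com ansible_ssh_private_key_file=%s\n[staging]\nhost2.example.com ansible_ssh_private_key_file=%s\n' \
    "$dir/keys/prod_key" "$dir/keys/stage_key" > "$dir/hosts"
  echo "$dir/hosts"
}

# Usage against the real inventory:  preflight /etc/ansible/hosts
```

On the constructed sample the run reports two bad keys (prod_key is 644, stage_key is missing); after chmod 600 on prod_key only the missing key remains. The remaining checklist items (authorized_keys on the remote side, SELinux/AppArmor, sshd_config) need a login to the target and are left to the manual ssh test in step 4.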