Resolving Ansible SSH SFTP Connection Failures When SFTP Subsystem is Disabled



When attempting to execute simple Ansible commands like:

ansible all -a "/bin/echo hello" -u myuser

many administrators encounter this error:

mydomain.myhost.com | FAILED => failed to open a SFTP connection (Channel closed.)

Ansible primarily uses SFTP for file transfer operations because:

  • It's more secure than traditional SCP
  • Provides better file manipulation capabilities
  • Supports resuming interrupted transfers

Option 1: Enable SCP fallback (recommended)

Modify your ansible.cfg:

[ssh_connection]
scp_if_ssh = True

Option 2: Force SCP via environment variable

export ANSIBLE_SCP_IF_SSH=1
ansible all -a "/bin/echo hello" -u myuser

For deeper diagnostics, run Ansible with verbose output:

ANSIBLE_DEBUG=1 ansible all -a "/bin/echo hello" -u myuser -vvv

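For systems where neither SFTP nor SCP is available, consider:

[ssh_connection]
# Move files over the plain SSH command channel (dd) instead of SFTP/SCP
transfer_method = piped
# Send module code over stdin instead of copying it to the host first
pipelining = True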

When modifying transfer methods:

  • SCP may be less secure than SFTP in some implementations
  • Pipelining may have performance impacts
  • Always test changes in non-production environments first

The error occurs because Ansible requires SFTP functionality by default when using the SSH connection plugin, which is its primary transport mechanism.

Ansible relies on SFTP for two critical operations:

  • Transferring modules to managed nodes
  • Handling file operations (copy, template modules, etc.)

The SFTP subsystem is typically part of OpenSSH installations, but some hardened systems disable it for security reasons.

You have several approaches to resolve this:

1. Enable SFTP Subsystem (Recommended)

Edit /etc/ssh/sshd_config on the managed node:

Subsystem sftp /usr/lib/openssh/sftp-server

Then restart SSH:

sudo systemctl restart sshd

2. Force SCP Instead of SFTP

In your ansible.cfg:

[ssh_connection]
scp_if_ssh = True

Important notes about this approach:

  • Requires scp to be available on both controller and managed nodes
  • May be slower for large file transfers
  • Some modules may not work properly

3. Alternative Connection Methods

For completely SFTP-free operation, consider:

ansible all -m raw -a "/bin/echo hello" -u myuser

Or set in inventory:

[all:vars]
ansible_connection=paramiko

If scp_if_ssh=True isn't working:

  1. Verify the config file location (Ansible checks in this order):
    • ANSIBLE_CONFIG environment variable
    • ./ansible.cfg
    • ~/.ansible.cfg
    • /etc/ansible/ansible.cfg
  2. Check for syntax errors in ansible.cfg
  3. Verify the setting is under the correct section header
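
The three checks above can be scripted. The following Python sketch is an added example, not part of the original article or of Ansible itself; the names active_config, audit and the sample strings are made up for illustration. It also accounts for Ansible refusing to load ./ansible.cfg when the working directory is world-writable.

```python
import configparser
import os
import stat
from pathlib import Path

# Transfer settings from this page; both belong under [ssh_connection].
TRANSFER_KEYS = {"scp_if_ssh", "transfer_method"}


def active_config(env, cwd, home):
    """Return the first existing config file in Ansible's search order, or None."""
    candidates = []
    if env.get("ANSIBLE_CONFIG"):
        candidates.append(Path(env["ANSIBLE_CONFIG"]))
    # Ansible refuses to load ansible.cfg from a world-writable working directory.
    if not os.stat(cwd).st_mode & stat.S_IWOTH:
        candidates.append(Path(cwd) / "ansible.cfg")
    candidates.append(Path(home) / ".ansible.cfg")
    candidates.append(Path("/etc/ansible/ansible.cfg"))
    return next((p for p in candidates if p.is_file()), None)


def audit(cfg_text):
    """Return (effective, misplaced) transfer settings found in ansible.cfg text.

    Raises configparser.Error if the text has INI syntax errors.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    effective, misplaced = {}, []
    for section in parser.sections():
        for key in TRANSFER_KEYS & set(parser.options(section)):
            if section == "ssh_connection":
                effective[key] = parser.get(section, key)
            else:
                misplaced.append((section, key))
    return effective, sorted(misplaced)


# Constructed samples: in the first, the setting sits under the wrong header.
SAMPLE_WRONG = "[defaults]\nscp_if_ssh = True\n"
SAMPLE_RIGHT = "[ssh_connection]\nscp_if_ssh = True\ntransfer_method = piped\n"

if __name__ == "__main__":
    path = active_config(os.environ, os.getcwd(), Path.home())
    print("active config:", path)
    if path:
        print(audit(path.read_text()))
```

A non-empty "misplaced" list means the setting is parsed but sits in a section where the SSH connection plugin does not read it.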

When choosing between SFTP and SCP:

Method          Speed                        Reliability           Security
SFTP (default)  Faster for many small files  More robust           Better crypto (SSH2)
SCP             Faster for large files       Basic error handling  Uses SSH1 crypto by default

- name: Example playbook with SCP transport
  hosts: all
  vars:
    # Per-play override of the SSH plugin's file transfer method
    ansible_ssh_transfer_method: scp
  tasks:
    - name: Test connection
      command: hostname
      register: result
    - name: Show the hostname returned by the managed node
      debug:
        var: result.stdout

Remember that some modules (like copy and template) may still attempt SFTP operations even with SCP transport enabled.