Working with managed nodes with password (not passphrase)

Connect Ansible to managed nodes with SSH passwords using --ask-pass (-k), understand -K vs -k, sshpass requirements, and when key-based auth is still preferred on Rocky Linux 10.

Published

Updated

Read time 4 min read

Reviewed byDeepak Prasad

Working with managed nodes with password (not passphrase)

In the GoLinuxCloud Ansible course, EX294 lab setup normally configures passwordless SSH with keys—the recommended path for daily automation. Password prompts are a fallback when keys are missing, impractical, or you are recovering access on a host you cannot reach with your key.

This page explains SSH password authentication (-k / --ask-pass), how it differs from key passphrase prompts (-K / --ask-become-pass), and when Ansible needs sshpass on the control node.

Tested on: Rocky Linux 10.2 (Red Quartz); ansible-core 2.16.16.

NOTE
This chapter is part of the GoLinuxCloud Ansible tutorial (RHCE EX294). Follow along from ~/ansible-project, inventory group lab, and playbooks in playbooks/. Use your own host names and paths if yours differ.

SSH password vs key passphrase

Two different secrets show up in Ansible workflows—do not confuse them:

Prompt Flag What it unlocks
SSH login password -k / --ask-pass Password for ansible_user on the managed host (PasswordAuthentication)
SSH private key passphrase (OpenSSH prompts when you ssh) Passphrase that protects your local id_rsa / id_ed25519 key file—not the same as -k
sudo / become password -K / --ask-become-pass Password for privilege escalation after SSH login succeeds

Key-based auth with a passphrase still uses your SSH key; OpenSSH asks for the key passphrase locally. --ask-pass is for hosts that accept password login over SSH instead of (or in addition to) public keys.


When password-based SSH makes sense

Password SSH is useful when:

  • You removed authorized_keys and need temporary access
  • A managed node was rebuilt and keys were not redeployed yet
  • Lab VMs use password login while you practice --ask-pass

For production and the EX294 lab long term, deploy keys as in lab setup and passwordless SSH.


Lab example: server3 without authorized_keys

To demonstrate password auth, remove the authorized_keys entry for the control node on server3 so passwordless communication no longer works.

Updated /etc/hosts on the nodes:

[ansible@controller ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.7.253    controller      controller.example.com
172.31.4.189    server1         server1.example.com
172.31.23.18    server2         server2.example.com
172.31.14.46    server3         server3.example.com

Add the host to inventory:

[ansible@controller ~]$ head -n 3 /etc/ansible/hosts
server1
server2
server3

Plain SSH from the controller should prompt for a password:

[ansible@controller ~]$ ssh server3
ansible@server3's password:

Log in to the managed node with ssh; the ssh command covers hostnames, users, and passwordless key setup.

[ansible@controller ~]$ ssh server3
ansible@server3's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Sep 21 07:46:47 2020
[ansible@server3 ~]$

Why ansible ping fails without --ask-pass

By default Ansible does not prompt for an SSH password:

[ansible@controller ~]$ ansible server3 -m ping
server3 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ansible@server3: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}

Supply -k or --ask-pass so Ansible prompts for the SSH password:

[ansible@controller ~]$ ansible server3 -m ping --ask-pass
SSH password:
server3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

The same flag works for playbooks:

bash
ansible-playbook playbooks/site.yml --ask-pass

If connectivity still fails after supplying a password, work through Ansible troubleshooting before rewriting playbooks.


sshpass requirement on the control node

Non-interactive password auth (and some --ask-pass code paths) rely on sshpass on the control node. If Ansible reports that sshpass is required, install it on Rocky Linux 10:

bash
sudo dnf install -y sshpass

sshpass feeds the SSH password non-interactively. It is appropriate for labs and one-off recovery—not a substitute for keys in production. Storing SSH passwords in ansible.cfg, inventory, or environment variables is unsafe.


-K vs -k: become password is separate

Flag Long form Prompt
-k --ask-pass SSH login password for the remote user
-K --ask-become-pass sudo / become password after login

You can need both on the same run:

bash
ansible-playbook playbooks/site.yml --ask-pass --ask-become-pass

-k gets you onto the host; -K escalates privileges when become: true and sudo requires a password. Neither flag replaces SSH key passphrases—those are handled by ssh-agent or an interactive ssh prompt when your private key is encrypted.


Rocky Linux 10 notes

  • Managed hosts must allow password authentication in sshd if you use --ask-pass (PasswordAuthentication yes in /etc/ssh/sshd_config—hardening guides often disable this).
  • Python on the target is still required for most modules—the password only covers the SSH layer.
  • Prefer key-based auth from lab setup; use --ask-pass when keys are unavailable, not as the default automation model.

What's Next

Next in our Ansible Tutorial we will learn about Jinja2 templates and syntax.

Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …