Working with managed nodes with password (not passphrase)

In all the examples till now we have used password less communication by setting up a passphrase with no password. So that the controller is able to communicate with the managed nodes without prompting for any password.

But this is again not a strict requirement (although recommended). We can also use password based communication between controller and managed nodes. To demonstrate this example I have removed authorized_keys entry for controller node on server3 so now password less communication won't work for server3.

I have updated my /etc/hosts on all the nodes with the details of server3 which is created using the AMI Image of one of our managed nodes.

[ansible@controller ~]$ cat /etc/hosts   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6    controller    server1    server2    server3

Next we will update our inventory to also include this host

[ansible@controller ~]$ head -n 3 /etc/ansible/hosts

Now if I try to do a plain SSH from controller to server3, it should prompt me for password:

[ansible@controller ~]$ ssh server3
ansible@server3's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Sep 21 07:46:47 2020
[ansible@server3 ~]$

So our password less communication is not working any more. Let us now use ansible to ping to this managed node:

[ansible@controller ~]$ ansible server3 -m ping
server3 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ansible@server3: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true

So the ansible has failed because by default ansible will not prompt for any password so we must supply --ask-pass or -k to make ansible prompt for the password.

[ansible@controller ~]$ ansible server3 -m ping --ask-pass
SSH password:
server3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    "changed": false,
    "ping": "pong"

Now you can execute any ad-hoc command or playbook using ansible with --ask-pass without the need for passphrase.


What's Next

Next in our Ansible Tutorial we will learn about Jinja2 templates and syntax


Leave a Comment

Please use shortcodes <pre class=comments>your code</pre> for syntax highlighting when adding code.