In the GoLinuxCloud Ansible course, EX294 lab setup normally configures passwordless SSH with keys—the recommended path for daily automation. Password prompts are a fallback when keys are missing, impractical, or you are recovering access on a host you cannot reach with your key.
This page explains SSH password authentication (-k / --ask-pass), how it differs from key passphrase prompts (-K / --ask-become-pass), and when Ansible needs sshpass on the control node.
Tested on: Rocky Linux 10.2 (Red Quartz); ansible-core 2.16.16.
~/ansible-project, inventory group lab, and playbooks in playbooks/. Use your own host names and paths if yours differ.
SSH password vs key passphrase
Two different secrets show up in Ansible workflows—do not confuse them:
| Prompt | Flag | What it unlocks |
|---|---|---|
| SSH login password | -k / --ask-pass |
Password for ansible_user on the managed host (PasswordAuthentication) |
| SSH private key passphrase | (OpenSSH prompts when you ssh) |
Passphrase that protects your local id_rsa / id_ed25519 key file—not the same as -k |
| sudo / become password | -K / --ask-become-pass |
Password for privilege escalation after SSH login succeeds |
Key-based auth with a passphrase still uses your SSH key; OpenSSH asks for the key passphrase locally. --ask-pass is for hosts that accept password login over SSH instead of (or in addition to) public keys.
When password-based SSH makes sense
Password SSH is useful when:
- You removed
authorized_keysand need temporary access - A managed node was rebuilt and keys were not redeployed yet
- Lab VMs use password login while you practice
--ask-pass
For production and the EX294 lab long term, deploy keys as in lab setup and passwordless SSH.
Lab example: server3 without authorized_keys
To demonstrate password auth, remove the authorized_keys entry for the control node on server3 so passwordless communication no longer works.
Updated /etc/hosts on the nodes:
[ansible@controller ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.7.253 controller controller.example.com
172.31.4.189 server1 server1.example.com
172.31.23.18 server2 server2.example.com
172.31.14.46 server3 server3.example.com
Add the host to inventory:
[ansible@controller ~]$ head -n 3 /etc/ansible/hosts
server1
server2
server3
Plain SSH from the controller should prompt for a password:
[ansible@controller ~]$ ssh server3
ansible@server3's password:
Log in to the managed node with ssh; the ssh command covers hostnames, users, and passwordless key setup.
[ansible@controller ~]$ ssh server3
ansible@server3's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Sep 21 07:46:47 2020
[ansible@server3 ~]$
Why ansible ping fails without --ask-pass
By default Ansible does not prompt for an SSH password:
[ansible@controller ~]$ ansible server3 -m ping
server3 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: ansible@server3: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
Supply -k or --ask-pass so Ansible prompts for the SSH password:
[ansible@controller ~]$ ansible server3 -m ping --ask-pass
SSH password:
server3 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
The same flag works for playbooks:
ansible-playbook playbooks/site.yml --ask-passIf connectivity still fails after supplying a password, work through Ansible troubleshooting before rewriting playbooks.
sshpass requirement on the control node
Non-interactive password auth (and some --ask-pass code paths) rely on sshpass on the control node. If Ansible reports that sshpass is required, install it on Rocky Linux 10:
sudo dnf install -y sshpasssshpass feeds the SSH password non-interactively. It is appropriate for labs and one-off recovery—not a substitute for keys in production. Storing SSH passwords in ansible.cfg, inventory, or environment variables is unsafe.
-K vs -k: become password is separate
| Flag | Long form | Prompt |
|---|---|---|
-k |
--ask-pass |
SSH login password for the remote user |
-K |
--ask-become-pass |
sudo / become password after login |
You can need both on the same run:
ansible-playbook playbooks/site.yml --ask-pass --ask-become-pass-k gets you onto the host; -K escalates privileges when become: true and sudo requires a password. Neither flag replaces SSH key passphrases—those are handled by ssh-agent or an interactive ssh prompt when your private key is encrypted.
Rocky Linux 10 notes
- Managed hosts must allow password authentication in
sshdif you use--ask-pass(PasswordAuthentication yesin/etc/ssh/sshd_config—hardening guides often disable this). - Python on the target is still required for most modules—the password only covers the SSH layer.
- Prefer key-based auth from lab setup; use
--ask-passwhen keys are unavailable, not as the default automation model.
What's Next
Next in our Ansible Tutorial we will learn about Jinja2 templates and syntax.

