Ansible Accept Host Keys the First Time

May 24, 2026

When running Ansible playbooks against new hosts, you'll encounter SSH's host key verification prompt. This is a security feature that prevents man-in-the-middle attacks, but it breaks automation since Ansible can't interactively accept the prompt.

The traditional workaround is to disable host key checking entirely with StrictHostKeyChecking=no, but this is insecure as it accepts any host key on every connection, even if the key has changed (which could indicate a security issue).

A better solution is StrictHostKeyChecking=accept-new, which accepts unknown host keys on first connection (adding them to known_hosts) but still warns you, and refuses the connection, if a known host's key changes.

Configuration

First, create the Ansible configuration directory:

mkdir -p /etc/ansible

Then configure Ansible to pass the option to its SSH connections. Note that ssh_args replaces Ansible's default value (which enables compression and ControlMaster connection sharing), so append the option to those defaults if you want to keep them:

/etc/ansible/ansible.cfg

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=accept-new

How It Works

This configuration tells Ansible's SSH connections to:

  • Accept new host keys automatically on first connection (no interactive prompt)
  • Add them to known_hosts for future reference
  • Still validate host keys on subsequent connections
  • Warn you if a previously-seen host key has changed

Security Comparison

Three common options for StrictHostKeyChecking:

  • yes (default) - Always verify, prompt for unknown hosts. Secure but breaks automation.
  • accept-new - Accept unknown hosts, verify known hosts. Recommended for automation.
  • no - Never verify host keys. Insecure, vulnerable to MITM attacks.

The accept-new option provides the best balance of security and automation convenience. It still trusts whatever key is presented on the very first connection, so for hosts whose fingerprints can be obtained through a trusted channel, pre-populating known_hosts before the first run is stronger still.
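To make the difference between the three modes concrete, here is a small added example (not from the original post and not OpenSSH's or Ansible's code) that models how each StrictHostKeyChecking mode treats a presented host key against a constructed known_hosts file. It only imitates the decision logic so the outcomes can be compared side by side without an sshd; the hostnames and key strings are made-up placeholders.

```shell
#!/bin/sh
# Added example: models OpenSSH's StrictHostKeyChecking decision for the
# three modes discussed in the post (yes, accept-new, no). Pure shell over a
# constructed known_hosts file; it never calls ssh. Keys are placeholders.

# host_key_decision MODE KNOWN_HOSTS_FILE HOST PRESENTED_KEY
# Prints the outcome of one connection attempt:
#   new-accept      unknown host; key appended to known_hosts, connection proceeds
#   new-reject      unknown host; connection refused (what a non-interactive
#                   Ansible run sees under "yes")
#   ok              host known and the presented key matches
#   changed-reject  host known but the key differs; connection refused
#   changed-accept  host known, key differs, connection proceeds anyway ("no")
host_key_decision() {
    mode=$1 kh=$2 host=$3 key=$4
    # known_hosts lines are "host keytype base64key"; compare "keytype base64key"
    stored=$(awk -v h="$host" '$1 == h { print $2 " " $3; exit }' "$kh")
    if [ -z "$stored" ]; then
        case $mode in
            yes) echo new-reject ;;
            accept-new|no)
                printf '%s %s\n' "$host" "$key" >> "$kh"
                echo new-accept ;;
            *) echo "unknown mode: $mode" >&2; return 2 ;;
        esac
    elif [ "$stored" = "$key" ]; then
        echo ok
    else
        case $mode in
            no) echo changed-accept ;;   # OpenSSH prints a warning but still connects
            *)  echo changed-reject ;;   # yes and accept-new both refuse
        esac
    fi
}

# Constructed known_hosts with one already-trusted host. The key blob is a
# made-up placeholder, not a real public key.
make_known_hosts() {
    f=$(mktemp)
    printf 'web1.example.internal ssh-ed25519 AAAAC3PLACEHOLDERKEY1\n' > "$f"
    echo "$f"
}

# Runs the four situations that matter for automation, once per mode:
# first contact with an unknown host, the repeat contact, a known host with
# the expected key, and a known host presenting a different key.
run_scenarios() {
    known=web1.example.internal
    good='ssh-ed25519 AAAAC3PLACEHOLDERKEY1'   # matches the stored entry
    bad='ssh-ed25519 AAAAC3PLACEHOLDERKEY2'    # changed key: MITM or rebuilt host
    for mode in yes accept-new no; do
        kh=$(make_known_hosts)                 # fresh file per mode
        first=$(host_key_decision "$mode" "$kh" new1.example.internal "$good")
        again=$(host_key_decision "$mode" "$kh" new1.example.internal "$good")
        same=$(host_key_decision "$mode" "$kh" "$known" "$good")
        changed=$(host_key_decision "$mode" "$kh" "$known" "$bad")
        printf '%-11s unknown=%-11s repeat=%-11s known=%-3s changed=%s\n' \
            "$mode" "$first" "$again" "$same" "$changed"
        rm -f "$kh"
    done
}

run_scenarios
```

The accept-new row shows the property the post relies on: the first contact adds the key, the repeat contact verifies it, and a changed key on a known host is refused exactly as under yes. The no row is the one that hides a changed key. If you would rather keep the setting per host than globally, the same option can be supplied through the ansible_ssh_common_args inventory variable instead of ansible.cfg.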