Ansible – SSH and Password Protected Private Keys (Linux)

It is recommended to password protect private SSH keys so that, if they ever end up in the wrong hands, a password is still needed to use them. For even more security, Ansible Vault could be used to encrypt the private key alongside the password. The key would then have to be decrypted, and the private key’s password entered as well, before the key would work.

However, when using Ansible with a private SSH key that requires a password you may find that Ansible attempts to prompt for the password for each use of the key. This can be a pain, especially if the key is used for multiple hosts and each causes a password prompt.

The solution to this is to use the SSH Agent. Use the commands:

eval `ssh-agent`
ssh-add PRIVATEKEY_NAME


Note: ssh-agent is wrapped in back ticks (one in front of it and one after it), and the ssh-add command will ask for the private key password.

This should add the private key to your SSH Agent, and when you then run Ansible commands they should not ask for the SSH private key password. On logout the SSH Agent should close, so the commands have to be run again on the next logon to re-add the key. The SSH Agent process could also be ended manually (if you don’t trust it to close automatically).
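
One way to avoid relying on the agent closing at logout is to give each Ansible run its own agent and end it as soon as the run finishes. The function below is an added example, not part of the original post; the names run_with_agent and KEY_LIFETIME and the paths in the usage comment are assumptions made for illustration.

```shell
# Added example: run one command under a dedicated ssh-agent that is always
# ended afterwards. run_with_agent and KEY_LIFETIME are hypothetical names.
#
# Usage (paths are placeholders):
#   run_with_agent ~/.ssh/PRIVATEKEY_NAME ansible-playbook -i inventory site.yml
run_with_agent() {
    [ $# -ge 2 ] || { echo "usage: run_with_agent KEY COMMAND [ARGS...]" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read key: $1" >&2; return 2; }
    (
        # Subshell: SSH_AUTH_SOCK and SSH_AGENT_PID never reach the calling
        # shell, so nothing started later can reuse this agent by accident.
        key=$1
        shift
        agent_env=$(ssh-agent -s) || exit 1
        eval "$agent_env" >/dev/null

        # End the agent whenever the subshell exits: success, failure or Ctrl-C.
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
        trap 'exit 130' INT TERM

        # ssh-add asks once for the private key password. -t removes the
        # decrypted key from the agent after KEY_LIFETIME seconds (default 1h)
        # in case the run hangs.
        ssh-add -t "${KEY_LIFETIME:-3600}" "$key" || exit 1

        "$@"
        status=$?
        exit "$status"
    )
}
```

Inside the wrapped command, `ssh-add -l` lists the keys the agent currently holds, which is a quick way to confirm the key was loaded.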