Home / Ansible / WordPress troubleshooting: Ansible SSH Host Key Verification Failed

Ansible

WordPress troubleshooting: Ansible SSH Host Key Verification Failed

Ansible SSH connections fail with host key verification errors when target host keys are missing from known_hosts or have changed due to server rebuilds.

Published: Jan 22, 20268 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

When Ansible connects to a managed host via SSH, it verifies the server's host key against the local known_hosts file to prevent man-in-the-middle attacks. If the host key doesn't match (because the server was rebuilt, IP was reassigned, or this is the first connection), Ansible marks the host as UNREACHABLE and refuses to proceed. While this security feature protects against MITM attacks, it commonly breaks automation after infrastructure changes.

Understanding the difference between legitimate host key changes (server rebuilds) and potential security issues is critical for resolving these errors safely.

Symptoms

Host key verification failed:

bash

$ ansible web-server -m ping
web-server | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @\r\n@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!@\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the RSA key sent by the remote host is\r\nSHA256:abc123...\r\nPlease contact your system administrator.\r\nAdd correct host key in /home/user/.ssh/known_hosts to get rid of this message.\r\nHost key verification failed.\r\n",
    "unreachable": true
}

Unknown host key:

bash

$ ansible new-server -m ping
new-server | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Host key verification failed.\r\n",
    "unreachable": true
}

SSH directly shows the issue:

bash

$ ssh web-server
The authenticity of host 'web-server (10.0.1.50)' can't be established.
ECDSA key fingerprint is SHA256:xyz789...
Are you sure you want to continue connecting (yes/no/[fingerprint])?

After server rebuild:

bash

$ ssh rebuilt-server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:newkey123...
Offending RSA key in /home/user/.ssh/known_hosts:15
RSA host key for rebuilt-server has changed
Host key verification failed.

Checking known_hosts:

bash

$ cat ~/.ssh/known_hosts | grep web-server
web-server ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...oldkey...
# This key no longer matches the server

Common Causes

1. Server Rebuilt or Reinstalled

New OS installation generates new SSH host keys:

```bash # Before rebuild web-server: ssh-rsa AAAAB3...oldkey...

# After rebuild - server has new key web-server: ssh-rsa AAAAB3...newkey... ```

2. IP Address Reassigned

IP reused by a different server with different host keys:

bash

# IP 10.0.1.50 was server-a
# Now IP 10.0.1.50 is server-b with different keys

3. First Connection to New Host

Host key not yet in known_hosts:

bash

$ grep new-server ~/.ssh/known_hosts
# No entry - first connection

4. SSH Port or Protocol Changed

Server reconfigured with different SSH settings:

bash

# Server changed from RSA to ECDSA
# Or from port 22 to port 2222

5. Load Balancer or Proxy

Connecting through a proxy that presents different keys:

bash

# Direct connection to web-server uses key A
# Connection through bastion uses key B

6. DNS Change

Hostname now resolves to different IP:

bash

# web-server.example.com was 10.0.1.50
# Now resolves to 10.0.1.60 (different host)

Step-by-Step Fix

Step 1: Verify This Is a Legitimate Change

Before removing host keys, verify the change is expected:

```bash # Check if this was a known rebuild # Verify with your infrastructure team or check CI/CD logs

# Test with verbose SSH to see fingerprint ssh -v web-server 2>&1 | grep "fingerprint"

# Compare with expected fingerprint (from your config management) ssh-keyscan web-server | ssh-keygen -lf - ```

Step 2: Remove Old Host Key

Remove the outdated host key entry:

```bash # Remove by hostname ssh-keygen -R web-server

# Remove by IP address ssh-keygen -R 10.0.1.50

# Remove both hostname and IP ssh-keygen -R web-server.example.com ssh-keygen -R web-server ssh-keygen -R 10.0.1.50

# View the change cat ~/.ssh/known_hosts ```

Step 3: Add New Host Key

Add the correct host key:

```bash # Method 1: SSH and accept manually (verify fingerprint first!) ssh web-server # Type 'yes' when prompted

# Method 2: Use ssh-keyscan (automated) ssh-keyscan -H web-server >> ~/.ssh/known_hosts

# Method 3: With specific key type ssh-keyscan -t rsa,ecdsa,ed25519 web-server >> ~/.ssh/known_hosts

# Method 4: With port specified ssh-keyscan -p 2222 web-server >> ~/.ssh/known_hosts ```

Step 4: Verify Connection Works

Test SSH connection:

```bash # Test direct SSH ssh web-server "hostname"

# Test with Ansible ansible web-server -m ping

# Test with verbose output ansible web-server -m ping -vvv ```

Step 5: Automate Host Key Management

Create a playbook for host key management:

```yaml # manage_host_keys.yml - name: Manage SSH host keys hosts: localhost gather_facts: false vars: target_hosts: "{{ groups['all'] }}" known_hosts_file: ~/.ssh/known_hosts

tasks: - name: Get host keys for all targets shell: | ssh-keyscan -H {{ item }} >> {{ known_hosts_file }} 2>/dev/null loop: "{{ target_hosts }}" changed_when: true register: keyscan

name: Verify all hosts are reachable
ansible.builtin.wait_for:
host: "{{ item }}"
port: 22
timeout: 10
loop: "{{ target_hosts }}"
delegate_to: localhost
run_once: true
`

Step 6: Configure Host Key Checking

For controlled environments, you can adjust host key checking:

```ini # ansible.cfg - DO NOT DISABLE IN PRODUCTION [defaults] # Disable host key checking (not recommended for production) host_key_checking = False

# Use SSH arguments to disable per-session [ssh_connection] ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ```

Better approach - use environment-specific config:

```ini # ansible.cfg (production) [defaults] host_key_checking = True

# group_vars/development.yml ansible_ssh_common_args: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" ```

Step 7: Handle Host Key Changes in CI/CD

Automate host key refresh in pipelines:

```yaml # refresh_host_keys.yml - name: Refresh SSH host keys after infrastructure changes hosts: localhost gather_facts: false vars: infrastructure_hosts: "{{ groups['target'] }}"

tasks: - name: Remove old host keys command: ssh-keygen -R {{ item }} loop: "{{ infrastructure_hosts }}" changed_when: "'updated' in result.stdout" failed_when: false register: remove_result

name: Scan new host keys
command: ssh-keyscan -H {{ item }}
register: new_keys
loop: "{{ infrastructure_hosts }}"
changed_when: false

name: Add new host keys to known_hosts
copy:
content: "{{ item.stdout }}\n"
dest: ~/.ssh/known_hosts
mode: '0600'
loop: "{{ new_keys.results }}"
when: item.stdout | length > 0

name: Verify connectivity
ansible.builtin.wait_for:
host: "{{ item }}"
port: 22
timeout: 30
loop: "{{ infrastructure_hosts }}"
`

Step 8: Use Hashed Known Hosts

Use hashed hostnames in known_hosts for security:

```bash # Scan with hashed hostnames ssh-keyscan -H web-server >> ~/.ssh/known_hosts

# The entry will be hashed: # |1|hashvalue|hashvalue ssh-rsa AAAAB3...

# To verify an entry exists for a host ssh-keygen -F web-server ```

Verification

Test SSH connectivity:

```bash # Test with SSH directly ssh web-server "echo 'Connection successful'"

# Test with Ansible ping ansible web-server -m ping

# Expected output: # web-server | SUCCESS => { # "ansible_facts": {...}, # "changed": false, # "ping": "pong" # }

# Test with verbose ansible web-server -m ping -vvv # Should not show host key errors ```

Verify known_hosts state:

```bash # Check host key exists ssh-keygen -F web-server

# Expected output: # # Host web-server found: line 15 # web-server ssh-rsa AAAAB3...

# List all known hosts cat ~/.ssh/known_hosts ```

Run actual playbook:

```bash # Run playbook against target ansible-playbook site.yml --limit web-server

# Verify no UNREACHABLE errors # All tasks should complete or fail for other reasons ```

[ansible-ssh-connection-refused-unreachable](/articles/ansible-ssh-connection-refused-unreachable)
[ansible-ssh-timeout-issues](/articles/ansible-ssh-timeout-issues)
[ansible-security-ssh-configuration](/articles/ansible-security-ssh-configuration)

[WordPress troubleshooting: Ansible Artifact Download Uses an Old Mi](ansible-artifact-download-uses-an-old-mirror-after-proxy-change)
[WordPress troubleshooting: Ansible Audit Trail Misses Events Under ](ansible-audit-trail-misses-events-under-burst-load)
[WordPress troubleshooting: Ansible Background Worker Gets Stuck in ](ansible-background-worker-stuck-in-a-retry-loop)
[WordPress troubleshooting: Ansible Backup Completes but Restore Fai](ansible-backup-completes-but-restore-fails-checksum-validation)
[WordPress troubleshooting: Ansible Batch Importer Duplicates Rows A](ansible-batch-importer-duplicates-rows-after-a-retry)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

WordPress troubleshooting: Ansible SSH Host Key Verification Failed WordPress troubleshooting: Ansible SSH Host Key Verification Failed Ansible WordPress troubleshooting: Ansible SSH Host Key Verification Failed troubleshooting WordPress troubleshooting: Ansible SSH Host Key Verification Failed fix Ansible SSH connections fail with host key verification errors when target host keys are missing from known_hosts or have changed due to server rebuilds Ansible Ansible SSH connections fail with host key verification errors when target host keys are missing from known_hosts or have changed due to server rebuilds

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

Ansible Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this ansible-errors troubleshooting guide applies to my situation?

This guide is designed for ansible-errors issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these ansible-errors troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of ansible-errors issue?

Most ansible-errors issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this ansible-errors issue from happening again?

Regular maintenance, monitoring, and following best practices for ansible-errors configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Jan 22, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation

WordPress troubleshooting: Ansible SSH Host Key Verification Failed

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Verify This Is a Legitimate Change

Step 2: Remove Old Host Key

Step 3: Add New Host Key

Step 4: Verify Connection Works

Step 5: Automate Host Key Management

Step 6: Configure Host Key Checking

Step 7: Handle Host Key Changes in CI/CD

Step 8: Use Hashed Known Hosts

Verification

Related Issues

Related Articles

People also search for

Share this guide

More Ansible Troubleshooting Guides

Browse Guides from Other Categories

Ansible Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading