Introduction

Ansible marks a host UNREACHABLE when it cannot complete the SSH handshake at all. A very common variant is "Host key verification failed", where the network path is fine but the client refuses to trust the server identity. The fix is to distinguish between reachability, authentication, and host key trust rather than disabling SSH checks immediately.

Symptoms

  • Ansible reports UNREACHABLE! for one or more hosts
  • SSH manually prompts about an unknown or changed host key
  • The same inventory used to work before a host rebuild or IP reuse
  • Some hosts connect while others fail with different SSH settings

Common Causes

  • The target host key changed after reprovisioning or IP reassignment
  • The control machine does not have the host key in known_hosts
  • Inventory values such as user, port, or private key path do not match the real host
  • The host is genuinely unreachable because of firewall, routing, or DNS problems

Step-by-Step Fix

  1. Test plain SSH first

     If raw SSH cannot connect, Ansible will not be able to either. Start with the exact user, key, and port that the inventory expects.

     ```bash
     ssh -i ~/.ssh/deploy_key deploy@example-host
     ```

  2. Refresh the host key if the server was rebuilt or changed

     A changed host key should be investigated, but after a legitimate rebuild you need to update local trust material. ssh-keyscan does not authenticate the key it retrieves, so compare its fingerprint with one obtained from the rebuilt host itself before relying on the new entry.

     ```bash
     ssh-keygen -R example-host
     ssh-keyscan example-host >> ~/.ssh/known_hosts
     ```

  3. Verify the inventory SSH settings

     A wrong port, user, or key file often looks like a reachability failure when the real issue is configuration drift.

     ```ini
     [web]
     app01 ansible_user=deploy ansible_port=2222 ansible_ssh_private_key_file=~/.ssh/deploy_key
     ```

  4. Disable host key checking only for controlled temporary situations

     This is useful for disposable lab environments, not as the default fix for production automation.

     ```ini
     [defaults]
     host_key_checking = False
     ```
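
For the host key refresh step, an added example (not part of the original page) that checks scanned keys against a fingerprint recorded out of band before anything is appended to known_hosts. The function names, the source of the trusted fingerprint, and the sample scan data are assumptions made for this example.

```python
import base64
import hashlib


def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_known_hosts_lines(scan_output, trusted):
    """Return known_hosts lines whose fingerprint matches a trusted value.

    scan_output: text in ssh-keyscan format, "host keytype base64key" per line.
    trusted: {keytype: fingerprint} obtained out of band (assumed here to come
             from the rebuild procedure, e.g. the console or provisioning log).
    Raises ValueError on a mismatch so automation stops instead of pinning it.
    """
    accepted = []
    for line in scan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank line, banner comment, or malformed entry
        host, keytype, key_b64 = parts[:3]
        if keytype not in trusted:
            continue  # no trusted fingerprint for this key type: do not pin it
        actual = sha256_fingerprint(key_b64)
        if actual != trusted[keytype]:
            raise ValueError(f"{host} {keytype}: scanned {actual}, trusted {trusted[keytype]}")
        accepted.append(f"{host} {keytype} {key_b64}")
    if not accepted:
        raise ValueError("no scanned key matched a trusted key type")
    return accepted


# Constructed sample data: these blobs are not real keys, only valid base64.
SAMPLE_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
OTHER_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(64)).decode()
SAMPLE_SCAN = (
    "# example-host:22 SSH-2.0-OpenSSH_9.6\n"
    f"example-host ssh-rsa {OTHER_KEY}\n"
    f"example-host ssh-ed25519 {SAMPLE_KEY}\n"
)

if __name__ == "__main__":
    # In practice the trusted value is recorded at rebuild time, not derived from the scan.
    trusted = {"ssh-ed25519": sha256_fingerprint(SAMPLE_KEY)}
    for entry in verified_known_hosts_lines(SAMPLE_SCAN, trusted):
        print(entry)  # lines that are safe to append to ~/.ssh/known_hosts
```

The fingerprint format matches what `ssh-keygen -lf` prints, so the trusted value can be read on the rebuilt host's console and pasted in unchanged.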

Prevention

  • Keep SSH host key changes tied to rebuild procedures and inventory updates
  • Use stable hostnames and explicit inventory SSH settings
  • Test SSH connectivity outside Ansible before debugging playbook logic
  • Avoid permanently disabling host key checking in real environments