SSH key generation vs. warnings

microlinux · June 7, 2025, 6:31am

Hi,

I have an Ansible role to setup the root account on AlmaLinux 9.x. Here’s what the task looks like:

- name: Set password and generate SSH key pair for root
  ansible.builtin.user:
    name: root
    password: >-
      {{root_passwd|
      password_hash('sha512', 65534|
      random(seed=inventory_hostname)|
      string)}}
    generate_ssh_key: true
    ssh_key_bits: 4096

When I run the corresponding playbook the first time, everything is OK and the SSH key pair is generated as expected.

But on subsequent runs, I get the following warning:

TASK [almalinux9_setup_root : Set password and generate SSH key pair for root] ****************************
[WARNING]: Found existing ssh key private file "/root/.ssh/id_rsa", no force, so skipping ssh-keygen
generation
ok: [localhost]

Shouldn’t this be silent and completely green, without a warning? After all, this is the expected behavior. The first run creates the SSH key pair for root, and subsequent runs just ignore SSH key pair creation since it’s already present.

Any suggestions ?

chris · June 7, 2025, 11:08am

Is the password changing each time causing the task to be run each time because force is not set?

microlinux · June 7, 2025, 11:29am

No, it’s not. Password is stored in vars/secret.yml and doesn’t change. I’m puzzled.

felixfontein · June 8, 2025, 12:22pm

Maybe the user module wants to tell you that it doesn’t really check the SSH keys, it only creates them when asked to (when not existing by default, or always if force=true), but it won’t check whether it matches your settings (like ssh_key_bits=4096).

U880D · December 23, 2025, 12:15pm

No, as you already mentioned, that is the expected behavior. You may have a look into the similar question about Module user WARNING:Found existing ssh key here.

I think the only option is to disable in Ansible Configuration Settings the ACTION_WARNINGS

By default, Ansible will issue a WARNING when received from a task action (module or action plugin). These warnings can be silenced by adjusting this setting to False.

by setting in example

grep 'defaults\|warnings' ansible.cfg
[defaults]
deprecation_warnings    = False
action_warnings         = False

and then resulting into an output of

TASK [ansible.builtin.user] ******************
ok: [localhost]

PLAY RECAP ***********************************
localhost                  : ok=1    changed=0

Topic		Replies	Views
Module user WARNING:Found existing ssh key Get Help idempotent	3	18	December 23, 2025
(0.9) slight change to user module Ansible Project	0	4	November 3, 2012
prompt for "SSH pasword" Ansible Project	3	132	June 20, 2016
waits for password when I don't want it to Ansible Project	1	19	January 29, 2020
Create user with ssh key, error deploying key Ansible Project	9	70	May 11, 2020

SSH key generation vs. warnings

Related topics