diff --git a/ansible/roles/junos-switch/tasks/main.yml b/ansible/roles/junos-switch/tasks/main.yml
index 5855de86ea2cb8d6702d7e1d10653324ff197f1e..7c3176d4277f2cc717c4fc40dbdbd8773d67ec3d 100644
--- a/ansible/roles/junos-switch/tasks/main.yml
+++ b/ansible/roles/junos-switch/tasks/main.yml
@@ -2,12 +2,13 @@
 # The NETCONF client ncclient is required. This must be installed on the
 # Ansible control host where the ansible-connection subprocess is executed.
 - name: Ensure python dependencies are installed
+  vars:
+    # NOTE(mgoddard): 0.6.7 includes a fix for host key checking:
+    # https://github.com/ncclient/ncclient/issues/302.
+    ncclient_version: ">=0.6.7,<0.7.0"
   local_action:
     module: pip
-    # NOTE(mgoddard): Restrict ncclient to 0.6.2 or less, due to a bug in host
-    # key checking: https://github.com/ncclient/ncclient/issues/302.
-    # TODO(mgoddard): Remove this restriction when ncclient has been fixed.
-    name: ncclient<=0.6.2
+    name: "ncclient{{ ncclient_version }}"
     virtualenv: "{{ lookup('env', 'VIRTUAL_ENV') | default(omit, true) }}"
   become: "{{ lookup('env', 'VIRTUAL_ENV') == None }}"
   run_once: true