diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
index 355efbaf26e..5b56d2515be 100644
--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
@@ -24,6 +24,7 @@ __metaclass__ = type
 import pipes
 import random
 import re
+import tempfile
 
 from ansible import constants as C
 from ansible.errors import AnsibleError
@@ -199,6 +200,10 @@ class PlayContext(Base):
         self.password    = passwords.get('conn_pass','')
         self.become_pass = passwords.get('become_pass','')
 
+        # A temporary file (opened pre-fork) used by connection
+        # plugins for inter-process locking.
+        self.connection_lockf = tempfile.TemporaryFile()
+
         # set options before play to allow play to override them
         if options:
             self.set_options(options)
@@ -322,6 +327,11 @@ class PlayContext(Base):
 
         return new_info
 
+    def copy(self, exclude_block=False):
+        new_me = super(PlayContext, self).copy()
+        new_me.connection_lockf = self.connection_lockf
+        return new_me
+
     def make_become_cmd(self, cmd, executable=None):
         """ helper function to create privilege escalation commands """
 
diff --git a/lib/ansible/plugins/connections/__init__.py b/lib/ansible/plugins/connections/__init__.py
index 1ad28763817..0e4b3466e51 100644
--- a/lib/ansible/plugins/connections/__init__.py
+++ b/lib/ansible/plugins/connections/__init__.py
@@ -155,3 +155,13 @@ class ConnectionBase(with_metaclass(ABCMeta, object)):
         if incorrect_password in output:
             raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
 
+    def lock_connection(self):
+        f = self._play_context.connection_lockf
+        self._display.vvvv('CONNECTION: pid %d waiting for lock on %d' % (os.getpid(), f.fileno()))
+        fcntl.lockf(f.fileno(), fcntl.LOCK_EX)
+        self._display.vvvv('CONNECTION: pid %d acquired lock on %d' % (os.getpid(), f.fileno()))
+
+    def unlock_connection(self):
+        f = self._play_context.connection_lockf
+        fcntl.lockf(f.fileno(), fcntl.LOCK_UN)
+        self._display.vvvv('CONNECTION: pid %d released lock on %d' % (os.getpid(), f.fileno()))
diff --git a/lib/ansible/plugins/connections/paramiko_ssh.py b/lib/ansible/plugins/connections/paramiko_ssh.py
index df97a6e3a58..214e6b5a03e 100644
--- a/lib/ansible/plugins/connections/paramiko_ssh.py
+++ b/lib/ansible/plugins/connections/paramiko_ssh.py
@@ -71,16 +71,15 @@ class MyAddPolicy(object):
     local L{HostKeys} object, and saving it.  This is used by L{SSHClient}.
     """
 
-    def __init__(self, new_stdin):
+    def __init__(self, new_stdin, connection):
         self._new_stdin = new_stdin
+        self.connection = connection
 
     def missing_host_key(self, client, hostname, key):
 
         if C.HOST_KEY_CHECKING:
 
-            # FIXME: need to fix lock file stuff
-            #fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX)
-            #fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_EX)
+            self.connection.lock_connection()
 
             old_stdin = sys.stdin
             sys.stdin = self._new_stdin
@@ -94,17 +93,11 @@ class MyAddPolicy(object):
             inp = raw_input(AUTHENTICITY_MSG % (hostname, ktype, fingerprint))
             sys.stdin = old_stdin
 
+            self.connection.unlock_connection()
+
             if inp not in ['yes','y','']:
-                # FIXME: lock file stuff
-                #fcntl.flock(self.runner.output_lockfile, fcntl.LOCK_UN)
-                #fcntl.flock(self.runner.process_lockfile, fcntl.LOCK_UN)
                 raise AnsibleError("host connection rejected by user")
 
-            # FIXME: lock file stuff
-            #fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_UN)
-            #fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN)
-
-
         key._added_by_ansible_this_time = True
 
         # existing implementation below:
@@ -159,7 +152,7 @@ class Connection(ConnectionBase):
                 pass # file was not found, but not required to function
             ssh.load_system_host_keys()
 
-        ssh.set_missing_host_key_policy(MyAddPolicy(self._new_stdin))
+        ssh.set_missing_host_key_policy(MyAddPolicy(self._new_stdin, self))
 
         allow_agent = True
 
@@ -365,6 +358,9 @@ class Connection(ConnectionBase):
         if C.HOST_KEY_CHECKING and C.PARAMIKO_RECORD_HOST_KEYS and self._any_keys_added():
 
             # add any new SSH host keys -- warning -- this could be slow
+            # (This doesn't acquire the connection lock because it needs
+            # to exclude only other known_hosts writers, not connections
+            # that are starting up.)
             lockfile = self.keyfile.replace("known_hosts",".known_hosts.lock")
             dirname = os.path.dirname(self.keyfile)
             makedirs_safe(dirname)