I found the necessary info here: http://maven.apache.org/plugins/maven-deploy-plugin/examples/deploy-ssh-external.html

You should be able to specify the path to the private key in the server element in your settings.xml:

The repositories for download and deployment are defined by the repositories and distributionManagement elements of the POM. However, certain settings such as username and password should not be distributed along with the pom.xml. This type of information should exist on the build server in the settings.xml.

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                      http://maven.apache.org/xsd/settings-1.0.0.xsd">
  ...
  <servers>
    <server>
      <id>server001</id>
      <username>my_login</username>
      <password>my_password</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <passphrase>some_passphrase</passphrase>
      <filePermissions>664</filePermissions>
      <directoryPermissions>775</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
  ...
</settings>

• id: This is the ID of the server (not of the user to login as) that matches the id element of the repository/mirror that Maven tries to connect to.
• username, password: These elements appear as a pair denoting the login and password required to authenticate to this server.
• privateKey, passphrase: Like the previous two elements, this pair specifies a path to a private key (default is ${user.home}/.ssh/id_dsa) and a passphrase, if required. The passphrase and password elements may be externalized in the future, but for now they must be set plain-text in the settings.xml file.
• filePermissions, directoryPermissions: When a repository file or directory is created on deployment, these are the permissions to use. The legal values of each is a three digit number corresponding to *nix file permissions, ie. 664, or 775.

Note: If you use a private key to login to the server, make sure you omit the <password> element. Otherwise, the key will be ignored.

Password Encryption

A new feature - server password and passphrase encryption has been added to 2.1.x and 3.0 trunks. See details on this page.

Pay a special attention to the "note": If you use a private key to login to the server, make sure you omit the <password> element. Otherwise, the key will be ignored. So the final configuration will be close to:

<settings>
  ...
  <servers>
    <server>
      <id>ssh-repository</id>
      <username>your username in the remote system</username>
      <privateKey>/path/to/your/private/key</privateKey>
      <passphrase>sUp3rStr0ngP4s5wOrD</passphrase><!-- if required --> 
      <configuration>
        ...
      </configuration>
    </server>
  </servers>
  ...
</settings>

I know this is an old thread, but it looks like the Wagon plugin is reading settings.xml (e.g. username) but not using all of the settings. I could not get it to stop asking for Kerberos username/password during scp. (Looks like there might have been changes to plugin late 2016 that affect this.) Just adding this answer in case it helps someone else.

For me, the solution was even simpler: totally skip using 'settings.xml' and simply specify 'scpexe' instead of 'scp' for protocol (like under distributionManagement section of pom.xml). This then uses your machine's default SSH configuration (unix settings under ~/.ssh).

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>wagon-maven-plugin</artifactId>
  <version>1.0</version>
  <executions>
    <execution>
      <id>upload-to-server</id>
      <phase>deploy</phase>
      <goals><goal>upload-single</goal></goals>
      <configuration>
        <fromFile>file-to-upload</fromfile>
        <url>scpexe://username@serverName/dirname-to-copy-to
        <toFile>file-to-upload</toFile>
      </configuration>
    </execution>
  </executions>
</plugin>