The goal is to bypass the keys offered by gnupg-agent with the following configuration in /etc/ssh/ssh_config:
Host 192.168.*.* 172.16.*.* 172.17.*.* 172.18.*.* 172.19.*.* 172.20.*.* 172.21.*.* 12.0.*.* 4.65.*.* 10.*.*.* *_*
RSAAuthentication yes
HostbasedAuthentication yes
CheckHostIP yes
StrictHostKeyChecking ask
PubkeyAuthentication yes
ControlPersist yes
IdentitiesOnly yes
IdentityFile /root/.ssh/id_rsa_4096_ssh2
IdentityFile /root/.ssh/id_rsa
...
In practice, ssh begins with the second key, id_rsa, instead of id_rsa_4096_ssh2:
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for 172.21.*.*
debug1: /etc/ssh/ssh_config line 72: Skipping Host block because of negated match for 172.21.*.*
debug1: Connecting to 172.21.100.201 [172.21.100.201] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
Authentication failed.
If I comment out id_rsa, it then offers the first key:
IdentitiesOnly yes
IdentityFile /root/.ssh/id_rsa_4096_ssh2
# IdentityFile /root/.ssh/id_rsa
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for 172.21.*.*
...
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa_4096_ssh2
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Authentication succeeded (publickey).
--
Jean-Christophe
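
Added example, not part of the original post: a small shell check that compares the first IdentityFile in a configuration with the first key ssh reports offering in its debug output, using lines copied from the post as sample input. The function names are hypothetical, and the pattern assumes the "Offering RSA public key: PATH" debug format shown in the post.

```shell
#!/bin/sh
# Added diagnostic sketch; all function names are hypothetical.

# stdin: ssh_config text (only the Host block of interest).
# Prints IdentityFile paths in file order; commented-out lines are skipped.
configured_order() {
    awk 'tolower($1) == "identityfile" { print $2 }'
}

# stdin: `ssh -v` debug output.
# Prints key paths in the order ssh offered them. Assumes the
# "debug1: Offering <TYPE> public key: PATH" form shown in the post.
offered_order() {
    sed -n 's/^debug1: Offering [A-Za-z0-9-]* public key: \(.*\)$/\1/p'
}

# $1 = config file, $2 = debug log file.
# Prints "match" or "mismatch: configured=X offered=Y" for the first key.
check_first_key() {
    want=$(configured_order < "$1" | head -n 1)
    got=$(offered_order < "$2" | head -n 1)
    if [ "$want" = "$got" ]; then
        echo "match"
    else
        echo "mismatch: configured=$want offered=$got"
    fi
}

# Sample input: lines copied from the post's first configuration and log.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'IdentitiesOnly yes' \
        'IdentityFile /root/.ssh/id_rsa_4096_ssh2' \
        'IdentityFile /root/.ssh/id_rsa' > "$dir/config"
    printf '%s\n' \
        'debug1: Next authentication method: publickey' \
        'debug1: Offering RSA public key: /root/.ssh/id_rsa' \
        'debug1: Server accepts key: pkalg ssh-rsa blen 279' > "$dir/log"
    check_first_key "$dir/config" "$dir/log"
    rm -rf "$dir"
}

demo
```

On a live system, the effective configuration printed by `ssh -G <host>` can be piped into `configured_order` and the stderr of `ssh -v` into `offered_order`.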