As part of my internship at Savoir-faire Linux I had to configure an SSH server for Kerberos authentication, and to make sure I would log in with my Kerberos password and not my server's local account, I wanted to disable password authentication altogether.
The first option that comes to mind is PasswordAuthentication, defined in RFC 4252 section 8. It enables an authentication method in which the client prompts the user for a password and then sends it to the server. This is what the sshd_config file comments describe as a 'tunneled clear text password'. If you connect to the server with the -v flag, this shows up as the "password" method.
However, if you disable this option you may find that password authentication still works. This is where the option ChallengeResponseAuthentication, defined in RFC 4256 (yes, I looked up the RFC; the manuals weren't clear about these options), comes into play. ChallengeResponseAuthentication enables an authentication method in which the server sends a challenge to the client, together with its associated instructions and prompts, which the user usually answers interactively at the keyboard. ChallengeResponseAuthentication does nothing if sshd has no challenge to propose to the client, and the challenges aren't defined in sshd itself: they come from PAM modules or other authentication schemes that may be enabled. In the -v output this is the "keyboard-interactive" method.
On most distros, the default PAM configuration checks the supplied password against the local account database.
So to disable password authentication, set PasswordAuthentication to no AND either ChallengeResponseAuthentication or UsePAM to no. Alternatively you could change the default PAM settings, but that is trickier and riskier if you don't already know PAM.
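To make the interaction between the three options concrete, here is a small POSIX sh/awk checker I am adding as an example (it is not part of the original post and not OpenSSH code). It reads sshd_config-style text, works out the effective value of each keyword the way sshd does (first occurrence wins, keywords are case-insensitive, the Key=value spelling is accepted, and anything after a Match line is conditional and therefore ignored), and then reports whether a password can still be used to log in via either the "password" method or the PAM-backed "keyboard-interactive" method. The three config snippets are constructed for illustration; the defaults baked into the script are the upstream sshd_config(5) defaults, and the script also recognises KbdInteractiveAuthentication, the name OpenSSH 8.7 gave ChallengeResponseAuthentication (the old name remains an alias).

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH.
# Decides whether a password login can still succeed, following the two
# methods discussed above:
#   "password"             <- PasswordAuthentication yes
#   "keyboard-interactive" <- ChallengeResponseAuthentication yes AND (on Linux)
#                             UsePAM yes, because PAM supplies the challenge
# Defaults below are the upstream sshd_config(5) defaults. Most distro packages
# ship UsePAM yes, which is why keyboard-interactive keeps working.

# effective_value CONFIG_TEXT KEYWORDS DEFAULT
# KEYWORDS is a '|'-separated list of spellings treated as one option
# (ChallengeResponseAuthentication became an alias of KbdInteractiveAuthentication
# in OpenSSH 8.7). sshd honours the FIRST occurrence of a keyword, keyword
# matching is case-insensitive, "Key value" and "Key=value" are both accepted,
# and settings after a "Match" line are conditional, so only the global
# section is consulted.
effective_value() {
    printf '%s\n' "$1" | awk -v keys="$2" -v def="$3" '
        BEGIN { keys = "|" tolower(keys) "|" }
        { sub(/^[[:space:]]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, "[[:space:]=]+"); k = tolower(f[1]) }
        k == "match" { exit }
        index(keys, "|" k "|") { print tolower(f[2]); found = 1; exit }
        END { if (!found) print tolower(def) }'
}

# password_login_possible CONFIG_TEXT -> exit status 0 if a password login can succeed
password_login_possible() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" "ChallengeResponseAuthentication|KbdInteractiveAuthentication" yes)
    pam=$(effective_value "$1" UsePAM no)
    [ "$pw" = yes ] && return 0
    [ "$kbd" = yes ] && [ "$pam" = yes ] && return 0
    return 1
}

# Constructed sample configs. The first is the common mistake: only the
# "password" method is off, and PAM still answers keyboard-interactive prompts.
WEAK_CONFIG='
# typical distro sshd_config after "disabling" passwords
PasswordAuthentication no
UsePAM yes
'
# Both methods off: the combination recommended above.
FIXED_CONFIG='
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
'
# Equivalent alternative: keep challenge-response but remove PAM's challenges.
NOPAM_CONFIG='
PasswordAuthentication no
UsePAM no
'

# verdict CONFIG_TEXT -> prints one line summarising the result
verdict() {
    if password_login_possible "$1"; then
        echo "password login STILL POSSIBLE"
    else
        echo "password login disabled"
    fi
}

verdict "$WEAK_CONFIG"
verdict "$FIXED_CONFIG"
verdict "$NOPAM_CONFIG"
```

On a real host, the text to feed `password_login_possible` is the output of `sshd -T`, which prints the effective configuration with lowercase keywords (the case-insensitive match handles that); checking that output rather than the file is what catches a setting overridden by an earlier line or by a drop-in config.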