When installing openssh-portable (7.1.p1_2,1), the following
advice is displayed:
Users are encouraged to create single-purpose users with ssh keys, disable
Password auth with 'PasswordAuthentication no' and define very narrow sudo
privileges instead of using root for automated tasks.
which is half-true / misleading.
Actually it is necessary to also set:
otherwise the PAM mechanism will still allow authentication
through a password if authentication with a key fails,
leaving a host open to password-guessing attacks.
Good catch. I had that in my local setup as well. I've updated the message.
A commit references this bug:
Date: Wed Nov 11 18:04:41 UTC 2015
New revision: 401289
Update advice to disable ChallengeResponseAuthentication for key usage.
Reported by: Mark.Martinec@ijs.si
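As an added illustration (not part of the bug report or the port's code), the shell audit below reads an sshd_config and reports whether the password path is really closed, i.e. whether PasswordAuthentication and the ChallengeResponseAuthentication directive named in the commit are both set to no. The two sample configs are constructed here; the first follows the original package message literally and is flagged as still open.

```sh
#!/bin/sh
# Added audit helper (not from the bug report): checks an sshd_config for the
# two directives the report discusses. sshd takes the FIRST value given for a
# keyword, keywords are case-insensitive, and "Key value" / "Key=value" are
# both accepted. Only the global section is inspected; anything after the
# first "Match" line is ignored (a deliberate simplification).

# sshd_effective KEYWORD FILE -> prints the global value, lowercased, or "default"
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }                      # comments and blank lines
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }                      # end of the global section
        k == key { print tolower(f[2]); found = 1; exit }   # first value wins
        END { if (!found) print "default" }
    ' "$2"
}

# password_auth_closed FILE -> exit 0 only if BOTH password paths are shut.
# Both directives default to "yes", so leaving one unset still lets PAM offer
# a keyboard-interactive password prompt after a key authentication fails.
password_auth_closed() {
    pw=$(sshd_effective PasswordAuthentication "$1")
    cr=$(sshd_effective ChallengeResponseAuthentication "$1")
    [ "$pw" = "no" ] && [ "$cr" = "no" ]
}

# Constructed samples, not real host configs.
SAMPLE_OPEN=$(mktemp); SAMPLE_CLOSED=$(mktemp)
trap 'rm -f "$SAMPLE_OPEN" "$SAMPLE_CLOSED"' EXIT
cat >"$SAMPLE_OPEN" <<'EOF'
# follows the original package message literally: looks like keys only
PasswordAuthentication no
UsePAM yes
EOF
cat >"$SAMPLE_CLOSED" <<'EOF'
PasswordAuthentication no
  ChallengeResponseAuthentication=no
UsePAM yes
# a later duplicate is ignored by sshd: the first value above wins
PasswordAuthentication yes
EOF

for f in "$SAMPLE_OPEN" "$SAMPLE_CLOSED"; do
    if password_auth_closed "$f"; then echo "$f: password authentication closed"
    else echo "$f: password prompt still reachable via PAM"; fi
done
```

On OpenSSH 8.7 and later the same directive is spelled KbdInteractiveAuthentication; extend the check with that keyword when auditing newer hosts.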