Please note that the PasswordAuthentication setting does not control ALL password-based authentication. ChallengeResponseAuthentication usually also asks for passwords.
PasswordAuthentication controls support for the 'password' authentication scheme defined in RFC-4252 (section 8). ChallengeResponseAuthentication controls support for the 'keyboard-interactive' authentication scheme defined in RFC-4256. The 'keyboard-interactive' authentication scheme could, in theory, ask a user any number of multi-faceted questions. In practice it often asks only for the user's password.
If you want to fully disable password-based authentication, set BOTH PasswordAuthentication and ChallengeResponseAuthentication to 'no'. If you're of the belt-and-suspenders mindset, consider setting UsePAM to 'no' as well.
Public/Private Key-based authentication (enabled by the PubkeyAuthentication setting) is a separate type of authentication that does not involve sending user passwords to the server, of course.
Some would argue that using ChallengeResponseAuthentication is more secure than PasswordAuthentication because it is more difficult to automate. They therefore recommend leaving PasswordAuthentication disabled while leaving ChallengeResponseAuthentication enabled. This configuration also encourages (but does not necessarily prevent) use of publickey authentication for any automated system logins. But, since SSH is a network-based protocol, the server has no way to guarantee that responses to ChallengeResponseAuthentication (a.k.a. 'keyboard-interactive') are actually being provided by a user sitting at a keyboard so long as the challenge(s) always and only consists of asking a user for her password.
okay so for authorized_key2 only: (1) comment out the AuthorizedKeysFile (2) PasswordAuthentication no (3) PubkeyAuthentication yes (4) ChallengeResponseAuthentication no (5) test it ... if it still accepts passwords, also add UsePam no – YumYumYum – 2014-07-01T08:09:14.377
Use these settings: http://fpaste.org/114544/04202660/ to allow SSH login only via ~/.ssh/authorized_keys2 but not with username/password – YumYumYum – 2014-07-01T08:22:19.300
And what's the DEFAULT value of it? I mean, what if I don't specify any "PasswordAuthentication"? – Riccardo SCE – 2014-08-14T10:14:25.717
@TSERiccardo: Nobody answered your question? It's a shame, blame SO! – Timo – 2018-01-17T17:14:47.413
Nope nobody did :P – Riccardo SCE – 2018-01-18T12:33:21.997
@RiccardoSCE According to the sshd_config man page, the default for PasswordAuthentication is 'yes'. – Starfish – 2019-03-01T17:27:52.860
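
The check below is an added example, not code from the answer or any commenter: it reads sshd_config text and reports which password-capable methods are still enabled, combining the answer's point that both settings must be 'no' with the default noted in the last comment. It assumes upstream OpenSSH defaults, treats ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication (as newer OpenSSH releases do), and reads only the global section; the function names and sample configs are constructed for illustration.

```python
# Added example: which password-capable SSH auth methods does a config leave on?
# Assumptions: global section only (stops at the first Match block), Include
# files are not followed, and upstream OpenSSH defaults apply (distros may differ).

DEFAULTS = {
    "passwordauthentication": "yes",        # default per the sshd_config man page
    "kbdinteractiveauthentication": "yes",  # upstream default (assumption for your distro)
    "pubkeyauthentication": "yes",
}
# Newer OpenSSH keeps ChallengeResponseAuthentication as a deprecated alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the effective value of each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Keyword=value" is also accepted.
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks need per-connection evaluation
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen:  # sshd keeps the first value it reads
            seen[key] = parts[1].strip('"').lower()
    return {**DEFAULTS, **seen}


def password_methods_enabled(config_text):
    """List the RFC 4252 / RFC 4256 methods that can still prompt for a password."""
    s = effective_settings(config_text)
    methods = []
    if s["passwordauthentication"] == "yes":
        methods.append("password")
    if s["kbdinteractiveauthentication"] == "yes":
        methods.append("keyboard-interactive")
    return methods


# Constructed sample configs.
ONLY_PASSWORD_OFF = "PasswordAuthentication no\nPubkeyAuthentication yes\n"
BOTH_OFF = "passwordauthentication no\nChallengeResponseAuthentication=no\n"

if __name__ == "__main__":
    print(password_methods_enabled(ONLY_PASSWORD_OFF))
    print(password_methods_enabled(BOTH_OFF))
```

On a live host, `sshd -T` prints the effective configuration including Include files, so prefer its output as input where available.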