My plan is to allow pub key everywhere, but also allow passwords internally. Why don't you recommend this? – Jarvin – 2011-12-18T20:35:26.723

The private key is kept on the user's box and is not copied, transmitted or accessible to the outside through the SSH protocols. With password authentication, the password is transmitted (through an encrypted channel, yes). Also, with pubkey plus ssh agents, password/passphrases are entered once per session, which means less chance of mistyping passwords. Assuming that you trust the credentials on your local network, then Pubkey could be considered sufficient authentication. I also use pubkey authentication (with command="" in authorized_keys) to audit who is signs into shared accounts. – Arcege – 2011-12-18T21:42:15.220

@Arcege, I think you misunderstood the restrictions required — it should be "Password no, Pubkey yes" for connections from outside. – user1686 – 2011-12-18T23:33:37.147

No, I just mistyped.. get that with two 5yos running around.. my apologies. Also need Host added to the Match line. – Arcege – 2011-12-18T23:37:31.683

@Dan: A reasons for not allowing password-based authentication internally would be that it provides a mechanism for intruders to guess passwords by brute-force or dictionary attack. Your premises are not only used by trusted employees but by temporary cleaning staff, workmen and other visitors. If one existing machine catches a virus (or a visitor's laptop/tablet/phone has a trojan) that malware is now in an environment with weaker security and has an easier task of breaking into other computers. – RedGrittyBrick – 2011-12-19T09:43:41.677