On most machines I've used thus far, I've always gone into /etc/ssh/sshd_config to set "PasswordAuthentication no". In gentoo, to my surprise, this didn't turn out to be enough, leading my server to be open with a weak password for the better part of a year.

I don't appear to be the only one who's confused; the gentoo wiki[1] only lists the same PasswordAuthentication key. Asking around on the #gentoo IRC, I heard a handful of different solutions, including setting "AuthenticationMethod publickey" (not listed in the config template), setting "KbdInteractiveAuthentication no", and removing 9999999gentoo-pam.conf. Messing around myself, setting USE=-pam without changing any other setting also works. Googling around for blog posts and wikis also leads to wildly different answers.

Anecdotally, I checked one of my debian machines, and it has "KbdInteractiveAuthentication no" set by default. On my one slackware machine, "UsePAM no" (the upstream default) is set instead. In both cases, simply changing the "PasswordAuthentication" key yields the behavior I expect.

It's not clear to me which of these settings is the "sane" or "recommended" one, but what strikes me about this is that the behavior and interaction of the different settings seems to be confusing to everyone, to the point that it's quite easy to misconfigure the machine, even when the intent ("PasswordAuthentication no") seems clear.

I'd like to lower this friction and confusion. I believe one should be able to go into sshd_config and make out how to disable password authentication with the comments in that file alone. To that end, I believe the comment near PasswordAuthentication serves its purpose, and I think using debian's default, or a different method, to make sure that the key is actually honored would be favorable for the security of gentoo machines.

[1]: https://wiki.gentoo.org/wiki/SSH#Server
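The interaction the report describes, as an added shell check that is not part of the original report and not Gentoo's or OpenSSH's own code: it reads a sshd_config, resolves the effective values of PasswordAuthentication, KbdInteractiveAuthentication (or its older ChallengeResponseAuthentication spelling), UsePAM and AuthenticationMethods, and reports whether a password can still be accepted. It assumes the upstream defaults (PasswordAuthentication yes, KbdInteractiveAuthentication yes, UsePAM no, AuthenticationMethods any), only looks at the global section before the first Match block, and only understands the "Keyword value" syntax, not "Keyword=value". The sample configs in the usage are constructed. On a live host, `sshd -T` prints the effective configuration and is the authoritative thing to compare against.

```shell
#!/bin/sh
# Added example: audit a sshd_config for the PasswordAuthentication / PAM trap.
# Assumed upstream defaults are passed as the third argument of sshd_opt.

# Print the effective value of a keyword: the first uncommented occurrence
# before any Match block wins (sshd keeps the first value it reads), or the
# supplied default when the keyword is absent. Values are lower-cased.
sshd_opt() {
    _file=$1; _key=$2; _default=$3
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }          # global section only
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$_file")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# Return 0 when password-based logins are effectively disabled, 1 otherwise,
# printing the reason either way.
password_auth_disabled() {
    _f=$1
    _pw=$(sshd_opt "$_f" PasswordAuthentication yes)
    _crا=$(sshd_opt "$_f" ChallengeResponseAuthentication yes)
    _kbd=$(sshd_opt "$_f" KbdInteractiveAuthentication "$_crا")
    _pam=$(sshd_opt "$_f" UsePAM no)
    _methods=$(sshd_opt "$_f" AuthenticationMethods any)

    # An explicit AuthenticationMethods list that never mentions a password
    # based method shuts the door regardless of the other keywords.
    case "$_methods" in
        any|*password*|*keyboard-interactive*) ;;
        *) echo "ok: AuthenticationMethods=$_methods excludes password and keyboard-interactive"; return 0 ;;
    esac

    if [ "$_pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$_pw'"
        return 1
    fi
    # This is the case from the report: the password prompt comes back through
    # PAM over the keyboard-interactive method, so "PasswordAuthentication no"
    # alone is not enough when PAM is in use.
    if [ "$_pam" = "yes" ] && [ "$_kbd" != "no" ]; then
        echo "FAIL: PasswordAuthentication no, but UsePAM yes and KbdInteractiveAuthentication $_kbd: PAM can still ask for the password"
        return 1
    fi
    echo "ok: no password-based method can succeed"
    return 0
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    password_auth_disabled "$1"
fi
```

The check deliberately mirrors the three working fixes named in the thread: Debian's "KbdInteractiveAuthentication no", Slackware's "UsePAM no", and an explicit "AuthenticationMethods publickey" each make the function report ok, while a Gentoo-style file with only "PasswordAuthentication no" and "UsePAM yes" is flagged.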
I confirm this behaviour for as long as I remember, which is years.