SSHD keeps asking for user password even though it was configured with publickey,keyboard-interactive

I'm trying to configure sshd on a VPS instance, and would like to have an authentication witch is publickey,keyboard-interactive (public key AND keyboard-interactive).

The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted. It should only ask for the 2FA code. I am able to login using publickey, serveruser password and 2FA code.

I have two other similar setups that work great but I remember having trouble setting those up, like using black magic in bizarre configuration files.

I spent countless hours trying to configure sshd this way on other hosts and now I don't seem to achieve it.

I also tried to compare client and server logs on a working setup and this one but the logs are the same! (Except with IPs, ports and fingerprints)

SSH client log : https://pastebin.com/P1xsKTwm

Server's /etc/ssh/sshd_config : https://pastebin.com/qSH7GAmR

Server's /etc/pam.d/sshd : https://pastebin.com/YBKY91Rk

(sshd was restarted using sudo systemctl restart sshd.service)

EDIT : keyboard-interactive is not only for 2FA

Read the comments in mforsetti's answer below, I did not understood that keyboard-interactive was not for 2FA only.

The trick was to edit /etc/pam.d/sshd file to disable password authentication (explained in mforsetti's post and comments below)


The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted.

well, you specifically asked for it.

AuthenticationMethods publickey,keyboard-interactive

Quoting sshd_config manual,

AuthenticationMethods

Specifies the authentication methods that must be successfully completed for a user to be granted access. ... by the single string any to indicate the default behaviour of accepting any single authentication method ...

... For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. ...

So, adding AuthenticationMethods publickey,keyboard-interactive to your sshd_config, means you expect to have publickey authentication completed first, then keyboard-interactive authentication completed next.

If you expect to only authenticate with publickey, probably change

AuthenticationMethods publickey,keyboard-interactive

to

AuthenticationMethods publickey

or, if you enable any other authentication methods and expect any single successful authentication method as an OK, you may use

AuthenticationMethods any

I want to authenticate both with public key and 2FA

You may want to disable common-auth from PAM configs, as in most Linux/Unix distributions, common-auth includes pam-unix.so or pam-unix2.so which requires account password.