Combination of SSH key auth, and two-factor authentication
Recent versions of openssh include the AuthenticationMethods option:
Debian backported openssh-6.2 a while back, so I expect this to be available in Raspbian as well.
Specifies the authentication methods that must be successfully completed for a user to be granted access.
You can have the main block of your sshd_config with ChallengeResponseAuthentication enabled:
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
and then use AuthenticationMethods in your Match blocks (use Group matching instead of User matching to ease scalability):
Match Group personal
    AuthenticationMethods publickey
Match Group peon
    PasswordAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
Additionally, you can use pam_succeed_if(8) to trigger the two-factor-authentication only if a matching group requires it:
auth required pam_succeed_if.so quiet user ingroup peon
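
An added example, not part of the answer above: a small Python audit that resolves which AuthenticationMethods a user in given groups ends up with under the configuration shown, and checks whether both factors are really required. It is a simplified model of sshd's resolution rules (assumptions: only "Match Group <exact names>" and "Match all" are handled, no patterns or negation); the function names are hypothetical.

```python
# Added example: simplified model of how sshd resolves Match blocks (not OpenSSH code).
# SAMPLE_CONFIG is the configuration from the answer above.
SAMPLE_CONFIG = """\
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match Group personal
    AuthenticationMethods publickey
Match Group peon
    PasswordAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
"""

def effective(config, groups):
    """Resolve keywords for a user in `groups`: values from matching Match
    blocks override global ones, and the first matching value wins."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        key = key.lower()
        if key == "match":
            crit = value.split()
            if len(crit) == 1 and crit[0].lower() == "all":
                active = True
            elif len(crit) == 2 and crit[0].lower() == "group":
                active = bool(set(crit[1].split(",")) & set(groups))
            else:
                raise ValueError("unsupported Match line: " + line)
            target = match_opts
        elif active:
            target.setdefault(key, value.strip())
    return {**global_opts, **match_opts}

def method_lists(opts):
    """AuthenticationMethods holds space-separated lists of comma-separated
    methods; completing ANY one list grants access. Unset means 'any'."""
    raw = opts.get("authenticationmethods", "any")
    return [[m.split(":")[0] for m in lst.split(",")] for lst in raw.split()]

def enforces(opts, *required):
    """True only if every acceptable list contains all required methods."""
    return all(set(required) <= set(lst) for lst in method_lists(opts))
```

A user who belongs to both groups gets the value from the first matching block (personal), so key-only login applies to them. On a live host, sshd -T -C user=NAME prints the configuration sshd itself resolves for that user.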