Best way to restrict some SSH users to publickey authentication only (disable password authentication)
There's a nice summary of the difference between ChallengeResponseAuthentication and KbdInteractiveAuthentication at http://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html - the summary is that ChallengeResponse often ends up just asking for a password (but insists on it being supplied interactively).

KbdInteractiveAuthentication and ChallengeResponseAuthentication are different things. It's just that ChallengeResponseAuthentication can end up just prompting for a password in simple cases.

ChallengeResponseAuthentication is a global setting and can't be specified within a Match clause - see the sshd_config man page for details.

Explicitly specifying AuthenticationMethods publickey for the git user should work fine and is better than disabling the ones you don't want (as the list could change).

The gssapi options come into play if you're working in a Kerberos environment (such as an Active Directory domain).
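To see how the Match-based approach from this answer behaves, here is an added example (not part of the answer, and not OpenSSH's own code) that parses a small sshd_config, applies the two rules a Match block follows (a satisfied Match overrides the global section, and when several satisfied blocks set the same keyword only the first instance applies) and reports the effective settings for a given user. It also refuses keywords that sshd only accepts in the global section, which is the trap the answer warns about with ChallengeResponseAuthentication. The sample config, the short GLOBAL_ONLY list and the User/Group-only matching are constructed assumptions for the example; the real keyword lists and criteria are in sshd_config(5).

```python
"""Compute the effective sshd_config options for a user, Match blocks included.

Added example, not code from the answer or from OpenSSH. It models two rules
from sshd_config(5): options in a satisfied Match block override the global
section, and when several satisfied Match blocks set the same keyword only the
first instance is applied. Only the User and Group criteria are modelled.
"""
from fnmatch import fnmatch

# Keywords sshd accepts only in the global section (partial, hand-picked list).
GLOBAL_ONLY = {"port", "listenaddress", "challengeresponseauthentication"}

# Constructed sample in the spirit of the question: key-only auth for "git",
# passwords for everyone else. The second Match block for git is deliberately
# shadowed by the first one to show the "first instance wins" rule.
SAMPLE_CONFIG = """
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes

Match User git
    AuthenticationMethods publickey
    PasswordAuthentication no

Match User git,deploy*
    AuthenticationMethods password
    PasswordAuthentication yes
"""

# Constructed config that breaks the rule the answer describes.
BAD_CONFIG = """
Match User git
    ChallengeResponseAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks, errors).

    match_blocks is a list of (criteria, options) in file order; criteria maps
    a lowercased criterion name ("user", "group") to its list of patterns.
    Keyword/value separation by whitespace only (the '=' form is not handled).
    """
    global_opts, blocks, errors = {}, [], []
    current = global_opts
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            # "Match All" yields no pairs, so an empty criteria dict = match everyone
            criteria = {n.lower(): p.split(",") for n, p in zip(tokens[::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
            continue
        if current is not global_opts and keyword in GLOBAL_ONLY:
            errors.append(f"line {lineno}: {keyword} is not permitted inside a Match block")
            continue
        current.setdefault(keyword, value)  # first occurrence within a section wins
    return global_opts, blocks, errors


def block_applies(criteria, user, groups=()):
    """True when every criterion on the Match line is satisfied (User/Group only)."""
    for name, patterns in criteria.items():
        if name == "user":
            if not any(fnmatch(user, p) for p in patterns):
                return False
        elif name == "group":
            if not any(fnmatch(g, p) for g in groups for p in patterns):
                return False
        else:
            return False  # Address/Host/LocalPort etc. are not modelled here
    return True


def effective_options(text, user, groups=()):
    """Merge global options with every satisfied Match block, sshd-style."""
    global_opts, blocks, errors = parse_sshd_config(text)
    if errors:
        raise ValueError("; ".join(errors))
    merged = {}
    for criteria, opts in blocks:
        if block_applies(criteria, user, groups):
            for keyword, value in opts.items():
                merged.setdefault(keyword, value)  # earlier Match block wins
    for keyword, value in global_opts.items():
        merged.setdefault(keyword, value)  # Match values override globals
    return merged


if __name__ == "__main__":
    for name in ("git", "deploy1", "alice"):
        opts = effective_options(SAMPLE_CONFIG, name)
        print(name, opts.get("authenticationmethods", "<any>"), opts["passwordauthentication"])
    print(parse_sshd_config(BAD_CONFIG)[2])
```

Running it shows git limited to publickey with PasswordAuthentication no, deploy1 taking the second block's values, alice keeping the global password setting, and BAD_CONFIG rejected before any merging happens. The same check is what `sshd -t` does for real; the point of the script is to make the precedence rules visible without restarting a daemon.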
It's not entirely clear to me if there is any difference, but at the very least, ChallengeResponseAuthentication seems to require KbdInteractiveAuthentication; it is automatically turned on if Challenge-Response is enabled.
I get the feeling from reading it that they came up with Challenge-Response during the SSH1 era. It was standardized as keyboard-interactive with SSH2, but they didn't immediately change the server config file, to enable old configs to continue to work.
I found the following in the openssh-portable source (as of 20181214).
sshd.c starting at line 1685:

    /* challenge-response is implemented via keyboard interactive */
    if (options.challenge_response_authentication)
        options.kbd_interactive_authentication = 1;

sshconnect2.c starting at line 375:

    if (options.challenge_response_authentication)
        options.kbd_interactive_authentication = 1;