Given the increase in scripted attacks to guess ssh passwords, I decided to disable passwords altogether, and move to public key authentication.
I edited /etc/sshd_config as follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
That worked fine until one day, I tried logging into a Tiger machine from an account which lacked the required public key, and discovered I could still get in with just a password. It seems 10.4 has added another flag to disable:
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM no
What is curious about UsePAM is that in the comment it says that no is the default, so it should not have been necessary to uncomment it. Yet, in my own experience, I had to explicitly disable it to prevent password authentication. Note: don't forget to restart your Remote Login after saving the changes.
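As an added check (this is example code written for this page, not part of the hint), the script below audits an sshd_config the way the hint's experience suggests you should: it reports the first uncommented value of each password-related directive (sshd honours the first occurrence) and treats any directive that is not explicitly "no" as a gap, because the hint shows that relying on the apparent default for UsePAM is what let password logins through. Checking ChallengeResponseAuthentication alongside PasswordAuthentication and UsePAM is an assumption added here; the two sample config files are constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example (not from the original hint): audit an sshd_config for the
# directives that together control password logins on a 10.4 sshd.
# sshd uses the FIRST uncommented occurrence of a directive, so that is what
# effective_value reports; directive names are matched case-insensitively.

# Print the effective value of one directive, or "unset" if it never appears
# outside a comment.
effective_value() {
    _file=$1; _key=$2
    awk -v key="$_key" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$_file"
}

# Return 0 only if password-based logins are shut off in every way the hint
# describes: PasswordAuthentication no, plus UsePAM no (the PAM/challenge-
# response route that bypassed it). ChallengeResponseAuthentication is checked
# too, as an assumption that it should also be explicitly "no". An "unset"
# directive counts as a failure, since the hint shows defaults cannot be
# trusted.
audit_sshd_config() {
    _file=$1; _rc=0
    for _key in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        _val=$(effective_value "$_file" "$_key")
        if [ "$_val" != "no" ]; then
            echo "WARN: $_key is '$_val' (expected 'no') in $_file"
            _rc=1
        fi
    done
    [ "$_rc" -eq 0 ] && echo "OK: password logins disabled in $_file"
    return "$_rc"
}

# Constructed sample configs (hypothetical contents, not from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before" <<'EOF'
# State after only the first edit from the hint: UsePAM still commented out
PasswordAuthentication no
#PermitEmptyPasswords no
#UsePAM no
EOF
cat > "$SAMPLE_DIR/after" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF

audit_sshd_config "$SAMPLE_DIR/before" || true   # reports the UsePAM gap
audit_sshd_config "$SAMPLE_DIR/after"            # reports OK
```

Run it against your real file with `audit_sshd_config /etc/sshd_config` after sourcing the script; the "before" sample reproduces the situation in the hint, where PasswordAuthentication is off but the PAM route is still open.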
[robg adds: This earlier hint (and some great associated comments) covered disabling password-based ssh access, also in light of the number of brute force attacks being seen. Interestingly, I hadn't yet redone this hint for 10.4, so I checked the log files today. My machine is still getting pounded by scripted attacks; literally hundreds per hour ... looks like it's time to re-enable the protections from these hints and comments!]