Given the increase in scripted attacks to guess ssh passwords, I decided to disable passwords altogether, and move to public key authentication.
I edited /etc/sshd_config as follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
That worked fine until one day I tried logging into a Tiger machine from an account that lacked the required public key and discovered I could still get in with just a password. It seems 10.4 has added another flag to disable:
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM no
What is curious about UsePAM is that in the comment it says that no is the default, so it should not have been necessary to uncomment it. Yet, in my own experience, I had to explicitly disable it to prevent password authentication. Note: don't forget to restart your Remote Login after saving the changes.
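A small audit script, added here and not part of the original hint, that reads a copy of sshd_config and reports whether a password login is still possible after the edits above. It assumes the upstream OpenSSH rules for absent directives (PasswordAuthentication defaults to yes, UsePAM to no, ChallengeResponseAuthentication to yes, and the first occurrence of a directive wins) and that keyboard-interactive challenge-response is the path through which PAM can still prompt for a password.

```shell
#!/bin/sh
# Added example (not from the original hint): decide whether a given
# sshd_config still lets sshd accept a password. Defaults assumed here are
# the upstream OpenSSH ones; a vendor build may ship different ones.

# effective_value FILE DIRECTIVE DEFAULT
# Prints the first uncommented value of DIRECTIVE in FILE, else DEFAULT.
# Commented lines start with '#', so "#UsePAM no" never matches "UsePAM".
effective_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# password_login_possible FILE
# Prints "yes" if a password can still authenticate, either through the plain
# password method or through PAM's keyboard-interactive prompt, else "no".
password_login_possible() {
    file=$1
    pw=$(effective_value "$file" PasswordAuthentication yes)
    pam=$(effective_value "$file" UsePAM no)
    cr=$(effective_value "$file" ChallengeResponseAuthentication yes)
    if [ "$pw" = yes ]; then
        echo yes
    elif [ "$pam" = yes ] && [ "$cr" = yes ]; then
        echo yes    # PAM challenge-response still asks for the account password
    else
        echo no
    fi
}

# Constructed sample configs mirroring the hint's before/after states.
CFG_DIR=$(mktemp -d)
CFG_BEFORE="$CFG_DIR/before.conf"; CFG_AFTER="$CFG_DIR/after.conf"; CFG_NO_CR="$CFG_DIR/no_cr.conf"
printf 'PasswordAuthentication no\n#PermitEmptyPasswords no\nUsePAM yes\n' > "$CFG_BEFORE"
printf 'PasswordAuthentication no\n#PermitEmptyPasswords no\nUsePAM no\n' > "$CFG_AFTER"
printf 'PasswordAuthentication no\nUsePAM yes\nChallengeResponseAuthentication no\n' > "$CFG_NO_CR"

echo "before: $(password_login_possible "$CFG_BEFORE")"   # yes
echo "after:  $(password_login_possible "$CFG_AFTER")"    # no
echo "no_cr:  $(password_login_possible "$CFG_NO_CR")"    # no
```

Run it against a copy of your own /etc/sshd_config (replace the constructed files) to confirm the effective setting rather than trusting a single directive.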
Mac OS X Hints
http://hints.macworld.com/article.php?story=20050815135941513