ssh: disable KbdInteractiveAuthentication by only allowing PubkeyAuthentication

modules/ssh-server.nix

@@ -18,10 +18,22 @@
     # Enabling this is required for commands such as sftp and sshfs.
     allowSFTP = false;
 
-    settings = {
+    # Only authentication method should be public key.
-      # Use authorized keys only.
+    #
-      PasswordAuthentication = false;
+    # https://man.archlinux.org/man/core/openssh/sshd_config.5.en#AuthenticationMethods
+    # - We change the default of AuthenticationMethods from `any` to `publickey`.
+    # - Furthermore, we explicitly PubkeyAuthentication to its default value `yes`.
+    #
+    # https://nixos.wiki/wiki/SSH_public_key_authentication#SSH_server_config
+    # Alternatively we could use
+    #   settings.PasswordAuthentication = false;
+    #   settings.KbdInteractiveAuthentication = false;
+    extraConfig = ''
+      AuthenticationMethods publickey
+      PubkeyAuthentication yes
+    '';
 
+    settings = {
       #
       # https://infosec.mozilla.org/guidelines/openssh
       #