I think this is basically a dup of bug 109846. A missing ChallengeResponseAuthentication defaults to "yes", which causes a bypass of the PasswordAuthentication setting. -- Kees Cook @debian.org