- UsePAM yes
- ChallengeResponseAuthentication yes
- PasswordAuthentication no
I discovered this because I noticed the difference of the log entry written to /var/log/secure.log when someone tries the brute force attack, and when I typed in the password incorrectly. If I tried the wrong password, the log looks like this:
Apr 6 20:00:51 kawazu sshd: Failed keyboard-interactive/pam for invalid user oracle from 22.214.171.124 port 54021 ssh2
But when a bot does it, the log looks like this:
Apr 6 18:14:11 kawazu sshd: Failed password for invalid user oracle from 126.96.36.199 port 54865 ssh2
This is an indication that a scriptable mechanism, like Paramiko, is used to conduct a brute-force attack.
That said, after configuring sshd_config the way I mentioned above, if you need to allow Paramiko to connect to your server, you will have to use publickey authentication.