diff --git a/skel/etc/ssh/sshd_config.d/password_authentication.conf b/skel/etc/ssh/sshd_config.d/password_authentication.conf
new file mode 100644
index 0000000..8c2c3ae
--- /dev/null
+++ b/skel/etc/ssh/sshd_config.d/password_authentication.conf
@@ -0,0 +1,8 @@
+# Disable password authentication by default
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+
+# Only allow password authentication for internal networks
+Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    PasswordAuthentication yes
+    ChallengeResponseAuthentication yes
\ No newline at end of file