# Disable password authentication by default
PasswordAuthentication no
ChallengeResponseAuthentication no

# Only allow password authentication for internal networks
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes