The SSH key check is done by sshd itself before calling PAM. And while the SSHv2 protocol itself allows multiple authentication methods, most SSH daemons do not support requiring more then one.
However, if you have OpenSSH 6.2 or newer, you can use the new AuthenticationMethods option to require publickeyand one of password|keyboard-interactive to succeed:
The SSH key check is done by
sshditself before calling PAM. And while the SSHv2 protocol itself allows multiple authentication methods, most SSH daemons do not support requiring more then one.However, if you have OpenSSH 6.2 or newer, you can use the new
AuthenticationMethodsoption to requirepublickeyand one ofpassword|keyboard-interactiveto succeed: