I just rolled out some minimal-64-lts 21.4.1 zones, and even though /etc/ssh/sshd_config has PasswordAuthentication no, they all allow password authentication

I even svcadm disable ssh, and ptree'd to make sure no ssh pids, and then enabled it

Any suggestions?

"keyboard-interactive/pam" from the log led me to find that it falls under ChallengeResponseAuthentication which has a default of yes

^found the answer for posterity

copec: sucks doesn't it!

It makes sense I suppose. If I were openssh I would have made all the defaults no to make all the distributors of openssh expressly put the options and set them to yes in the default configs, and presumably explain them

also annoying is that when connecting, keys in your local ssh agent that aren't in the remote account's authorized_keys file can count against the # of authentication failures allowed

What's funny is I'm sitting here looking at stuff and I'm pretty sure I ran into something similar like a decade ago and had to figure it out then, but then forgot.