22:00:41 <copec> I just rolled out some minimal-64-lts  21.4.1 zones, and even though /etc/ssh/sshd_config has PasswordAuthentication no, they all allow password authentication
22:01:17 <copec> I even svcadm disable ssh, and ptree'd to make sure no ssh pids, and then enabled it
22:01:25 <copec> Any suggestions?
22:13:07 <copec> "keyboard-interactive/pam" from the log led me to find that it falls under ChallengeResponseAuthentication which has a default of yes
22:13:22 <copec> ^found the answer for posterity 
22:24:01 <jlevon> copec: sucks doesn't it!
22:38:36 <copec> It makes sense I suppose. If I were openssh I would have made all the defaults no to make all the distributors of openssh expressly put the options and set them to yes in the default configs, and presumably explain them
22:38:58 <jbk> also annoying is that when connecting, keys in your local ssh agent that aren't in the remote account's authorized_keys file can count against the # of authentication failures allowed
22:43:27 <copec> What's funny is I'm sitting here looking at stuff and I'm pretty sure I ran into something similar like a decade ago and had to figure it out then, but then forgot.