Wrong comment in /etc/ssh/sshd_config
The following code fragment in sshd_config is misleading:
# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes
Indeed, setting PasswordAuthentication to "no" will NOT disable clear-text
passwords if ChallengeResponseAuthentication keeps its default value "yes".
One also needs to set ChallengeResponseAuthentication to "no".
The above code fragment should be replaced by:
# To disable tunneled clear text passwords, change PasswordAuthentication and ChallengeResponseAuthentication to no.
PasswordAuthentication yes
ChallengeResponseAuthentication yes
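
A check for the situation described in this report, as an added example that is not part of the original report or of OpenSSH: it reads sshd_config text and lists which of the two options still leave a password path open. Assumptions: both defaults are "yes" as the report states, KbdInteractiveAuthentication is treated as the newer spelling of ChallengeResponseAuthentication, and Include files and Match blocks are not evaluated. The sample configs are constructed.

```python
import re

# Defaults assumed from the report: both options are "yes" when unset.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
}
# Lowercased keyword -> canonical name (sshd keywords are case-insensitive).
CANONICAL = {name.lower(): name for name in DEFAULTS}
# Assumption: newer OpenSSH releases name the second option this way.
CANONICAL["kbdinteractiveauthentication"] = "ChallengeResponseAuthentication"

def effective_settings(config_text):
    """Return the global values sshd would use for the two options."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (includes commented-out options)
        m = re.match(r"(\w+)[\s=]+(\S+)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":
            break  # simplification: only the global section is audited
        name = CANONICAL.get(key)
        if name and name not in seen:
            seen[name] = value  # sshd uses the first value it obtains
    return {**DEFAULTS, **seen}

def password_paths(config_text):
    """List the options that still allow password-based login."""
    eff = effective_settings(config_text)
    return sorted(name for name, value in eff.items() if value != "no")

# Constructed sample: an admin followed the original (misleading) comment.
FOLLOWED_OLD_COMMENT = """\
# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication no
"""
# Constructed sample: both options set as the report recommends.
FOLLOWED_REPORT = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for label, text in [("old comment", FOLLOWED_OLD_COMMENT),
                        ("report fix", FOLLOWED_REPORT)]:
        print(label, "->", password_paths(text) or "no password path left")
```
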