Now on RHEL / CentOS 7,and any system with a recent version of
OpenSSH,you can use:

AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

另见：https://lwn.net/Articles/544640/

It is also important to note that the AuthenticationMethods feature applies only to the SSH 2 protocol,and that each authentication method listed must also be explicitly enabled in the sshd_config file.

这里有一个很好的解释：

https://sysconfig.org.uk/two-factor-authentication-with-ssh.html

Match User johndoe
AuthenticationMethods publickey,keyboard-interactive

Read the commas as logical AND. On login,johndoe’s key pair will be checked first and if it’s a match,you’ll see this:

Authenticated with partial success.

Then,he will be asked for his password. So without realising,you have just set up MFA. Your key pair being what you have,the account password being what you know. This is possibly the simplest way of setting up MFA with SSH,and already better than single-factor authentication.