De link
Now on RHEL / CentOS 7, and any system with a recent version of OpenSSH, you can use:
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
Veja também: link
It is also important to note that the AuthenticationMethods feature applies only to the SSH 2 protocol, and that each authentication method listed must also be explicitly enabled in the sshd_config file.
E uma ótima explicação em detalhes aqui:
Match User johndoe
AuthenticationMethods publickey,keyboard-interactive
Read the commas as logical AND. On login, johndoe's key pair will be checked first and if it's a match, you'll see this:
Authenticated with partial success.
Then, he will be asked for his password. So without realising, you have just set up MFA. Your key pair being what you have, the account password being what you know. This is possibly the simplest way of setting up MFA with SSH, and already better than single-factor authentication.