Sim, você pode exigir tanto o kerberos quanto a autenticação de chave pública com a opção AuthenticationMethods
sshd.
AuthenticationMethods
Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. [...] This option will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration.
Então, você precisa escrever no seu sshd_config algo assim:
Protocol 2
GSSAPIAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods gssapi-with-mic, publickey