Possible to use both private key and password authentication for ssh login?

With recent Fedora and RHEL 6 releases, you can use RequiredAuthentications2 pubkey,password to require both pubkey and password authentication. Usually this is done to require pubkey and 2-factor authentication token, not the user's password.

Update: Now on RHEL / CentOS 7, and any system with a recent version of OpenSSH, you can use:

AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

It's also possible to use the Match directive to exclude IPs or Users.


You can have both public-key and password authentication on the same server. If public-key authentication fails, it will go to password authentication.

As to requiring both, that seems silly and counterproductive, and checking man sshd_config, there isn't an option to do this.

Your ssh private key should have a secure passphrase. So if an attacker obtains your private key, they still can't do anything without first obtaining your passphrase. If they've compromised that passphrase (most likely with a keylogger; or from brute forcing an extremely weak passphrase) they can trivially also grab/brute force any memorized password.

If you really want, you could possibly set up something with, say, ForceCommand (e.g., only allow public-key authentication and then direct the user to a shell that prompts for a password). I don't recommend this.

A better alternative if you want to limit exposure, is to have a firewall setup to limit IPs that can reach the ssh port; possibly with an additional VPN running on a server somewhere if you may need to tunnel from another computer at some point. You could also use something like knockd to open a hole in a firewall after a particular port-knocking pattern, though recognize that anyone eavesdropping on traffic could replay the knocking pattern to open up a port.


(Cross-posting an SO answer with a solution updated for these days.)

If you read through the manual page for sshd_config(5), there is an option, AuthenticationMethods, which takes the list of methods you need to pass before you are granted access. Your required setup is:

AuthenticationMethods publickey,password

This method should work on all current Linux systems with a recent OpenSSH (openssh-6, openssh-7).

Older systems

The only exception I know about is RHEL 6 (openssh-5.3), which requires setting a different option with the same values (as described in the other answer):

RequiredAuthentications2 publickey,password
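
Added example (not part of any answer above): a small audit script that reads sshd_config text and reports every section, global or Match, where AuthenticationMethods does not demand publickey plus a second method in each alternative list. The function names and the sample config are constructed for illustration; the script does not follow Include files and does not check that each listed method is itself enabled.

```python
import shlex

def sections(config_text):
    """Split sshd_config text into [(header, {keyword: args})]; entry 0 is the global section."""
    out = [("global", {})]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted lists used above
        key = parts[0].lower()             # keywords are case-insensitive
        if key == "match":
            out.append((line, {}))
        else:
            # sshd keeps the first value it sees for a keyword
            out[-1][1].setdefault(key, parts[1:])
    return out

def is_key_plus_second(lists):
    """Every alternative list must contain publickey and at least one other method."""
    if not lists or lists == ["any"]:
        return False
    for alt in lists:
        # strip optional device suffixes such as keyboard-interactive:pam
        methods = {m.split(":")[0] for m in alt.split(",")}
        if "publickey" not in methods or len(methods) < 2:
            return False
    return True

def weak_sections(config_text):
    """Return headers of sections where a key plus a second method is not required."""
    secs = sections(config_text)
    global_lists = secs[0][1].get("authenticationmethods", ["any"])
    weak = []
    for header, opts in secs:
        # a Match block without its own setting inherits the global one
        lists = opts.get("authenticationmethods", global_lists)
        if not is_key_plus_second(lists):
            weak.append(header)
    return weak

# Constructed sample config: the Match block quietly drops the second factor.
SAMPLE = '''\
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
Match Address 192.0.2.0/24
    AuthenticationMethods publickey
Match User backup
    X11Forwarding no
'''

if __name__ == "__main__":
    print(weak_sections(SAMPLE))
```

Running it against a copy of the real configuration shows whether a Match exclusion has turned the two-method requirement back into single-factor login for some users or addresses.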