I'm currently trying to force regular users on a Linux SSH server to use 2FA (password + TOTP) while allowing power users to only use SSH keys for authentication. SSH keys are sufficiently secure for my purposes, but many of the users will initially be unable to cope with the use of SSH keys. For them, it should be OK to use a password, but in combination with a TOTP like google-authenticator.
I found good tutorials for setting up 2FA, like https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04, and similar questions like "Use Public Key or Password and PAM verification code", but no answer with regard to how to configure sshd to allow public key as single factor and (password + TOTP) as 2FA at the same time. Any hints are welcome. Thank you.
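One way to express the policy asked for above, as an added example that is not part of the original post. It assumes a Debian/Ubuntu-style PAM layout (`common-auth` handles the password) and that the google-authenticator PAM module is already installed; both files are shown in one block.

```conf
# ---- /etc/ssh/sshd_config ----
UsePAM yes
PubkeyAuthentication yes

# Plain password auth is switched off so that a password alone is never
# accepted; the password prompt is issued by PAM via keyboard-interactive.
PasswordAuthentication no

# Newer OpenSSH releases name this option KbdInteractiveAuthentication.
ChallengeResponseAuthentication yes

# Space-separated entries are alternatives; comma-separated entries must
# all succeed in order. This line accepts EITHER a public key on its own
# OR keyboard-interactive, which PAM turns into password + TOTP below.
# Writing "publickey,keyboard-interactive" would instead require both.
AuthenticationMethods publickey keyboard-interactive

# ---- /etc/pam.d/sshd (auth section) ----
# First factor: the account password, via the distribution's common stack.
@include common-auth

# Second factor: TOTP. The "nullok" option is deliberately omitted, so a
# user who has not enrolled a TOTP secret cannot log in with a password
# alone and has to use a key until enrolled.
auth required pam_google_authenticator.so
```

When a login succeeds with `publickey`, sshd does not run the PAM `auth` stack, so key users are not prompted for a password or code. Check the file with `sshd -t` and keep an existing session open while reloading the daemon.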