If you insist on using passwords, make sure you at least install something like fail2ban or denyhosts to block the compromised machines which are hammering your server trying to guess passwords. Clients can see which authentication methods are allowed so they know which machines to attack (i.e., yours, if you allow passwords).
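How a client learns which methods a server allows, as an added example that is not part of the original comment: RFC 4252 has the server answer a failed or "none" authentication request with SSH_MSG_USERAUTH_FAILURE, which lists the methods that can continue. The function names and sample payloads below are constructed for illustration, and treating keyboard-interactive as guessable alongside password is an assumption of this sketch.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number from RFC 4252, section 5.1
# Assumption of this example: methods that accept a typed secret.
GUESSABLE = {"password", "keyboard-interactive"}


def parse_userauth_failure(payload: bytes):
    """Parse a decrypted SSH_MSG_USERAUTH_FAILURE payload.

    Layout: byte 51, name-list (uint32 length + comma-separated ASCII names),
    boolean partial-success. Returns (methods, partial_success).
    """
    if len(payload) < 6:
        raise ValueError("payload too short")
    if payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not SSH_MSG_USERAUTH_FAILURE")
    (length,) = struct.unpack_from(">I", payload, 1)
    end = 5 + length
    if end + 1 != len(payload):
        raise ValueError("name-list length does not match payload")
    raw = payload[5:end].decode("ascii")
    methods = raw.split(",") if raw else []
    return methods, payload[end] != 0


def guessable_methods(payload: bytes):
    """Return the advertised methods that a password-guessing bot could use."""
    methods, _ = parse_userauth_failure(payload)
    return sorted(GUESSABLE.intersection(methods))


def build_sample(methods, partial=False) -> bytes:
    """Build a constructed payload for the demo (not captured traffic)."""
    names = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(names))
            + names + bytes([int(partial)]))


if __name__ == "__main__":
    for label, sample in [
        ("passwords allowed", build_sample(["publickey", "password"])),
        ("key-only", build_sample(["publickey"])),
    ]:
        found = guessable_methods(sample)
        print(f"{label}: advertises {found or 'no guessable methods'}")
```

A server that advertises only publickey gives guessing bots nothing to try, which is why disabling password authentication reduces the noise that fail2ban or denyhosts would otherwise have to block.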
I use a gpg smartcard to log into SSH. That way I don't need a password (technically, the smartcard reader wants the PIN, but the computer sees no PIN) and the key can't be stolen easily.
One can simply start an openssh-server on localhost with some unused port for testing. There is no need for the internet or other computers, let alone somebody else's computers over the internet, for that.
Yeah, I'm sure they are running Linux. Actually, just have them build openssh from source first. Much easier than signing up for GitHub and following their guide to do a test push for a litmus test.