by cube00 1659 days ago
Just be aware if you do this and your cloud provider only offers direct terminal (e.g. via VNC) as a fail safe, you'll be unable to use your certificate in case of some problem with your private key or a firewall issue blocking SSH. A reasonable middle ground might be to use a certificate as your daily driver and keep a 100+ character long random password as a "break glass" backup.
3 comments

I think most consoles that cloud providers offer are attached via virtual serial consoles (ttys) and not via SSH. So you can disable passwords for SSH but still use them via the cloud provider remote console.

At least for KVM based virtual servers that I have this is the case.

"direct terminal" access, even via VNC, IPMI, whatnot, would still allow one to log in locally as root; "PasswordAuthentication No" only affects sshd, not PAM.
I caution against the 100+ character password for this use case. Some VM / VNC combos don't have clipboard integration. Diceware is sufficient and imo the right choice for any password that might have to be entered by hand.
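The Diceware suggestion above, worked through as an added example (not code from anyone in this thread): how a five-dice roll maps onto a word-list index, how much entropy each word contributes, and how many words are needed to reach a given strength. The word list is a small constructed one for demonstration; a real list such as the EFF long list has 6**5 = 7776 entries.

```python
"""Diceware passphrase helpers (added example, not from the thread)."""
import math
import secrets

# A tiny constructed word list for demonstration only. A real Diceware
# list (e.g. the EFF long list) has 6**5 = 7776 entries so that each word
# can be selected by rolling five six-sided dice.
TOY_WORDLIST = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon",
    "garnet", "harbor", "indigo", "jasper", "kestrel", "lumen",
    "marble", "nectar", "orbit", "pepper", "quartz", "ripple",
    "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "beacon", "cedar", "dune",
    "ether", "fjord", "glacier", "heron", "island", "juniper",
]
DICE_SIDES = 6
DICE_PER_WORD = 5                            # standard Diceware: five rolls per word
EFF_LIST_SIZE = DICE_SIDES ** DICE_PER_WORD  # 7776


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def roll_to_index(roll: str) -> int:
    """Convert a string of dice rolls such as '31415' (each digit 1-6) into a
    zero-based word-list index by reading the rolls as a base-6 number."""
    if not roll or any(c not in "123456" for c in roll):
        raise ValueError("roll must consist of digits 1-6 only")
    index = 0
    for c in roll:
        index = index * DICE_SIDES + (int(c) - 1)
    return index


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words giving at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, wordlist=TOY_WORDLIST, separator=" ") -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (secrets), the
    software stand-in for rolling physical dice."""
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{entropy_bits(6, len(TOY_WORDLIST)):.1f} bits with the toy list, "
          f"{entropy_bits(6, EFF_LIST_SIZE):.1f} bits with a 7776-word list")
    print(f"words for 100 bits from a 7776-word list: {words_needed(100, EFF_LIST_SIZE)}")
```

With a 7776-word list each word contributes about 12.9 bits, so eight words clear 100 bits of entropy while remaining something a person can type at a VNC or serial console without clipboard support; the toy list here is far too small for real use and exists only so the block runs offline.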