Best way to restrict some SSH users to publickey authentication only (disable password authentication)

There's a nice summary of the difference between ChallengeResponseAuthentication and KbdInteractiveAuthentication at http://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html - summary is that ChallengeResponse often ends up just asking for password (but insists on it being supplied interactively).

KbdInteractiveAuthentication and ChallengeResponseAuthentication are different things. It's just that ChallengeResponseAuthentication can end up just prompting for a password in simple cases.

ChallengeResponseAuthentication is a global setting and can't be specified within a Match clause - see the sshd_config man page for details.

Explicitly specifying AuthenticationMethods publickey for the git user should work fine and is better than than disabling the ones you don't want (as the list could change).

The gssapi options come into play if you're working in a Kerberos environment (such as an Active Directory domain).