I agree entirely. The box I have this on is my piddle-around server. A long time ago I used to administer a medium-sized cluster of Linux boxes and they were all cert auth, and I wouldn't have had it any other way. Mostly, I think it's fun to see what usernames and passwords the scripts and bots and hackers try on my neutered SSH.

I have a port 22 ssh process that denies everything, and a separate ssh process on a different port that accepts logins as normal. So someone could obviously find the hidden one, but it won't be the apparently-functional one that they can hit day and night and never get any results from.