Openssh by itself is fairly secure even with passwords.  I was hacked a little over a decade ago under Openssh with using passwords only but I have not see any easy exploits of Openssh in sometime.  Passwords can be brute forced though and this makes them a security breach unless you have a long random password with a mix of uppercase, lowercase, numbers and symbols.  I like the certificate keys because if you do not have the key you can not login to the box from the outside world.  I run connectbot with a generated certificate key on my android phone to log into my systems.   Locking down port forwarding with Knockd adds another level of security because if a port is open it gives a hacker a reason to try to break into your system.  If they do not know the port is open in the first place they have no reason to try.   Also they will not have an easy way of knowing which type of system is behind the port forward.  Even with a port forwarding a hacker maybe able to fingerprint your Operating System by the way the port and application on the port like sshd responds.  From their they can look for known exploits in the Operating System and try to break in.  It is better if they do not know what OS or how many computer systems are behind the router.

-Dukejer