Ssh – Use different authentication methods for OpenSSH server depending on client IP

Public key authentication is turned on by default and has higher priority then password authentication (handled by PAM or directly).

You can set up in sshd_config option UsePAM yes (by default on Red Hat), which will defer authentication to PAM -- this is configured in /etc/pam.d/sshd (can differ a bit on some systems).

For OTP you can use google_authenticator, or some other open implementation of one-time passwords. There are many how-to's around here. You can try to search for two-factor authentication, but basically it is adding one line like this

 auth            required        pam_google_authenticator.so

in the /etc/pam.d/sshd and do some configuration: Arch has nice instruction for this: https://wiki.archlinux.org/index.php/Google_Authenticator

Using only one-time passwords, without the second factor can be potential risk if the one-time password or token gets lost -- I recommend you not to go this way and implement rather the two factor authentication than only one-time password.

Probably not.

The man page for pam_group says:

Only the auth module type is provided.

And since SSH doesn't use PAM to authenticate when it uses public keys, the auth modules are not used.

As to why pam_group only works as an auth module and not as a session module, I can't say.