The solution is very simple. In my /etc/ssh/sshd_config I have the typical:
RSAAuthentication no PubkeyAuthentication yes
And to enable password authentication for a single user I added the following to the end of the file:
# Allow the 'deployment' user to login # using their password Match User deployment PasswordAuthentication no
It's documented in detail in the Match section of the man page.