Remote login with the root account is usually not allowed, but anyone can
ssh -l root into any RedHat system from RH7 through the latest rawhide I am
aware of (openssh-server-2.3.0p1-9).
This should be "no" by default, or the corresponding PAM configuration
should use pam_securetty.so, so there is no unexpected feature that
allows remote root login :( IMHO
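As an added illustration of the two fixes proposed in the post above (this is example code, not from Red Hat, OpenSSH, or anyone in this thread), the following shell script reports the effective PermitRootLogin value of an sshd_config and checks an sshd PAM service file for an active pam_securetty.so auth line. The sample config files it writes are constructed for the example; it assumes sshd's rule that the first occurrence of a keyword wins, that there are no Match blocks, and that an absent PermitRootLogin falls back to the compiled-in default, which was "yes" in OpenSSH 2.3-era builds.

```shell
#!/bin/sh
# Added example (not Red Hat's or OpenSSH's code): audit the two knobs named
# in the post, sshd_config's PermitRootLogin and a pam_securetty.so line in
# the sshd PAM service. Assumptions: sshd uses the first occurrence of a
# keyword and ignores '#' comment lines, there are no Match blocks, and an
# absent PermitRootLogin means the compiled-in default ("yes" at the time).

# Print the effective PermitRootLogin value from the sshd_config given as $1.
permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'yes\n'    # keyword absent: compiled-in default assumed here
    fi
}

# Exit 0 if the PAM service file $1 has an active auth line loading pam_securetty.so.
pam_has_securetty() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+.*pam_securetty\.so' "$1"
}

# Constructed sample files; not copied from any distribution.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CFG="$WORK/sshd_config.weak"
HARD_CFG="$WORK/sshd_config.hardened"
PAM_WEAK="$WORK/pam_sshd.weak"
PAM_HARD="$WORK/pam_sshd.hardened"

cat > "$WEAK_CFG" <<'EOF'
# Shipped-style config: the directive is only a comment, so sshd uses its default.
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
# A later duplicate is ignored: the first value wins.
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$PAM_WEAK" <<'EOF'
auth       required     /lib/security/pam_pwdb.so shadow nodelay
account    required     /lib/security/pam_pwdb.so
EOF

cat > "$PAM_HARD" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nodelay
account    required     /lib/security/pam_pwdb.so
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    printf '%s: PermitRootLogin %s\n' "$f" "$(permit_root_login "$f")"
done
for f in "$PAM_WEAK" "$PAM_HARD"; do
    if pam_has_securetty "$f"; then
        echo "$f: pam_securetty present"
    else
        echo "$f: pam_securetty missing"
    fi
done
```

One caveat a practitioner should keep in mind: pam_securetty.so only runs when sshd authenticates through the PAM auth stack (i.e. password authentication), so it does not stop a root login that uses a public key; only PermitRootLogin covers both paths.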
Seconded. Remote root logins should be disabled by default.
Remote root login is disabled by default as a security measure specifically
because of the hazards of password-sniffing. Over a cryptographically-protected
channel, it's not necessary.
Disabling root logins also provides a kind of audit trail. You see in the logs _who_
logged in (via su) as root. With direct root logins you don't.
This is purely a configuration issue, and it's impossible to get it right for
everyone. We're going to leave this set to the same default that the portable
OpenSSH team includes in theirs.
I would personally prefer a changed default (to "PermitRootLogin no").