[Please keep CC, I'm not in this list]
The default settings for PermitRootLogin appears to be 'yes'.
Increased number of attacks target the ssh port 22 and root logins
directly[1] throught the Internet.
Would it be possible to tighten the initial installation by defaulting
PermitRootLogin to 'no' (or even in *.c) in forthcoming releases and
have administrators relax it if they see fit.
The configuration file could have an example to encourage to use more
strict security settings. Something like:
PermitRootLogin no
# To enable root logins inside trusted network, like local LAN
# uncomment and adjust following. The 'without-password' allows only
# private key authentications, whereas 'yes' would allow password
# authentication.
# Match Address 192.168.1.0/24
# PermitRootLogin without-password
Jari
[1] Admins warned of brute-force SSH attacks
http://www.securityfocus.com/news/11518