The PermitRootLogin option can be given four values. The default is "yes"; the obvious alternative "no" was already mentioned. The other values are "without-password" and "forced-commands-only".
Please read "man sshd_config" for more information.
The "without-password" does NOT mean root can login with no authentication at all: it means that root can use any authentication mechanism other than a password to log in. Usually this means SSH keys, but in some environments this could also mean smart card, SecurID or some other authentication system.
The "forced-commands-only" is a very strict setting: it accepts SSH keys only, *and* each authorized key must have a fixed command defined for it in the root user's ~/.ssh/authorized_keys file. When a root login is made using a key, sshd does not even check what the client wanted: it runs the command specified for that key, and nothing else. When that command completes, the connection is closed.
The "forced-commands-only" option might be useful if someone steals the keys you're using for automated actions with root access. In the normal situation, the thief can do *anything* to your systems; but if you're using forced commands, the damage is limited. For example, if someone steals the key used to make backups, you know the thief can steal your data (by making an "extra backup") but he/she cannot corrupt the data in your system.
MK
