I rebuilt a box this morning, and when I installed openssh-server, I found a different option set as default in the config file–one that I believe is less secure.
Where previously, the default Authentications section looked like this:
# Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes
The default now looks like this:
# Authentication: LoginGraceTime 120 PermitRootLogin without-password StrictModes yes
And I have, of course, set the switch to “no”.
I don’t personally allow root logins of any kind on any of my personal servers, and I do like that the default has been made more secure. It’s different, however, and my eyes might have scanned right over this switch if I didn’t have a list of things I change for security reasons each time I build a box. Caveat emptor.