PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified. Useful for backups 😉 All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
Thus without-password allows root login only with public key authentication.