Our server cluster has remote root access enabled for rescue purposes, and we generally set PermitRootLogin prohibit-password in /etc/ssh/sshd_config because LDAP users can still log in using a password.

Recently we added an extra server with very strict access control, and we have PasswordAuthentication set to no so only specific users with SSH keys can log in. However, a default setting of PermitRootLogin yes remained unnoticed for some time. (It wasn't a real issue since we also have the password of the root user deleted, so no one could log in unless directly at the KVM console.)

My question is, with PasswordAuthentication no set, does PermitRootLogin yes behave identically to prohibit-password?
prohibit-password means authenticate with any allowed mechanism that is not password and not keyboard-interactive. See sshd_config, PermitRootLogin.

PasswordAuthentication no just means authenticate with any allowed mechanism that is not password, obviously. See sshd_config, PasswordAuthentication.

Therefore, the answer is no.

Also, prohibit-password is specific to the root account; PasswordAuthentication no is a global setting that affects all the accounts.

Note however, if you don't use keyboard-interactive, then the answer is yes (only considering the root account).
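As an added example (not part of the original question or answer), the following POSIX shell function applies the answer's reasoning to sshd's effective settings in the form that sshd -T prints them (lowercase keyword, a space, the value, one per line). It assumes that output format, that a keyword missing from the input takes OpenSSH's default of yes, and that the three sample configurations are constructed for illustration rather than captured from a real host. It goes slightly beyond the thread by also accepting the older ChallengeResponseAuthentication keyword and the older PermitRootLogin spellings.

```shell
#!/bin/sh
# Added example: decide, from sshd's effective settings, whether root can
# still authenticate with a password or via keyboard-interactive.
# Input ($1) is text in the form "sshd -T" prints: lowercase keyword,
# space, value, one setting per line.
#
# Assumption: a keyword absent from the input takes the OpenSSH default,
# which is "yes" for all three settings considered here.
#
# Returns 0 when root's password and keyboard-interactive paths are closed,
# 1 when at least one of them is still open.
root_password_paths_closed() {
    prl=yes
    pwa=yes
    kbd=yes
    while read -r key val; do
        case "$key" in
            permitrootlogin) prl=$val ;;
            passwordauthentication) pwa=$val ;;
            # newer sshd prints kbdinteractiveauthentication; older releases
            # print the former name challengeresponseauthentication
            kbdinteractiveauthentication|challengeresponseauthentication) kbd=$val ;;
        esac
    done <<EOF
$1
EOF
    # A root-specific restriction wins regardless of the global settings.
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
    esac
    # With PermitRootLogin yes, root is only as restricted as everyone else:
    # both interactive mechanisms must be switched off globally.
    if [ "$pwa" = no ] && [ "$kbd" = no ]; then
        return 0
    fi
    return 1
}

# Human-readable wrapper for the scenarios discussed in the thread.
report() {
    if root_password_paths_closed "$2"; then
        echo "$1: root password/keyboard-interactive login closed"
    else
        echo "$1: root password/keyboard-interactive login still possible"
    fi
}

# Constructed sample settings (not captured from a real host).
CLUSTER='permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication yes'

STRICT_AS_FOUND='permitrootlogin yes
passwordauthentication no
kbdinteractiveauthentication yes'

STRICT_NO_KBD='permitrootlogin yes
passwordauthentication no
kbdinteractiveauthentication no'

report "cluster node" "$CLUSTER"
report "strict server, as found" "$STRICT_AS_FOUND"
report "strict server, keyboard-interactive off" "$STRICT_NO_KBD"

# On a live host, as root: root_password_paths_closed "$(sshd -T)" && echo closed
```

The second sample reproduces the situation in the question: PasswordAuthentication no alone leaves keyboard-interactive available to root while PermitRootLogin is yes, so the function reports the path as still possible; only the third sample, with keyboard-interactive also off, matches what prohibit-password gives the root account on its own.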