Restrict root access
Posted on 26 September 2016 11:26 AM

By default, root can log into the shell. It is a very common practice to log into the shell directly as root, but it is a very bad idea to do so for the following reasons:

  • If sshd is trojaned to record usernames and passwords, your root password has now been compromised (though it could be trivially compromised in other ways)
  • If you log into sshd from a hacked machine that is recording credentials, your root password has now been compromised

The first example is very common. Imagine this scenario: a remote attacker exploits a vulnerability in a user's PHP script (e.g., a popular CMS, or a WordPress plugin). Then they upload a kernel or other exploit to the server and execute it, which provides them with root access.

Now root access has been obtained, but the attacker still does not know the server's root password, or the passwords of any other accounts for that matter. There are a number of ways in which that information could be obtained, and a popular method is to replace the existing ssh daemon with one that records the username and password information of users as they log in. This information is especially useful to an attacker when passwords are reused, which will be discussed in further detail later.

Preventing the root user from logging in can be done by setting this line in /etc/ssh/sshd_config:

PermitRootLogin no

then restarting the sshd service.

NOTE: Before doing this, be sure that you have an account that can obtain root access (such as via su or sudo).
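A check that the setting actually takes effect, as an added example that is not part of the original article: sshd uses the first value it reads for a keyword, and anything below a Match line is conditional, so a "PermitRootLogin no" appended at the bottom of the file can be silently ignored. The function names and the sample configs are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example. sshd applies the FIRST value it reads for a keyword, and
# anything after a "Match" line is conditional, so only the part of the file
# before the first Match is global. "Include" files are not followed here.

# Print the global PermitRootLogin value in file $1, or "unset" if absent.
effective_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # leading whitespace
            sub(/[ \t]*=[ \t]*/, " ", line)        # accept "Keyword=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])                    # keywords are case-insensitive
        }
        key == "match" { exit }                    # end of the global section
        key == "permitrootlogin" { print f[2]; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root login is globally disabled in file $1.
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Write three constructed sample configs into directory $1.
make_samples() {
    printf 'Port 22\nPermitRootLogin no\n' > "$1/good.conf"
    # "no" appended at the bottom is shadowed by the earlier "yes".
    printf 'permitrootlogin yes\nPort 22\nPermitRootLogin no\n' > "$1/shadowed.conf"
    # Only a commented line and a conditional setting: nothing global.
    printf '#PermitRootLogin yes\nMatch Address 192.0.2.0/24\n    PermitRootLogin no\n' \
        > "$1/match_only.conf"
}

# Demo on the constructed samples: prints no, unset, yes (glob order).
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/*.conf; do
    printf '%-16s %s\n' "${f##*/}" "$(effective_root_login "$f")"
done
rm -rf "$tmp"
```

On a live server, `sshd -t` checks the edited file for errors before the restart, and `sshd -T` prints the configuration sshd will actually use.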
