Permit root to login via ssh only with key-based authentication

You can do this using the PermitRootLogin directive. From the sshd_config manpage:

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

The following will accomplish what you want:

PasswordAuthentication yes
PermitRootLogin without-password

You can use Match blocks to configure some options per authenticating user or group, or per IP address or host name of the connection's origin.

PasswordAuthentication yes
PermitRootLogin yes

Match User root
PasswordAuthentication no

I have an even more restrictive approach to grant root privileges on my server, which might be interesting for the paranoid ones like me. Be careful what you do and in which order, otherwise you might end up with a system you can't get root access on.

  • Create a specific group sugroup, whose members will be allowed to become root, and only allow key authentication for this group by putting the following lines at the end of sshd_config:

Match Group sugroup
PasswordAuthentication no

  • Place the command auth required pam_wheel.so group=sugroup in /etc/pam.d/su. It might already be there, and you just have to uncomment it. This denies root access to all users who are not members of sugroup.
  • Choose a strong root password :)
  • Check whether your new authentication method works, and only if it does:
  • Deny direct root login via ssh by using PermitRootLogin no in /etc/ssh/sshd_config.

With this configuration, both key authentication and a password are necessary to become root. I configured my server like this, since I prefer having no direct root access via ssh, regardless of the authentication method.
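Both answers rely on how sshd resolves a keyword when it appears in the global section and again inside a Match block. The script below is an added example, not code from either answer: it implements the relevant sshd_config(5) rules (first global occurrence of a keyword wins; a Match block runs until the next Match; a matching Match block overrides the global value, and among several matching blocks the first one that sets the keyword wins) and applies them to the three fragments quoted on this page. The users alice and bob, their group memberships, and the assembled configuration texts are constructed for the demo; only the User, Group and All criteria with comma-separated exact names or "*" are supported, so it is a teaching aid rather than a replacement for sshd itself.

```shell
#!/bin/sh
# Added example (not from the original answers): evaluate which
# PasswordAuthentication / PermitRootLogin value sshd would apply to a given
# user under each sshd_config fragment quoted on the page.
# Rules implemented (sshd_config(5)): global section first, first occurrence
# of a keyword wins; a Match block extends to the next Match; a Match block
# whose criteria all match overrides the global value; among several matching
# blocks the first that sets the keyword wins. Only User/Group/All criteria
# are handled; Address, Host, "?" wildcards and "!" negation are not.

# Configuration texts assembled from the page's fragments (constructed).
CFG_WITHOUT_PASSWORD='PasswordAuthentication yes
PermitRootLogin without-password'

CFG_MATCH_USER='PasswordAuthentication yes
PermitRootLogin yes

Match User root
PasswordAuthentication no'

# End state of the second answer: sugroup members must use keys, no direct root login.
CFG_SUGROUP='PermitRootLogin no

Match Group sugroup

PasswordAuthentication no'

# effective_value CONFIG KEYWORD USER GROUPS
#   GROUPS is a comma-separated list of the user's primary and supplementary
#   groups (sshd's "Match Group" matches any of them). Prints the effective value.
effective_value() {
  cfg=$1 kw=$2 user=$3 groups=$4
  case $(printf '%s' "$kw" | tr 'A-Z' 'a-z') in
    passwordauthentication) dflt=yes ;;   # compiled-in default
    *) dflt='(default)' ;;                # PermitRootLogin: "yes" before OpenSSH 7.0, "prohibit-password" since
  esac
  printf '%s\n' "$cfg" | awk -v kw="$kw" -v user="$user" -v groups="$groups" -v dflt="$dflt" '
    function in_list(val, pat,    n, p, i) {          # exact name or "*" in a comma list
      n = split(pat, p, ",")
      for (i = 1; i <= n; i++) if (p[i] == "*" || p[i] == val) return 1
      return 0
    }
    function any_group(gs, pat,    n, g, i) {         # any of the user groups matches
      n = split(gs, g, ",")
      for (i = 1; i <= n; i++) if (in_list(g[i], pat)) return 1
      return 0
    }
    NF == 0 || $1 ~ /^#/ { next }                      # blank lines and comments
    tolower($1) == "match" {                           # start of a Match block
      in_match = 1; ok = 1
      if (NF == 2 && tolower($2) == "all") { active = 1; next }
      for (i = 2; i <= NF; i += 2) {                   # criterion/pattern pairs, all must match
        crit = tolower($i); pat = $(i + 1)
        if (crit == "user")       { if (!in_list(user, pat))     ok = 0 }
        else if (crit == "group") { if (!any_group(groups, pat)) ok = 0 }
        else ok = 0                                    # unsupported criterion: treat as no match
      }
      active = ok; next
    }
    tolower($1) == tolower(kw) {
      if (!in_match) { if (gval == "") gval = $2 }     # first global occurrence wins
      else if (active && mval == "") mval = $2         # first matching Match block wins
    }
    END { print (mval != "" ? mval : (gval != "" ? gval : dflt)) }'
}

# Stand-alone demo: who can still authenticate with a password under each fragment?
for spec in root:root alice:alice,users bob:bob,sugroup; do
  u=${spec%%:*}; g=${spec#*:}
  printf '%-6s without-password: pw=%-3s  match-user: pw=%-3s  sugroup: pw=%-3s root-login=%s\n' "$u" \
    "$(effective_value "$CFG_WITHOUT_PASSWORD" PasswordAuthentication "$u" "$g")" \
    "$(effective_value "$CFG_MATCH_USER" PasswordAuthentication "$u" "$g")" \
    "$(effective_value "$CFG_SUGROUP" PasswordAuthentication "$u" "$g")" \
    "$(effective_value "$CFG_SUGROUP" PermitRootLogin "$u" "$g")"
done
```

On a real host the authoritative check is sshd itself: run sshd -t to validate the syntax before restarting, and sshd -T -C user=root,host=client.example,addr=192.0.2.1 (host and addr are placeholders for the connecting client) to print the settings sshd would actually apply to that connection, including the result of every Match block.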