Can you please explain how this is possible?
There are two valid configurations that will permit root to log in using a password:
1. PermitRootLogin yes
2. PermitRootLogin without-password and ChallengeResponseAuthentication yes AND certain PAM configurations
I seem to remember the Ubuntu default is PermitRootLogin no, but I believe that Linode, being a service that provides remote servers which only have a root account initially, have tweaked the default in their build so that their users can log right in without using lish or other remote console options (which can be a little kludgy to use). I actually run an Ubuntu 16 Linode, but my sshd_config was modified right after installation, and that's one setting I always tweak, so I can't tell you how it shipped :)
To quote the sshd_config man page:
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be ``yes'', ``prohibit-password'', ``without-password'',
``forced-commands-only'', or ``no''. The default is ``no''.
Note that if ChallengeResponseAuthentication is ``yes'', the root
user may be allowed in with its password even if PermitRootLogin
is set to ``without-password''.
If this option is set to ``prohibit-password'' or
``without-password'', password and keyboard-interactive
authentication are disabled for root.
To quote the sshd_config on my Ubuntu 16 system:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
You may want to read "How To Tune your SSH Daemon Configuration on a Linux VPS" which, while it doesn't go into this particular issue, is a nice readable survey of what you can do to your sshd_config.
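Added example, not part of the original answer: a POSIX shell function that classifies the option interaction described above from the effective settings that `sshd -T` prints. The function name, the verdict labels and the sample input are constructed for illustration, and it assumes keyboard-interactive authentication is backed by PAM, as on Linux.

```shell
#!/bin/sh
# Added example (not from the original answer). Reads effective sshd settings
# on stdin, one "keyword value" per line as printed by `sshd -T`, and prints:
#   allowed        root can authenticate with a password
#   pam-dependent  keyboard-interactive via PAM may still accept a password
#   blocked        no password path for root
#   unknown        a needed keyword is missing or has an unexpected value
root_pw_verdict() (
    prl= pwauth= kbd= pam=
    while read -r key val rest; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        val=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')
        case $key in   # first value seen for a keyword wins
            permitrootlogin)        : "${prl:=$val}" ;;
            passwordauthentication) : "${pwauth:=$val}" ;;
            # Newer OpenSSH names this option KbdInteractiveAuthentication.
            challengeresponseauthentication|kbdinteractiveauthentication)
                                    : "${kbd:=$val}" ;;
            usepam)                 : "${pam:=$val}" ;;
        esac
    done
    # Refuse to guess defaults: `sshd -T` prints every keyword.
    if [ -z "$prl" ] || [ -z "$pwauth" ] || [ -z "$kbd" ] || [ -z "$pam" ]
    then prl=missing; fi
    # Assumption: keyboard-interactive reaches a password prompt only via PAM.
    pam_kbd=no
    if [ "$kbd" = yes ] && [ "$pam" = yes ]; then pam_kbd=yes; fi
    case $prl in
        yes)
            if [ "$pwauth" = yes ]; then echo allowed
            elif [ "$pam_kbd" = yes ]; then echo pam-dependent
            else echo blocked; fi ;;
        without-password|prohibit-password)
            # The bypass the quoted UsePAM comment warns about.
            if [ "$pam_kbd" = yes ]; then echo pam-dependent
            else echo blocked; fi ;;
        no|forced-commands-only) echo blocked ;;
        *) echo unknown ;;
    esac
)

# Constructed sample resembling the configuration discussed in the answer.
root_pw_verdict <<'EOF'
permitrootlogin without-password
passwordauthentication yes
challengeresponseauthentication yes
usepam yes
EOF
```

On a live host, pipe the effective configuration into it with `sshd -T | root_pw_verdict`, run as root.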