Comment 10 for bug 296841

Jamie Strandboge (jdstrand) wrote :

1. I should have said "an enabled empty root password makes possible passwordless root login via ssh and the console". In other words, /etc/securetty and /etc/pam.d/common-auth need to be (mis)configured.

2. ssh public key logins are not disabled by the use of '!'. E.g.:
/etc/shadow
root:!:14196:0:99999:7:::

/var/log/auth.log
Dec 15 18:17:59 sec-intrepid-amd64 sshd[5654]: Accepted publickey for root from 192.168.122.1 port 43391 ssh2
Dec 15 18:17:59 sec-intrepid-amd64 sshd[5654]: pam_unix(sshd:session): session opened for user root by (uid=0)

sshd_config has:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
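
The check below is an added example, not part of the comment above or of any Ubuntu tooling: it reads shadow entries and sshd_config text and reports accounts whose password is locked with '!' or '*' while ssh public key login is still accepted. The function names, the "alice" entry and the users_with_keys input are assumptions made for illustration; Match blocks in sshd_config are not handled.

```python
# Added example. SAMPLE_SHADOW's root line and SAMPLE_SSHD repeat the values
# quoted in the comment; the "alice" entry is constructed.
SAMPLE_SHADOW = "root:!:14196:0:99999:7:::\nalice:$6$constructed$hash:14196:0:99999:7:::\n"
SAMPLE_SSHD = """PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
"""
LOCKED_MSG = "password locked, ssh publickey login still accepted"
EMPTY_MSG = "empty password field"

def parse_sshd_config(text):
    """Return {keyword_lower: value}; sshd keeps the first value it reads per keyword."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return "set"

def audit(shadow_text, sshd_text, users_with_keys):
    """users_with_keys: names known to have a non-empty authorized_keys file (assumed input)."""
    opts = parse_sshd_config(sshd_text)
    pubkey_on = opts.get("pubkeyauthentication", "yes") == "yes"
    # Default assumed to be "yes" when the keyword is absent; newer OpenSSH differs.
    root_ok = opts.get("permitrootlogin", "yes") != "no"
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, state = fields[0], password_state(fields[1])
        if state == "locked" and pubkey_on and user in users_with_keys and (user != "root" or root_ok):
            findings.append((user, LOCKED_MSG))
        elif state == "empty":
            findings.append((user, EMPTY_MSG))
    return findings
```

Calling audit(SAMPLE_SHADOW, SAMPLE_SSHD, {"root"}) reports root, matching the auth.log lines quoted in the comment.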