Такой вопрос:
Читаю ман:
PermitRootLogin
  If this option is set to ``forced-commands-only'' root login with
  public key authentication will be allowed, but only if the
  сommand option has been specified (which may be useful for taking
  remote backups even if root login is normally not allowed).  All
  other authentication methods are disabled for root.

Ставлю в sshd:
PermitRootLogin forced-commands-only

на клиенте от рута:
ssh-keygen -t rsa 
копируем строчку из id_rsa.pub в серверный authorized_keys

Также на сервере:
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys

все..
на клиенте ssh root@192.168.0.1 ls

в логах:
Connection from 192.168.0.2 port 32775
sshd[14477]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1 Debian-8.sarge.4
sshd[14477]: debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH_3.*
sshd[14477]: debug1: Enabling compatibility mode for protocol 2.0
sshd[14477]: debug1: Local version string SSH-2.0-OpenSSH_4.2
sshd[14477]: Failed none for root from 192.168.0.2 port 32775 ssh2
sshd[14477]: debug1: temporarily_use_uid: 0/0 (e=0/0)
sshd[14477]: debug1: trying public key file /root/.ssh/authorized_keys
sshd[14477]: debug1: matching key found: file /root/.ssh/authorized_keys, line 2
sshd[14477]: Found matching RSA key: 7d:ce:3c:be:cd:7b:f7:23:c5:ab:d9:65:41:24:1b:8f
sshd[14477]: debug1: restore_uid: 0/0
sshd[14477]: debug1: temporarily_use_uid: 0/0 (e=0/0)
sshd[14477]: debug1: trying public key file /root/.ssh/authorized_keys
sshd[14477]: debug1: matching key found: file /root/.ssh/authorized_keys, line 2
sshd[14477]: Found matching RSA key: 7d:ce:3c:be:cd:7b:f7:23:c5:ab:d9:65:41:24:1b:8f
sshd[14477]: debug1: restore_uid: 0/0
sshd[14477]: debug1: ssh_rsa_verify: signature correct
sshd[14477]: ROOT LOGIN REFUSED FROM 192.168.0.2
sshd[14477]: Failed publickey for root from 192.168.0.2 port 32775 ssh2