Change default prohibit root sshd password auth

Change-Id: Ib195041cd84bafa0cc7ca1d2ca42041618ce181d

defaults/main.yml

@@ -538,11 +538,11 @@ security_ssh_client_alive_interval: 900           # V-38608
 # Timeout ssh sessions as soon as ClientAliveInterval is reached once
 security_ssh_client_alive_count_max: 0            # V-38610
 #
-# The ssh daemon must not permit root logins. The default value of 'yes' is a
-# deviation from the STIG requirements due to how openstack-ansible operates,
-# especially within OpenStack CI gate jobs. See documentation for V-38613 for
-# more details.
-security_ssh_permit_root_login: 'yes'             # V-38613
+# The ssh daemon must not permit root logins. The default value of
+# 'without-password' is a deviation from the STIG requirements due to how
+# OpenStack-Ansible operates, especially within OpenStack CI gate jobs. See
+# documentation for V-38613 for more details.
+security_ssh_permit_root_login: 'without-password' # V-38613
 
 ## Kernel
 # Set these booleans to 'yes' to disable the kernel module (following the

doc/metadata/rhel6/V-38613.rst

@@ -5,9 +5,9 @@ tag: sshd
 ---
 
 Although the STIG recommends disabling root logins via ssh, the default in
-this role is to allow it. The openstack-ansible deployment uses the root
-user by default at this time, but that may change later and allow for this
-configuration to be set.
+this role is to allow it with a key authentication. The OpenStack-Ansible
+deployment uses the root user by default at this time, but that may change
+later and allow for this configuration to be set.
 
 To disallow root logins via ssh, simply adjust this configuration variable:
 

releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml

@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    ``PermitRootLogin`` in the ssh configuration has changed from
+    ``yes`` to ``without-password``.  This will only allow ssh to be used
+    to authenticate root via a key.