Linux – really disable root ssh login

[Is there a way to] disable SSH login via password on a per-user basis?

No. Generally.

what is the (technical/design) limitation in the way SSH works that prevents it?

There is noting in the SSH protocol design or specification that prevents this.

It is an implementation-specific restriction in the SSH daemon (or service)

The usual sshd program on Linux (etc) platforms was written to read a single configuration file that applies to all users of that instance of the program.

I believe it would be possible to write an SSH daemon that looks for a supplementary configuration file in a user's home directory (for example). However this has not been done (insufficient demand probably)

Is there anything approximately equivalent?

What you can do is set the user's login password to some extremely long and completely random string.

It might be possible to use the shell to set a password that contains characters that cannot be entered using SSH clients of the sort believed to be used by attackers. Or at least to set a password that is much longer than any they are likely to attempt using the usual dictionary-based approaches.

Pretty easy. Two reasons:

1. You can limit what you can sudo with no password with your user. You just enter the proper configuration in sudoers files:

   amdhske ALL=NOPASSWD: /usr/bin/somecommand
   

If you login with root, then you have all the permissions to do anything.

2. Every script kiddie on earth knows that your superuser account name is root. So what username do you think they are going to try to brute-force, etc to your system? Right, root.

That it is why is a good security practice to disable root ssh login.