It means that when admin disallow user root login via sshd, it's still possible via cockpit where as far as I know is terminal emulator which makes it effectivelly same as login via ssh.
So it would be great if cockpit could somehow share PermitRootLogin configuration with sshd.
The global configuration of sshd could be dumped using '/usr/sbin/sshd -T'. However, sshd_conf support Match blocks and options like PermitRootLogin can set to different values for different Match option. A configuration for particular host, port, user or so could be dumped using '/usr/sbin/sshd -T -C "user=root" -C "host=localhost" ...'
Steff's suggestion is to use a pam module called like pam_check_sshd_config which would use above commands to check if root login is permitted or not.
Likewise, Cockpit could respect other sshd authentication settings as AllowUsers, PasswordAuthentication and others
Hmmm, I wonder if we should have a big 'respect ssh login settings' knob to control this. In many distros it would be on by default. I wonder where such a knob would live. Needs a bit more thought.
Are you interested in helping implement such a PAM module? It could be incubated in our sources. We already have raw C code and PAM module in src/reauthorize.
Workaround: In /etc/pam.d/cockpit have this as the first line:
auth requisite pam_succeed_if.so uid >= 1000
You can of course disallow root logins in /etc/pam.d/cockpit, just as one can disallow it for ssh, gdm, or VTs. It seems wrong to me to somehow "look at" ssh's PAM config, as it's a separate thing and may not even apply to cockpit.
The other option is to always use ssh to log into localhost as well, like the bastion host mode does, i. e. start cockpit-ws with --local-ssh (but that's not something we test or document). It's probably best to conceptually treat cockpit as parallel to gdm, ssh, or VT logins (which it really is).
The knob should be added to /users#/root. It would be nice, if the toggle could be added to every user - you can disable users other than root from logging in to cockpit.

I struggled on the wording, it could be phrased better.
Most helpful comment
Workaround: In
/etc/pam.d/cockpithave this as the first line: