The SSH daemon configuration (sshd_config) check, does not work if there are „Match“ directives in the sshd_config, like in this example…
Match Group 123_sftp_only
In this cases the agent to outputs data like this…
Therefore the check is always “Critical”, no matter if “Allow password authentication” is configured Yes or No.
A potential solution would be to base the agent on the output of “/sbin/sshd -T -C user=root” (user to be configurable), instead of relying on the content of sshd_config.
The sshd output is more consistent in content and ignores upper/lowercase.