To disable direct ssh logins for a user, especially root, here’s a basic run-down.
How do I disable SSH login for the root user? - Media Temple
Also, since this action can disable the root user’s ssh access, you’ll need to use sudo to become root. This post cleared up some of my own confusion about the differences between alternative ways to become root via sudo. It expecially cleared up for me which password is expected for each type of invocation for sudo or su and what the new shell environment will contain.
su VS sudo su VS sudo -u -i - blog by @johnkpaul
To better understand which users on the box are allowed to connect via ssh, try linux - List of all users that can connect via SSH - Stack Overflow. This question was answered, sort of, almost, but it really wasn’t answered sufficiently.
More/better insights here (at least for debian): linux - Which users are allowed to log in via SSH by default? - Unix & Linux Stack Exchange. I think the centos configuration is much the same.
The /etc/shadow file has been confusing to me in the past. I understand it better now, after reading Understanding /etc/shadow file.
Some more tidbits with a useful variation on explanation of their purpose: