How do I disable remote root login via ssh?

I'm going to take a guess on this one, but I'm pretty confident.

I bet there's a PermitRootLogin yes line already in your file. SSH will only use the first line it finds, and will ignore a duplicate further down. So if you just added PermitRootLogin no to the end of the file without removing the line above, there will be no effect.

One of the peculiarities of ssh is that PAM-based authentication can't be fully controlled by it directly. You should check the PAM stack /etc/pam.d/sshd; I would add pam_access to the auth section (see pam_access(8) and access.conf(5) manual pages).

That said, PermitRootLogin No should work regardless. (PermitRootLogin without-password is the screw case.)