Which users are allowed to log in via SSH by default?

Paradeepchhetri isn't exactly correct.

Debian's unmodified sshd_config has the following:

PubkeyAuthentication yes
PermitEmptyPasswords no
UsePAM yes

Thus, login via ssh would only work for users that have a populated password field in /etc/shadow or an ssh key in ~/.ssh/authorized_keys. Note that the default value for PubkeyAuthentication is yes and for PermitEmptyPasswords is no, so even if you remove them the behavior will be the same.

In the question example, www-data by default won't be allowed to log in since Debian's installer neither assigns a password nor creates a key for www-data.

pam_access, AllowUsers and AllowGroups in sshd_config can be used for finer control if that's needed. In Debian it's strongly encouraged to UsePAM.


By default, login is allowed for all users on Debian.

You can change this by editing the /etc/ssh/sshd_config file to allow only certain users to log in.

As mentioned in the man page of sshd_config:

AllowUsers

This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.


By default, SSH server isn't even installed. You would have to install the openssh-server package before anybody could SSH in.

After that, any user has to pass two checks:

  • SSH authentication
  • PAM account checks

SSH authentication means that either the user must have a valid password in /etc/shadow or they have a valid SSH public key with the right permissions in the target user's ~/.ssh/authorized_keys.

Valid passwords are described further in the crypt(3) man page, but basically if the user's 2nd field in /etc/shadow is anything starting with $NUMBER$, it's probably valid, and if it's * or !, it's invalid.

PAM account checks basically mean that the account is not expired. You can check that using chage -l USERNAME.

So to answer your questions, to my knowledge:

  1. Only root and the account you create during the installation wizard can log in on a new system
  2. No, because www-data has a hashed password of * and there is no ~www-data/.ssh/authorized_keys file
  3. There's no single list, because there are multiple requirements, but to get an idea, you could try running grep -v '^[^:]*:[!*]:' /etc/shadow
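A stricter form of that check, as an added example that is not part of the answers above: the one-line grep only drops accounts whose password field is exactly ! or *, so an account locked with passwd -l (hash prefixed with !) still shows up. The sketch below classifies shadow(5)-format lines and also reads the account-expiry field; the function names and sample entries are constructed for illustration, and keys in authorized_keys are not covered.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit shadow(5)-format data
# for accounts that could pass password authentication.

# Constructed sample entries, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$y$j9T$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
bob:!$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
carol:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7::19500:
dave::19000:0:99999:7:::
EOF
}

# Reads shadow-format lines on stdin, prints "user<TAB>status".
# $1 = today in days since 1970-01-01 (defaults to the current date).
classify_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^[[:space:]]*(#|$)/ { next }            # skip blanks and comments
        {
            pw = $2; expire = $8
            if (pw == "")                status = "empty"     # refused while PermitEmptyPasswords is no
            else if (pw ~ /^[!*]/)       status = "locked"    # *, !, !!, or ! in front of a hash
            else if (pw ~ /^\$[^$]+\$/)  status = "password"  # $6$..., $y$..., and similar
            else                         status = "unknown"   # e.g. legacy formats; review by hand
            # Field 8 is the account expiry date in days since the epoch.
            if (expire != "" && expire + 0 <= today) status = "expired"
            printf "%s\t%s\n", $1, status
        }'
}

# Prints only the accounts with a usable, unexpired password hash.
password_login_candidates() {
    classify_shadow "$@" | awk -F'\t' '$2 == "password" { print $1 }'
}

# Stand-alone run on the constructed sample, with a fixed "today" of day 20000.
sample_shadow | classify_shadow 20000
```

On a real host, feed it the actual file as root: `classify_shadow < /etc/shadow`.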