openssh defaults to "prohibit-password" since openssh-server v1:7.1p1-1,
breaking our existing change regarding without-password.
While at it also improve the script to not readd the PermitRootLogin
and UseDNS configs with every single run, instead check for our
own modifications and skip them in further runs.