By having the "AllowUsers root" line in the sshd configuration file, you're telling sshd that *only root* is allowed to login; the AllowUsers directive instructs sshd to only allow the explicitly specified users, and to deny access to everyone else.
Because the "PermitRootLogin yes" line is commented-out, root, also, is disallowed from logging in.
This means neither the 'gentoo', 'root', nor any other users may login via ssh until the /etc/ssh/sshd_config file is modified.
If the user wishes to use ssh to continue initial configuration of a system, he has two options in editing the sshd_config file:
1) He can remove the "AllowUsers root" line, so that some other user may connect.
2) He can uncomment the "PermitRootLogin yes" line, so that root may log in. (And this is such a bad outcome, people in the Gentoo support IRC channels often refuse to assist users whose ident comes back as 'root'.
If I'm correctly familiar with the history of this, the addition of the 'gentoo' user was as a security improvement measure. Older versions of the live dvd gave the operator a root login to KDE.
If I read the KDM login screen correctly, the 'gentoo' user only has a four-character password, which is disturbingly short. (I don't know how random it is, or whether it uses uncommon characters)
If the reason for the 'AllowUsers root' is to prevent crack attempts against the 'gentoo' user's four-character password, then removing that line creates a security vulnerability for gentoo; the "gentoo" user's password becomes vulnerable to a quick crack.
A few further changes might be:
1) Allow the user to select a username immediately after selecting a keymap.
2) Allow the user to select a password after selecting a keymap.
3) Use a longer randomized password
this seems a bug to me. We should not be setting "AllowUsers root" in the DVD.
I'll further note that I tested, and was *not* able to log in as root over ssh with the default configuration, even after I set a password for root.
The current configuration of sshd on the DVD does not seem to allow any authenticated connection. It may possible there's a way to do it via PAM, but I don't know how that'd work; the inaccessibility of the SSH daemon feels like an interaction between "AllowUsers root" and the implicit "PermitRootLogin no".
Could this be added to a checklist somewhere, and have the status updated? I'm working on following up with and clearing out my old bug reports.
this will be fixed in 13.0 release. stay tune.