OK, so I have:
AllowUsers [my login name] <---my login, not root
I was also curious why the daemon is logging the way it is with these settings--I'm assuming it is showing the user name in the auth failure because the user name is being passed as a parameter, yes? So then the name isn't in the AllowUsers list and the daemon reports the "not listed in AllowUsers" entry...
Aside from some sort of url/parameter list overload or exploit to the daemon, with these settings, the cracker would need to know your private and public keys AND AllowUsers name to gain entry, correct? And given the two key sizes, aside from an act of the almighties, the chances of brute force are beyond the realm of possibility.