The rationale behind this is that it should be possible to log on to a freshly installed machine in some way. Since the root account is the only one upon completion of the installation to have a valid password, the setting is "yes". If there should be any remote access after a fresh installation at all, then it is considered safest to use ssh.
Please note that the settings include

    PermitEmptyPasswords no    # in both openssh and ssh

which means that the admin is protected against himself in terms of passwords related to remote logins. Anything more would be uncivilized.
Please disable the option on your own if you feel uncomfortable with it. I bet that thousands of users would complain if this detail is changed.
What is confusing is the rc.config setting ROOT_LOGIN_REMOTE. It only covers telnet, which no sane security-minded person would use anyway. The comments do not indicate this however, so one might think that no remote login was possible at all when this is set to "no", very unfortunate! It would seem logical to let ROOT_LOGIN_REMOTE affect all kinds of remote shells, if possible, or at least put a comment on it that it only affects telnet.

Regards,
Simon Lodal
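
Added example, not part of the original messages: a shell check that reads an sshd_config and an rc.config side by side and flags the mismatch discussed in this thread, where ROOT_LOGIN_REMOTE is "no" while sshd_config does not itself refuse root. The function names and the sample file contents are constructed for illustration, and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example: compare sshd's root-login settings with ROOT_LOGIN_REMOTE.

# First value set for KEYWORD in an sshd_config-style file ("unset" if absent).
# sshd keywords are case-insensitive and the first occurrence is used.
sshd_value() {
    awk -v key="$1" '
        { sub(/#.*/, "") }                                   # drop comments
        !found && tolower($1) == tolower(key) { print tolower($2); found = 1 }
        END { if (!found) print "unset" }
    ' "$2"
}

# Last value assigned to NAME in an rc.config-style file ("unset" if absent).
rc_value() {
    awk -F= -v name="$1" '
        $1 == name { gsub(/[" \t]|#.*/, "", $2); v = $2 }    # strip quotes/comment
        END { print (v == "" ? "unset" : v) }
    ' "$2"
}

# Print both views. Returns 1 when rc.config says "no" but sshd_config
# does not explicitly refuse root logins.
root_ssh_report() {
    root=$(sshd_value PermitRootLogin "$1")
    empty=$(sshd_value PermitEmptyPasswords "$1")
    remote=$(rc_value ROOT_LOGIN_REMOTE "$2")
    echo "sshd_config: PermitRootLogin=$root PermitEmptyPasswords=$empty"
    echo "rc.config:   ROOT_LOGIN_REMOTE=$remote"
    if [ "$remote" = "no" ] && [ "$root" != "no" ]; then
        echo "MISMATCH: ROOT_LOGIN_REMOTE=no, but sshd_config does not refuse root"
        return 1
    fi
}

# Constructed sample input matching the settings discussed in the thread.
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'PermitEmptyPasswords no  # in both openssh and ssh' > "$demo/sshd_config"
printf '%s\n' 'ROOT_LOGIN_REMOTE="no"' > "$demo/rc.config"
root_ssh_report "$demo/sshd_config" "$demo/rc.config" || echo "(exit status 1)"
rm -rf "$demo"
```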