Hi Bob,
My preferred setup is to restrict access to /bin/su (using chgrp and chmod) so that only administrators can use it. That way a cracker needs to discover *two* passwords to become superuser. So there is some benefit in banning root logins via ssh.
Bob
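A defender's check for the /bin/su restriction described above, added here as an example and not code from the original thread. It runs against a constructed stand-in file so that no root privileges are needed; the admin group name (wheel) is an assumption, since the thread names none.

```sh
#!/bin/sh
# Added example: audit whether a su-style binary is restricted to its owning group,
# i.e. "other" holds no execute bit, so only members of that group can run it.
# Prints the owning group so the auditor can confirm it is the admin group.
su_is_group_restricted() {
    f="$1"
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 2; }
    grp="$(ls -ld "$f" | awk '{print $4}')"
    # POSIX find: "-perm -o+x" matches only when the world-execute bit is set.
    if find "$f" -prune -perm -o+x | grep -q .; then
        echo "$f is world-executable (owning group: $grp)" >&2
        return 1
    fi
    echo "$f is restricted to group $grp"
    return 0
}

# Apply the restriction the post describes: chgrp to the admin group, then strip
# all "other" permissions. The group name is an assumption (wheel/adm/sudo vary by
# distribution); on the real /bin/su both commands must be run as root.
restrict_to_group() {
    f="$1"; grp="${2:-wheel}"
    chgrp "$grp" "$f" 2>/dev/null || echo "chgrp $grp skipped (no such group or not permitted)" >&2
    chmod o-rwx "$f"
}

# Constructed stand-in for /bin/su so the check can be exercised without root.
# The real binary is also setuid root (mode 4755); the setuid bit does not affect
# this check, which only looks at the world-execute bit.
make_fake_su() {
    f="$(mktemp)"
    chmod 755 "$f"
    printf '%s\n' "$f"
}

# Usage on a real host (as root): restrict_to_group /bin/su wheel; su_is_group_restricted /bin/su
```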
Since we are talking paranoia... :-) I keep it this way: the more often I have to type a password, the more likely it is that it gets sniffed. I use ssh all over the place for just about everything, and sniffing the ordinary way wouldn't work. But what about X-clients that sniff the X-server (X -nolisten tcp) or similar? Therefore I never type a password except for the screensaver; I usually don't log on as root if I don't have to. Using a password to become root remotely, though, is not an option.
Roman.