I totally agree with your points about adding the option to rlogind, it would
be silly.  IMHO, I think the ptys should interact with telnetd, rshd and
rlogind like so:

1) If the pty entry in /etc/ttys is marked as insecure, then telnetd, rshd and
   rlogind show all disallow root access for that specific pty.
2) If the pty entry in /etc/ttys is maked as secure, then telnetd should allow
   root logins for that pty.
	2a) In addition, if a proper .rhosts file exists for root, then it
	    should be used by rlogind and rshd.

I realize that for BSD 4.3, rshd doesn't usually check the tty for security (
I'm referring to Figure 9.1 of Stevens' Network Programming Book ) but it would
seem that if you wouldn't allow telnet's via root for that pty they why allow
something like an 'rsh foo "csh -i"' ( BTW, Thanks to Greg Earle for this
interim fix.  I think this might even work for Solaris 2.X, but I haven't tried
yet. :)

About the consistency with logging between rshd and rlogind, after looking at
the code it seems that since they both basically share the same authentication
scheme, so maybe just making a shared authentication function set would help,
you could also make some of the logging features the same within this function
set.  

Sorry for the verbosity, inanity and rambling in this message, but it's late,
I'm tired and I've been staring at this code for too long.

Thanks for reading through this,
--Brian