Reverting root's login shell to /bin/csh triggered requests to add
back toor.  I'd intended to leave that as-is till we fixed the security
scripts to not warn about toor.

The obvious technical question is whether to filter out just
    ^toor:*:
or try and filter out all login accounts with disabled passwd fields.

Comments?  Do we Really Need a /bin/sh superuser login until this gets
resolved, even with the warnings from /etc/security?

(i guess tech-userlevel might be more appropriate for the techincal
discussion, but since it's here, ...)