Subject: Re: sshd Change: PermitRootLogin = no
To: NetBSD Security Technical Discussion List <tech-security@netbsd.org>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 09/06/2001 11:31:56
>I don't know what "real world" you live in, but in my "real world"
>nobody ever logs in directly as root except on the physical consoles on
>any machines I manage, and they only login on the console when a system
>needs shutting down or some such thing.

I've set up quite a number of machines where all accounts have uid=0.
This allows each admin to have a different password (for console access).
Network login was only allowed by SSL telnet using X.509 certs, but
SSH would probably have sufficed. I guess you'd call them multi-admin
boxes :-)

The beauty of that setup is that all set-*id bits can be removed
(or, in the case of say sendmail, changed to something less privileged;
sendmail only used for forwarding mail, not accepting smtp btw).
Actually most of *nix was removed but that's another issue.

All processes on the box are either privileged because they are being run
by an admin who should know, or un-privileged with no means of escape.
Audit trails (for what they are worth) are not compromised, since the logs
will show that sjg logged in, and sjg reconfigured blah.

Personally I like the idea of allowing "root" logins - though not via 
passwords.   I also like the notion of "this guy is able to authenticate as 
root, so let him authenticate as anyone" - again I'm only talking about 
RSA authentication - I disable all the others usually.  This allows one to
scp file uucp@host:/dest to be able to remotely propagate files without having
to replicate .ssh/authorized_key* to every directory.
This was one reason we use SSLr* for the above rather than ssh, since you 
could allow an X.509 cert root privs and it could be used to authenticate 
as anyone.  No real loss of audit trail either.  

>The point in this thread is/was to ensure that the *default*
>configuration of NetBSD is such that it's more difficult for any
>attacker to gain un-auditable access even if the root password is
>accidentally revealed in some way.

So making the default to deny root authentication via password
would meet that criterion (though with ~/.ssh on NFS etc. password is the
only really safe option that ssh allows :-). That's the other reason
I don't like SSH.  That doesn't stop me using it though :-)

--sjg
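The setting the thread is arguing about ("deny root authentication via password, keep key-based root") can be checked mechanically. The script below is an added example, not part of the list discussion: it applies OpenSSH's first-match rule to an sshd_config and reports whether a password alone can still open a root session. The sample configs are constructed; the defaults assumed are those of a modern OpenSSH (PermitRootLogin has defaulted to prohibit-password since 7.0, older releases defaulted to yes).

```python
"""Audit an sshd_config for root-over-password exposure (added example)."""
import re

# Assumed defaults for a modern OpenSSH; adjust for the release you run.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}

# Older spelling of the same keyword (ChallengeResponseAuthentication).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    """Return {keyword: value} for global directives, first match wins.

    sshd uses the first value it sees for a keyword; later duplicates are
    ignored. Keywords are case-insensitive and may be followed by '='.
    Conditional 'Match' blocks are out of scope: parsing stops there.
    """
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        seen.setdefault(ALIASES.get(key, key), val)
    return seen

def root_password_login_allowed(text):
    """True if a password alone can get a root shell over the network.

    Keyboard-interactive (PAM) normally still prompts for a password, so it
    is counted as a password path; this is deliberately conservative.
    """
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    prl = cfg["permitrootlogin"].lower()
    if prl == "without-password":      # pre-7.0 name for prohibit-password
        prl = "prohibit-password"
    password_path = (cfg["passwordauthentication"].lower() == "yes"
                     or cfg["kbdinteractiveauthentication"].lower() == "yes")
    return prl == "yes" and password_path

# Constructed samples: the permissive setting and its hardened form.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("PermitRootLogin prohibit-password   # root only with a key\n"
            "PasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\n"
            "PubkeyAuthentication yes\n")
```

Feeding a real file is `root_password_login_allowed(open("/etc/ssh/sshd_config").read())`; a `Match` block that re-enables passwords for root would need separate review.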