Root Login with Public Key?

[tbutler]

For as long as I can remember, I've disabled direct root login and required logging into a wheel group user first. But I've been thinking about installing an SSH key for root login; from a security standpoint is there any downside to this over what I've been doing? In theory, it seems to me, if I'm only allowing key-based authentication, a direct root login shouldn't be inherently insecure. Am I thinking correctly?

 

[cPRex]

Hey hey! You'll likely get mixed opinions on this. If for some reason the key gets compromised then they'd have direct root access, but what are the odds of that? I'm a fan of changing the SSH port, so any automated tools that are trying to log in can't even see the service running.

 

[quietFinn]

I have changed SSH port, SSH direct root login is disabled, only one user in wheel group so that user can su to root, that user has keys to login, and if that does not work can login with (VERY long) password.
If for ex. cPanel support needs to login I create user for that and add it to wheel group, AND remove it and change (VERY long) root password when work is done.
I use RoboForm password manager so I only need to remember one password.