Secure SSH without disabling ssh

I ran into a delima with wanting to secure sss. My requirements were simple:

1 - Allow ssh over port 22 for regular users
2 - Deny root for port 22
3 - Allow root on a non-standard port
4 - Managable via init scripts

The answer was to spawn a 2nd sshd on a 2nd port and deny root access on sshd port 22. But having it manged via init.d was tricky. But here's how I did it on my RHEL4 box (applical to nearly any RHEL or Fedora release).

1 - Copy /etc/ssh/sshd_config -> /etc/ssh/sshd_config.root
2 - Lock down the current sshd. Uncomment the following line:

PermitRootLogin no

3 - Specify a port in /etc/ssh/sshd_config.root other than port 22 and make sure you have PermitRootLogin set to yes or commented out.
4 - Make the following changes to /etc/rc.d/init/sshd

--- sshd.orig 2006-05-27 23:15:11.000000000 -0400
+++ sshd 2006-05-27 23:15:43.000000000 -0400
@@ -24,6 +24,7 @@
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
+OPTIONS="-f /etc/ssh/sshd_config.root"
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
@@ -104,6 +105,7 @@
do_dsa_keygen

echo -n $"Starting $prog:"
+ initlog -c "$SSHD" && success || failure
initlog -c "$SSHD $OPTIONS" && success || failure
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd

And your done. It's a bit of a hack, but it works. Restarting the sshd service will bring down both deamons and start both daemons. You can even combine this with port knocking tricks or for the really paranoid, my recent tip about dictionary attack blocking.