I would like to get the word on how to best set up my sshd server to allow
root on a single client hostbased authorization to several servers - as
securely as possible.
I have a requirement to have unattended root access to these systems.
I need to have hostbased work for root only. No non-root users should be
able to use hostbased, but kerberos instead.
I would be using openssh 4.3p2.

Is there anything wrong or poorly configured with what I have below?

As I see it, I would configure the server with the 3 config files ....

/etc/ssh/sshd_config:

# Essential for Hostbased for root -
PermitRootLogin without-password
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts no

# For Kerberos - non-root
KerberosAuthentication yes
GSSAPIAuthentication yes

# Optionally
StrictModes yes
RSAAuthentication no
PubkeyAuthentication no
# I would augment access control with pam_access.
UsePAM yes

--------
/root/.shosts:


--------
/etc/ssh/ssh_known_hosts: