I wasn't happy with the idea that an intruder from the Internet could get root in this system by password-guessing. Well, one-step password guessing is excluded by the "without-password" policy for PermitRootLogin. But two-step password-guessing was still possible via a user from the group wheel. To strengthen the security by excluding this possibility, I made the configuration below.

The effect of that directive is not exactly the same as that of "PermitRootLogin without-password": under the "without-password" policy, the password is still requested on login attempts, but the login simply never succeeds with a password. Under the "PasswordAuthentication no" setup, the password method is not suggested on a login attempt at all for the group wheel.

One side-effect of this configuration is that the password is no longer requested for root either (if root is in group wheel). So, this configuration would unfortunately disclose some bits of information about the real configuration of sshd.

If this configuration is made the default, there is a drawback for users of "personal" computers which will never be exposed to the Internet: in their local relatively safe nets, the users from the group wheel will probably be irritated by the impossibility of logging in with a password. But this thing can be configurable through the configuration tool (alterator?) used to turn sshd on (by default, sshd is turned off in, say, ALT Lite 4.0.3).

imz at altlinux.org.

--- sshd_config.factory 2008-09-22 22:14:18 +0400 +++ sshd_config 2008-09-22 22:23:36 +0400 @@ -35,6 +35,7 @@ #LoginGraceTime 2m #PermitRootLogin without-password +# -- this policy is extended to group wheel (see a Match below). #StrictModes yes #MaxAuthTries 6 @@ -115,3 +116,7 @@ # X11Forwarding yes # AllowTcpForwarding no # ForceCommand cvs server + +# An extension of the policy "PermitRootLogin without-password": +Match Group wheel + PasswordAuthentication no
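
Review bot: In the first hunk (@@ -35,6 +35,7 @@), the added comment annotates `#PermitRootLogin without-password`, which is itself commented out, so the file never sets the policy that the Match block is said to extend and the extension rests on the built-in default. Consider uncommenting that line so the root policy is explicit, and let the comment name the block it points to, for example "see Match Group wheel at the end of this file".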
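
Review bot: In the second hunk (@@ -115,3 +116,7 @@), the Match block turns off only PasswordAuthentication; if keyboard-interactive authentication is enabled elsewhere in the file (not visible in these hunks), a PAM password prompt can still reach members of wheel. Consider adding `KbdInteractiveAuthentication no` inside the block, or confirming it is disabled globally. Because a Match block runs until the next Match line or the end of the file, a comment stating that this block must stay last would keep directives appended later from silently being scoped to wheel only.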
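
The scoping described in the message, as an added example that is not part of the original post or of OpenSSH: a simplified Python model of how a keyword is resolved for a user's groups when a `Match Group` block is present. The function names (`parse`, `block_matches`, `effective`) and the sample text are constructed for illustration, and only `Match Group name[,name...]` is modelled.

```python
# Added example: simplified model of how sshd resolves a keyword for one user.
# Only "Match Group name[,name...]" is modelled (no patterns, negation, other criteria).

# Constructed sample: the relevant lines of the patched sshd_config from the post.
SAMPLE_CONFIG = """\
#PermitRootLogin without-password
# -- this policy is extended to group wheel (see a Match below).
#MaxAuthTries 6

# An extension of the policy "PermitRootLogin without-password":
Match Group wheel
    PasswordAuthentication no
"""

DEFAULTS = {"passwordauthentication": "yes"}  # OpenSSH built-in default


def parse(config_text):
    """Return (global_settings, match_blocks); the first value of a keyword wins."""
    global_settings, blocks, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":  # a Match block runs to the next Match or end of file
            current = {"criteria": value.split(), "settings": {}}
            blocks.append(current)
        else:
            target = global_settings if current is None else current["settings"]
            target.setdefault(keyword, value)
    return global_settings, blocks


def block_matches(criteria, groups):
    if len(criteria) == 2 and criteria[0].lower() == "group":
        return any(name in groups for name in criteria[1].split(","))
    raise ValueError("unsupported Match criteria: %r" % (criteria,))


def effective(config_text, keyword, groups):
    """Effective value of keyword for a user in the given groups (None if unset)."""
    global_settings, blocks = parse(config_text)
    keyword, groups = keyword.lower(), set(groups)
    for block in blocks:  # the first satisfied block that sets the keyword wins
        if block_matches(block["criteria"], groups) and keyword in block["settings"]:
            return block["settings"][keyword]
    return global_settings.get(keyword, DEFAULTS.get(keyword))
```

On a live system, sshd's own extended test mode (`sshd -T` with `-C` connection parameters) reports the settings the daemon would actually apply for a given user.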