Any opinions on the following: when I am using an OpenSSH CA and issue role-based principals. Should I allow root-login or create sth. like a sysadmin-user and give each admin access to that user with pw-less sudo instead of root? So far no extra protected jump hosts involved.