I may be misunderstanding the question...if so forgive me.
The object of the exercise as far as my limited knowledge of web servers goes is this...
1. Having ssh logins for users, in general, is a terrible idea for most web servers. That means no user should be given ssh login ability unless you are prepared to spend a good deal of time making sure you are both capable and willing to really lock down the web server.
2. If the ssh login is just for a single user, or small group who you have excellent control over, then it's by far one of the most secure forms of communication between yourself and your server!
So the above two scenarios at first glance seem to completely contradict each other, however, that is not exactly a good illustration of the problem. The problem is that one of the most secure forms of communication (ssh) is potentially the most catastrophic to the server should it get hacked! Some of the issues are:
- users being able to see files that don't belong to them
- users potentially running dangerous commands
- ssh can still be brute forced
Whilst all of the above are not beyond fixing, I don't allow any SSH access to my webservers for anyone else but myself. If clients have use of a file manager, or even a CMS such as WordPress, I don't see any good reason why they need ssh/sftp access (or alternatively, ftp/ftps for that matter).
Now, in terms of root user access from terminal...
The reason we are told to disable "root user" ssh or shell access is:
1. just in case the root account gets hacked! Such a scenario would be catastrophic to your web server!
2. so you can't stuff your system so easily when playing around on a live production system!
So the recommended alternative is to create a sudoer user...which has rights similar to root for most things, however, does not have access to high-level directories that can be used to completely destroy the server either intentionally or unintentionally.
A sudoer should not be able to edit/write to root-owned directories unless group permissions have been assigned that allow such access!
Short and curly...create a sudoer administrator user and provide access to ssh for that user. Usually one then disables direct access to ssh by root.
Should you be in command shell via programs such as putty for example, then in order to gain root access, you then elevate your sudo user to temporarily gain root access using a few different methods...
1. sudo
2. sudo -i
3. su
4. sudo -s
I am also able, on one of my systems, to change an existing user to root by typing "su root".
I also do not see any great advantage in using private key files either. Sure it makes brute forcing the server account directly almost impossible, if someone gets access to your keyfiles on your desktop pc (because home computers have such great reputations for getting viruses and trojans etc)....
Finally, I think there is some misconception about the "Control Panel" root user access, and normal shell/command prompt access. Disabling the root user shell access doesn't mean the control panel is going to stop functioning!
This is my understanding of the why and how.
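
An added example, not part of the original post: a small Python audit of an `sshd_config` text for the setup the post describes (direct root SSH login disabled, SSH limited to one administrator account). The account name `webadmin` and the sample configuration are constructed for illustration; `Include` files are not followed and `Match` blocks are skipped.

```python
# Added example. OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# Constructed sample, not taken from a real server; "webadmin" is hypothetical.
SAMPLE = """\
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers webadmin
AllowUsers client1
Match User client1
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Return the global values sshd would use for the keywords audited here."""
    single, allow_users = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break  # lines after Match apply only conditionally
        if key == "allowusers":
            allow_users += value.split()  # repeated AllowUsers lines accumulate
        else:
            single.setdefault(key, value.lower())  # first occurrence wins
    settings = {k: single.get(k, d) for k, d in DEFAULTS.items()}
    settings["allowusers"] = allow_users
    return settings

def audit(config_text, admin_user):
    """Return findings; an empty list means only admin_user can log in, by key."""
    s, findings = effective_settings(config_text), []
    if s["permitrootlogin"] != "no":
        findings.append("root may log in over SSH: PermitRootLogin " + s["permitrootlogin"])
    if s["passwordauthentication"] != "no":
        findings.append("password logins enabled, so password guessing is possible")
    extra = [u for u in s["allowusers"] if u.split("@")[0] != admin_user]
    if not s["allowusers"]:
        findings.append("no AllowUsers line: any account with a shell may log in")
    elif extra:
        findings.append("accounts besides the admin may log in: " + ", ".join(extra))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "webadmin")))
```

In the sample, the second `PermitRootLogin no` line has no effect because sshd keeps the first value it reads for that keyword, so the audit still reports root login as enabled.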