1. Start with root to bind the port below 1024.

2. give up root because you don't need it any further.

3. Only accept non-root logins

4. when a user creates a session, if they need root within the session they can obtain it via sudo or su.

The remote daemon has its own account and is given a privilege that allows it to connect a network socket to a pseudo terminal.