I just tested again and can login to toor over ssh even without it having no shell configured in passwd. It uses csh. So it seems a misunderstanding here, it blocks su but not direct ssh login. So regardless of this, someone can setup an alternative shell for root and then enable the toor account for su. Still not a disaster to change root's shell.
Jan 21 09:38:36 vm1 sshd: Accepted publickey for toor from 192.168.1.124 port 54316 ssh2
# id uid=0(root) gid=0(wheel) groups=0(wheel)
# grep toor /etc/passwd toor:*:0:0:Bourne-again Superuser:/root: