>Ideally, this restriction should be based on the public key of the pair but I've not seen in sshd_config(5) a way for the Match directive to use the public key as its trigger
Not an expert, but did you look at certificate-based authentication? You can define your own certificate authority and allow only the certificates signed by your CA (it's a public key) to connect to your SSH server.

1. Generate a key pair for the CA (and another for the remote user):

    $ ssh-keygen -t rsa -b 4096 -f ~/.ssh/ca -m PEM

2. Sign the public key of the user:

    $ ssh-keygen -s ca \
        -I <user-name> \
        -V 20191220:20201220 \
        user_key.pub

   <user-name> will be logged on your server every time a connection is opened with user_key.pub. -V stands for key validity.

3. Allow it on your LAN (SSH server):

    TrustedUserCAKeys /secure/permission/ca.pub

   This means any certificate signed with this CA will be granted access to your server. Of course you can restrict which users are allowed to log in (particularly prevent root login 😂).

Note: using certificate-based authentication, you can even choose what kind of features are allowed to be used with a particular certificate, a.k.a. AllowX11Forward and many more. Maybe a good reading of the SSH docs may provide you a better approach for your use case: ssh(1). Hope this will help.
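The three steps above as one runnable script, added here as an example and not part of the original answer. It works in a throw-away directory, pins the certificate to a single principal, uses a relative validity window, and drops two features per certificate so you can see them disappear from `ssh-keygen -L`; the principal name `alice`, the key ID and the `/etc/ssh/ca.pub` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away SSH CA,
# sign a user key with a principal, a validity window and per-certificate
# restrictions, then inspect the result. Assumes ssh-keygen is installed.
set -eu

# Work in a temporary directory so nothing touches ~/.ssh.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: CA key pair and a separate key pair for the remote user
# (ed25519 instead of rsa-4096 only to keep the example fast).
ssh-keygen -q -t ed25519 -N '' -C 'lab-ca' -f "$WORK/ca"
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/user_key"

# Step 2: sign the user's public key.
#   -n  pins the login name(s) the certificate may be used for
#   -V  limits its lifetime (here: valid from yesterday for 52 weeks)
#   -O  removes features the user does not need
# The certificate is written to user_key-cert.pub next to the public key.
sign_user_cert() {
  ssh-keygen -q -s "$WORK/ca" \
    -I 'alice-laptop-2020' \
    -n alice \
    -V -1d:+52w \
    -O no-port-forwarding -O no-x11-forwarding \
    "$WORK/user_key.pub"
}

# Print the principals embedded in the certificate (one per line).
cert_principals() {
  ssh-keygen -L -f "$WORK/user_key-cert.pub" |
    awk '/Principals:/{flag=1; next} /Critical Options:/{flag=0} flag{gsub(/^ +/,""); print}'
}

# Print the extensions section; permit-x11-forwarding and
# permit-port-forwarding must be absent after the -O options above.
cert_extensions() {
  ssh-keygen -L -f "$WORK/user_key-cert.pub" | sed -n '/Extensions:/,$p'
}

# Step 3 (server side, assumed path): trust the CA, then sshd accepts any
# certificate it signed whose principal matches the login name:
#   TrustedUserCAKeys /etc/ssh/ca.pub
sign_user_cert
cert_principals
cert_extensions
```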