I am pretty sure this can be done using PAM (i.e. pam_access.so and /etc/security/access.conf), but this was under a Unix that doesn't support PAM (but has its own framework).
I wanted to deny some users outright, permit the rest access from the local network and some users (specified in a Unix group) unrestricted access, e.g.:

    # @(#) /etc/ssh/sshd_config
    # ...
    # >> This does *not* work << -- See sshd_config(5)
    DenyUsers root postfix
    AllowUsers *@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16
    AllowGroups ssh_access

Looking at the code in auth.c, it turns out that modifying this without doing too much violence to the original is fairly straightforward.

    # @(#) /etc/ssh/sshd_config
    # Turn on alternate policy otherwise business as usual.
    AlternateAllowPolicy yes
    # What do we do if we don't allow or deny a user explicitly?
    AllowByDefault no
    DenyUsers root postfix
    AllowUsers *@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16
    AllowGroups ssh_access

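Why the first configuration fails and what the second is meant to achieve, as an added C model that is not part of the patch or of OpenSSH: stock sshd requires a user to pass every allow/deny list that is set, so AllowUsers and AllowGroups combine as AND. `wanted_policy` is an assumed reading of the policy described above (the patch's own logic is not shown on this page); the struct, function names and sample attempts are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed model of one login attempt; not OpenSSH's own structures. */
struct attempt {
    const char *user;
    uint32_t addr;  /* client IPv4 address, host byte order */
    bool in_group;  /* member of ssh_access */
    bool denied;    /* listed in DenyUsers */
};

static bool in_cidr(uint32_t addr, uint32_t net, int bits)
{
    uint32_t mask = bits ? ~(uint32_t)0 << (32 - bits) : 0;
    return (addr & mask) == (net & mask);
}

/* The three ranges from the AllowUsers line. */
static bool from_local_net(uint32_t addr)
{
    return in_cidr(addr, IP(10, 0, 0, 0), 8) ||
           in_cidr(addr, IP(172, 16, 0, 0), 12) ||
           in_cidr(addr, IP(192, 168, 0, 0), 16);
}

/* Stock sshd: a user must pass every allow/deny list that is set. */
bool stock_policy(const struct attempt *a)
{
    return !a->denied && from_local_net(a->addr) && a->in_group;
}

/* Assumed wanted policy: deny wins, any allow admits, else the default. */
bool wanted_policy(const struct attempt *a, bool allow_default)
{
    return !a->denied && (from_local_net(a->addr) || a->in_group || allow_default);
}

int main(void)
{
    struct attempt t[] = { /* constructed sample attempts */
        {"alice", IP(10, 1, 2, 3), false, false},
        {"bob", IP(203, 0, 113, 7), true, false},
        {"root", IP(10, 1, 2, 3), true, true},
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-6s stock=%d wanted=%d\n", t[i].user,
               stock_policy(&t[i]), wanted_policy(&t[i], false));
    return 0;
}
```

Under the stock rules both alice (local, not in the group) and bob (in the group, remote) are rejected, which is the failure the first configuration's comment points at.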
The patch in files/ is against openssh 5.9p1 but the code in the affected files (auth.c, servconf.c, servconf.h) has remained substantially unchanged from 5.8p1.
Unpack the openssh-5.9p1 tarball, apply the patch, and configure with the usual switches, appending:

    ./configure --prefix=/opt/openssh-5.9 --sysconfdir=/etc/openssh-5.9 \
        --with-cppflags="-DALTERNATE_AUTH_POLICY=1"