From version 4.3p2, sshd supports an interesting option called Match. At the time of writing, this is the version supplied with Debian Etch (stable).
This patch extends sshd_config to support syntax such as:
AllowTcpForwarding no Match Address 192.168.32.*,127.0.0.1 AllowTcpForwarding yes GatewayPorts no Match User bar,baz AllowTcpForwarding yes Match Host t* AllowTcpForwarding yes
Unfortunately, only a subset of keywords may be used on the lines following a Match keyword. Available keywords are:
AllowTcpForwarding Banner ChrootDirectory ForceCommand GatewayPorts GSSAPIAuthentication HostbasedAuthentication KbdInteractiveAuthentication KerberosAuthentication MaxAuthTries MaxSessions PasswordAuthentication PermitOpen PermitRootLogin RhostsRSAAuthentication RSAAuthentication X11DisplayOffset X11Forwarding X11UseLocalHost
Still, I found this extremely useful in, for instance, permitting root login only from the local network and to allow me to login with a password only from IP’s i really trust. At other places I force myself to use a public key with a painfully long passphrase. Sadistic security rules.