Not an expert, but did you look at certificate-based authentication? You can define your own certificate authority and allow only the certificates signed (it's a public key) by your CA to connect to your ssh server.
1 - Generate a key pair for the CA (and another for the remote user)
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/ca -m PEM
2 - Sign the public key of the user
ssh-keygen -s ca \
-I <user-name> \
-V 20191220:20201220 \
user_key.pub
<user-name> will be logged on your server every time a connection is opened with user_key.pub. -V stands for key validity.
3 - Allow on your LAN (ssh server)
TrustedUserCAKeys /secure/permission/ca.pub
This means any certificate signed with this CA will be granted access to your server. Of course, you can restrict which users are allowed to log in (particularly, prevent root login 😂).
Note: using certificate-based authentication, you can even choose what kind of features are allowed to be used with a particular certificate, a.k.a. AllowX11Forward and many more. Maybe a good reading of the ssh doc may provide you with a better approach for your use case: ssh(1)
Hope this will help.
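
The steps above, run end to end against a throwaway CA so the resulting certificate can be inspected; this is an added example, not part of the original post. It assumes ed25519 keys in a temporary directory and constructed names (alice-laptop, alice), and it adds -n (principals) and -O no-x11-forwarding, which the post's command does not use.

```shell
#!/bin/sh
# Added example: throwaway CA and user key in a temp dir (all names constructed).

# issue_cert KEY_ID PRINCIPALS [VALIDITY]
# Creates a CA and a user key, signs the user key, and prints the certificate
# fields as decoded by ssh-keygen -L. PRINCIPALS may be empty.
issue_cert() {
    key_id=$1
    principals=$2
    validity=${3:-+52w}
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 127; }
    dir=$(mktemp -d) || return 1

    # Step 1: one key pair for the CA, one for the remote user. Empty
    # passphrases only because these keys are deleted below; a real CA key
    # needs a passphrase and restricted access.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/ca" &&
        ssh-keygen -q -t ed25519 -N '' -C demo-user -f "$dir/user_key" ||
        { rm -rf "$dir"; return 1; }

    # Step 2: sign the user's public key. -I is the key ID that sshd logs,
    # -V the validity window, -n the account names the certificate may log in
    # as, -O no-x11-forwarding drops one of the default permissions.
    set -- -s "$dir/ca" -I "$key_id" -V "$validity" -O no-x11-forwarding
    if [ -n "$principals" ]; then
        set -- "$@" -n "$principals"
    fi
    ssh-keygen -q "$@" "$dir/user_key.pub" || { rm -rf "$dir"; return 1; }

    # Signing writes user_key-cert.pub next to the public key; -L decodes it.
    ssh-keygen -L -f "$dir/user_key-cert.pub"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# A certificate that may log in as account "alice".
issue_cert alice-laptop alice

# The same signing command without -n: the output shows "Principals: (none)".
# sshd_config(5) states that certificates lacking a list of principals are not
# permitted for authentication using TrustedUserCAKeys.
issue_cert no-principals ""
```

Step 3 is unchanged: the server only needs the CA's public key (ca.pub) in the file named by TrustedUserCAKeys.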