@jabenninghoff
Last active December 20, 2015 16:15
Configure ssh to require public-key based authentication only for external networks

Given: my local network is 10.1.1.0/24, my username is jabenninghoff, my ssh host is ssh.example.com, my host's address is 10.1.1.17, my ssh port is 22, and I'm connecting from either 10.1.1.33 (locally) or 172.16.1.20 (remotely)
When: connecting from the local network
Then: allow default ssh authentication methods

When: connecting from other networks
Then: require key-based authentication

Configure using a Match rule:

Match Address *,!10.1.1.*
    AuthenticationMethods publickey

The Match rule states "match all addresses except 10.1.1.*". As noted in the OpenSSH Cookbook, "Note that for negation a wildcard must be specified first and then the address or range to be excluded following it."
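As an added illustration (not part of the gist), the Python below models the rule sshd applies to a Match Address list: entries are tried left to right, a matching negated entry rejects the list immediately, and the list only matches if at least one non-negated entry matched, which is why the leading `*` is required. The result constants and the `auth_methods_for` helper are this example's own names, and it assumes the gist's Match block is the only one in the config.

```python
"""Model of how sshd evaluates a 'Match Address' pattern list (added example)."""
import fnmatch
import ipaddress

# Result codes modelled on sshd's internal tri-state, not an sshd API.
MATCH, NO_MATCH, NEGATED = 1, 0, -1


def addr_match_list(addr: str, pattern_list: str) -> int:
    """Return MATCH, NO_MATCH or NEGATED for addr against pattern_list.

    Entries are comma-separated; each is a CIDR block (tried first) or a
    '*'/'?' wildcard on the textual address; a leading '!' negates it.
    """
    ip = ipaddress.ip_address(addr)
    got_positive = False
    for raw in pattern_list.split(","):
        negated = raw.startswith("!")
        pat = raw[1:] if negated else raw
        if not pat:
            raise ValueError("empty entry in address list")
        try:
            # CIDR (or a bare address) takes precedence over wildcards
            matched = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            # not CIDR: fall back to a wildcard match on the address string
            matched = fnmatch.fnmatchcase(addr, pat)
        if matched:
            if negated:
                return NEGATED      # a negated hit rejects the whole list
            got_positive = True     # keep scanning for a later negation
    return MATCH if got_positive else NO_MATCH


def auth_methods_for(addr: str, match_pattern: str = "*,!10.1.1.*") -> str:
    """Effective AuthenticationMethods for a client at addr under the gist's rule.

    Assumption: an unmatched client keeps sshd's default (any configured
    method), represented here as the string 'default'.
    """
    if addr_match_list(addr, match_pattern) == MATCH:
        return "publickey"
    return "default"
```

Dropping the wildcard (`Match Address !10.1.1.*`) makes `addr_match_list` return NO_MATCH for every outside address, so the block would never apply to the remote clients it is meant for.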

Test the sshd config as a whole, then simulate a local connection and a remote connection:

sshd -T
sshd -TC user=jabenninghoff,host=ssh.example.com,laddr=10.1.1.17,lport=22,addr=10.1.1.33
sshd -TC user=jabenninghoff,host=ssh.example.com,laddr=10.1.1.17,lport=22,addr=172.16.1.20

The result of the second test should include:
authenticationmethods

The result of the third test should include:
authenticationmethods publickey

Thanks to the FreeBSD Forums for the solution!
