Require Google Authenticator for SSH, except for whitelisted source IPs


Has anyone worked out a way of enabling Google Authenticator (security/pam_google_authenticator) on a FreeBSD host to require one-time passwords for ssh(1) connections, except for those from a whitelisted IP address range?

I need to add this extra layer of protection to my hosted server as I have had to re-enable challenge-response authentication to enable connecting through www/shellinabox, which precludes use of public-key authentication.

Searching the web for this topic returned this servervault post, but the replies there seem to be applicable to a different pam(3) implementation, probably on a Linux system. They use configuration syntax that FreeBSD's pam doesn't support, and a pam_access module that it doesn't have, that can base policy on IP addresses.

At first glance, FreeBSD's pam doesn't include any similar module, so what I want doesn't seem to be possible.

I could run a second sshd(8) instance, with pam_google_authenticator enabled for all connections to the primary one, and disable PAM and allow public-key authentication only on the second one, but this is a bit kludgey.

Any suggestions welcome.

sorry for necroposting, thought it is ok since I am posting a solution, which is the match keyword in the sshd config:
Match Address
        AuthenticationMethods publickey