Make OpenSSH require keys selectively
This is one of those things that I've been doing for ages and is easy to find if you read the fine manual, but not many places online seem to suggest it.
Any decent guide on configuring SSH will tell you to turn off password authentication, but the pain with this is that you need keys set up everywhere.
Fortunately OpenSSH lets you set configuration based on the connecting IP address; add something like this to /etc/ssh/sshd_config:
    PasswordAuthentication no

    Match Address 192.168.*
        PasswordAuthentication yes
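Et voilà, internal addresses can still use passwords. However, evil connections from the internet need a key (you can also do it per user or group if you like, but obviously this has the potential to enable user enumeration attacks). Put the Match block at the end of the file: it applies to every line after it until the next Match line or the end of the file.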
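To confirm the Match block behaves as intended before reloading sshd, you can ask sshd for the effective setting per client address. This is an added example, not part of the original post; the script name, the sample addresses and the user=nobody placeholder are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): ask sshd which
# PasswordAuthentication value a client address would get.
# SSHD and SSHD_CONFIG are overridable; user=nobody is a placeholder.
SSHD="${SSHD:-sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Print the effective PasswordAuthentication (yes/no) for client address $1.
# -T dumps the effective configuration; -C supplies the connection
# parameters that Match blocks are evaluated against.
effective_password_auth() {
    "$SSHD" -T -f "$SSHD_CONFIG" -C "addr=$1,user=nobody,host=$1" 2>/dev/null |
        awk '$1 == "passwordauthentication" { print $2; found = 1 }
             END { exit !found }'
}

# Succeed only if address $1 gets the expected value $2.
expect_password_auth() {
    got=$(effective_password_auth "$1") || {
        echo "could not read effective config for $1" >&2
        return 2
    }
    [ "$got" = "$2" ] && return 0
    echo "addr $1: PasswordAuthentication is $got, expected $2" >&2
    return 1
}

# The policy from the post: passwords inside 192.168.*, keys everywhere else.
# All three addresses are constructed samples.
check_policy() {
    rc=0
    expect_password_auth 192.168.1.10 yes || rc=1   # internal
    expect_password_auth 192.169.0.1 no || rc=1     # just outside the pattern
    expect_password_auth 203.0.113.7 no || rc=1     # documentation range
    return "$rc"
}

# Run the checks only when called as: sh check-sshd-match.sh --check
if [ "${1:-}" = "--check" ]; then
    check_policy && echo "Match Address policy behaves as intended"
    exit $?
fi
```

Run it as root, since sshd -T has to read the configuration and host keys.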