I would use authpf(8); it was designed for just this purpose, and you should see if it meets your needs. In brief, a user authenticates with an ssh session; as long as that session is active, a set of rules associated with that user is anchored into your PF ruleset. When that session ends, so do those rules.
There was an interesting discussion in the misc@ mailing list about authpf this week regarding its limitations -- how someone on a NATted network who authenticates would authorize their entire NATted network; and some other possible "tailgating" attacks. I recommend a review of the thread, which began here:
http://marc.info/?l=openbsd-misc&m=131556113701941&w=2
While hosts.deny(5) is an available service, I don't use it, as PF does all I need without the caveats, booby traps, and other problems inherent in the hosts access control language. PF also has the ability to automatically add attackers to block lists, which I prefer.
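A configuration sketch of the two PF features mentioned above, the authpf anchor and an automatically populated block list. This is an added example, not part of the original post; the interface name, addresses, ports and rate limits are assumptions chosen for illustration.

```conf
# /etc/pf.conf (fragment) -- constructed example, values are assumptions
ext_if = "em0"                   # assumed external interface

table <bruteforce> persist       # filled by the overload rule below

set skip on lo
block in log all
block in quick from <bruteforce>

# ssh must stay reachable: it is the channel users authenticate over.
# A source that opens too many connections, or opens them too fast,
# is added to <bruteforce> and its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bruteforce> flush global)

# authpf(8) loads each session's rules under this anchor and removes
# them when the ssh session ends.
anchor "authpf/*"

pass out

# ---------------------------------------------------------------
# /etc/authpf/authpf.rules (separate file, loaded per session)
# Macros from pf.conf are not visible here, so the interface is
# written out. $user_ip is set by authpf to the source address of
# the ssh session, so every host behind the same NAT address
# matches this rule too (the limitation raised in the misc@ thread).
pass in quick on em0 proto tcp from $user_ip \
    to 192.0.2.10 port { 80 443 }    # 192.0.2.10: placeholder server
```

For authpf to run, the account's login shell is set to /usr/sbin/authpf and /etc/authpf/authpf.conf must exist (it may be empty). Check both files with `pfctl -nf` before loading them.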