You can manage which users have access to Remove Login (SSH) by selecting this service in the Sharing system preferences, and then clicking the "Only these users" radio button and populating the list with the usernames (or groups) that you would like to allow SSH access.
Unfortunately there is no way to prevent a user from logging in. Apple includes "Sharing Only" account options that are meant for this purpose, but I believe SSH sessions require an account that has a home folder environment (I'm not sure about this, but I believe it is the case).
You can try creating a sharing only account and then adding it to your sshonly group, and then only enable this group in the Remote Login service to see if you can grant it SSH access this way, but if not then I believe there is only a partial answer to your request, which only allowing some users SSH access, though all users will have local login access.