network – How to allow tunneling / ssh transfer via a machine without giving access to the intermediate machine

Let's say I have a machine with a few virtual machines on it, how could I transfer SSH connections to these virtual machines without giving access to the host machine? Is it possible to do it with only one port exposed to the outside world? This would also apply to a machine, with some other machines behind it.

I would like to do the redirection depending on the keys used, or maybe according to an indicator defined in the ssh command on the client.