Qrexec ask policy with domU chosen target

Indeed this would work. But then I would need an adminVM for every ssh-client/vault pair I have. As the number of servers may change, for every change I need to modify stuff in dom0, which I would like to avoid.

My other idea is to create a tag for each pair I am likely to use, like:

# Pair 1
… @tag:ssh-pair-1 @tag:ssh-pair-1 allow target=whatever
… @tag:ssh-pair-1 @anyvm deny

# Pair 2
… @tag:ssh-pair-2 @tag:ssh-pair-2 allow target=whatever
… @tag:ssh-pair-2 @anyvm deny

And create like 100 or so of those rules. The adminVM would need to keep track of all running pairs and assign the tags so no collisions can exist.

I think this is the most secure hotfix, but in my opinion this is a bit ugly.

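The bookkeeping the post assigns to the adminVM (a fixed pool of pair tags, handed out so that no qube ever carries two of them) can be modelled as follows. This is an added example, not code from the post or from Qubes OS; `TagPool`, the pool size and the qube names are assumptions, and the step that actually sets tags on qubes is left out.

```python
# Added illustration: in-memory model of the tag pool an adminVM would manage.
# TagPool and all qube names are hypothetical; nothing here talks to Qubes.

class TagPool:
    def __init__(self, size=100, prefix="ssh-pair-"):
        # Reverse order so that pop() hands out ssh-pair-1 first.
        self.free = [f"{prefix}{i}" for i in range(size, 0, -1)]
        self.by_vm = {}    # qube name -> pair tag it currently carries
        self.by_tag = {}   # pair tag -> (client, vault)

    def assign(self, client, vault):
        """Reserve one tag for a client/vault pair; refuse any collision."""
        if client == vault:
            raise ValueError("a pair needs two distinct qubes")
        for vm in (client, vault):
            if vm in self.by_vm:
                # A second tag would make this qube match two pair rules.
                raise ValueError(f"{vm} already carries {self.by_vm[vm]}")
        if not self.free:
            raise RuntimeError("tag pool exhausted: no rule left for a new pair")
        tag = self.free.pop()
        self.by_tag[tag] = (client, vault)
        self.by_vm[client] = self.by_vm[vault] = tag
        return tag

    def release(self, tag):
        """Return a tag to the pool once its pair is shut down."""
        for vm in self.by_tag.pop(tag):
            del self.by_vm[vm]
        self.free.append(tag)

    def allowed(self, source, target):
        """Model of the two rules per tag: same pair tag allows, anything
        else from a tagged source is denied. Untagged sources are not
        covered by the pair rules and are reported as not allowed here."""
        tag = self.by_vm.get(source)
        return (tag is not None and source != target
                and self.by_vm.get(target) == tag)
```
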