The goal is to allow root to login with username/password from local IP-addresses. But only allow root to login with public key authentication from internet.
First change the following settings in /etc/ssh/sshd_config. this will allow normal users to login with username/password but root users must use public key authentication.
PasswordAuthentication yes PermitRootLogin without-password
Second, add the following to the end of /etc/ssh/sshd_config. Its important that you are in the end of the file because how sshd_config is read by the daemon.
Match address 192.168.0.0/16 PermitRootLogin yes