You can't do that without logging in to the host. I'll try to explain:
The ssh protocol is an end-to-end protocol; only the connections between two authenticated and authorized hosts are encrypted. You can use ssh tunnels between those two hosts once you're in. These tunnels encrypt the traffic between those hosts but not the traffic outside of these connections!
And (at least with OpenSSH) you can't restrict which ports are allowed to be forwarded - you can only turn it on or off.
What you could do would be to use stunnel instead of ssh (www.stunnel.org).
Use it to encrypt the pserver protocol and block the direct access to the pserver port using iptables. The drawback of this is that the developers need iptables at their machines too - but that's not a big problem.
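
A sketch of the stunnel setup suggested above, added here as an example and not part of the original answer. It assumes the standard CVS pserver port 2401; the TLS port 2402, the host name cvs.example.org and all file paths are placeholders chosen for the illustration.

```ini
; ---- server side: cvs-server.conf (file name is an assumption) ----
; pserver keeps listening on 2401; stunnel accepts TLS on 2402 and
; hands the decrypted stream to pserver over loopback.
cert = /etc/stunnel/cvs-server.pem
key = /etc/stunnel/cvs-server.key

[pserver-tls]
accept = 0.0.0.0:2402
connect = 127.0.0.1:2401

; Firewall rule on the server (run as root): drop pserver connections
; that do not arrive over loopback, so only stunnel can reach the daemon.
;   iptables -A INPUT -p tcp --dport 2401 ! -i lo -j DROP

; ---- developer machine: cvs-client.conf (file name is an assumption) ----
; stunnel listens locally on the pserver port and wraps it in TLS.
[pserver-tls]
client = yes
accept = 127.0.0.1:2401
connect = cvs.example.org:2402
; Verify the server certificate; without these options the tunnel is
; encrypted but the server is not authenticated.
CAfile = /etc/stunnel/cvs-ca.pem
verifyChain = yes
checkHost = cvs.example.org
```

With this in place a developer points CVSROOT at localhost (for example `:pserver:user@localhost:/path/to/repo`, path hypothetical) and the local stunnel carries the session to the server.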