> I haven't quite figured this bit out yet.  Do you mean running the ssh
> server in a chroot environment

given your level of concern and your apparently convoluted
requirements, I recommend doing this.

> or is there a way of specifying options to sshd?

see sshd(8)

	sshd -f <config-file>

will start with a new config file.

Among many other things, you can specify an alternate listening port
in the sshd config file.

> Surely this would still require the private half of a key pair stored on
> C?

not necessarily.  

> What I'm really looking for is a way to have the return connection "given
> the nod" by A, by virtue of the fact that it is started by a ssh session
> from A?

You could do ssh agent forwarding from "A" to "C" with a key which
grants access to the subsystem in question..