
We are using a dedicated NIC as a port forward target to allow support access to port 22 on a CentOS 6 machine. I would like to prevent the NIC from being enabled without a password. I know I could edit /etc/sysconfig/ifup to do this with a plain text password, but then anyone who could cat the file could see it. Does anyone know a more secure way to accomplish this?

Edit: There are sudo users with privileges to write network config files and read scripts. They need to manage other interfaces. They can read but not modify scripts like ifup, but they can edit ifcfg-eth0.

1 Answer


If you have users that have root access to the machine, they can do anything they want. Any measures you put in place to prevent enabling of the NIC could be trivially worked around.

So your options are:

  1. Don't give root access to users on this system. Instead, broker what privileged commands they can use with sudo.
  2. Sort out another way to disable/enable this port. Perhaps you can turn on and off the switch port it's connected to.
  • Thanks. See my edit. Getting the port forward turned on and off at the firewall requires too much internal admin for a support connection that is needed immediately when it is needed.
    – jerryrig
    Commented Jul 1, 2016 at 21:26
  • Well then figure it out with sudo. You may need to write a wrapper script that exerts tight control over precisely which files and lines of files they can edit. There's no magic here, you're just going to need to buckle down and sort it out.
    – EEAA
    Commented Jul 1, 2016 at 21:54
  • Oh well. I thought I would ask first if anyone had magic. I'll figure something out.
    – jerryrig
    Commented Jul 4, 2016 at 17:07
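The answer's second option, brokering the allowed actions through sudo with a wrapper script, can look like the following. This is an added example, not code from the original post or its author: a small POSIX sh wrapper (assumed to be installed as /usr/local/sbin/ifctl, a hypothetical name) that lets delegated admins run ifup/ifdown on any interface except the protected support NIC (assumed here to be eth1). The interface name is checked against a strict character whitelist before it ever reaches /sbin/ifup or /sbin/ifdown, and every request is logged with the invoking sudo user. The IFCTL_DRY_RUN variable is an assumption added so the wrapper can be exercised without touching the network.

```shell
#!/bin/sh
# ifctl - sudo wrapper for bringing interfaces up/down on CentOS 6.
# Added example; install as /usr/local/sbin/ifctl (mode 0755, root:root)
# and grant it instead of /sbin/ifup and /sbin/ifdown, e.g. in /etc/sudoers:
#   %netadmin ALL=(root) NOPASSWD: /usr/local/sbin/ifctl
# Users then run "sudo ifctl up eth0"; eth1 (the support NIC, assumed name)
# is refused, as is anything that is not a plain interface name.

PROTECTED_IF="${PROTECTED_IF:-eth1}"   # the port-forward target NIC (assumed)

# allowed_iface NAME -> 0 if NAME is a syntactically safe, non-protected
# interface name, 1 otherwise. Whitelisting the character set means no
# path components, options or shell metacharacters reach ifup/ifdown.
allowed_iface() {
    case "$1" in
        "") return 1 ;;
        *[!a-zA-Z0-9_.:-]*) return 1 ;;              # anything outside the whitelist
        .*|-*) return 1 ;;                            # no hidden names, no option-like names
        "$PROTECTED_IF"|"$PROTECTED_IF":*) return 1 ;; # protected NIC and its aliases
    esac
    return 0
}

# allowed_action ACTION -> 0 for "up" or "down", 1 for anything else.
allowed_action() {
    case "$1" in
        up|down) return 0 ;;
        *) return 1 ;;
    esac
}

# ifctl_main ACTION IFACE: validates both arguments, records who asked,
# then runs the matching CentOS 6 script. Returns 2 on a bad action,
# 3 on a refused interface. In dry-run mode it prints the command instead.
ifctl_main() {
    action="$1"
    iface="$2"
    allowed_action "$action" || { echo "usage: ifctl up|down IFACE" >&2; return 2; }
    allowed_iface "$iface"   || { echo "ifctl: interface '$iface' not permitted" >&2; return 3; }
    # SUDO_USER is set by sudo; log the real requester, not "root".
    logger -t ifctl "${SUDO_USER:-unknown} requested $action $iface" 2>/dev/null || :
    if [ -n "${IFCTL_DRY_RUN:-}" ]; then
        echo "/sbin/if$action $iface"
        return 0
    fi
    exec "/sbin/if$action" "$iface"
}

# Dispatch only when run as the installed command, so the functions
# above can also be sourced for testing.
if [ "$(basename -- "$0")" = "ifctl" ]; then
    ifctl_main "$@"
    exit $?
fi
```

With this in place the delegated admins need no sudo rule for /sbin/ifup, /sbin/ifdown or a shell, and the sudoers line is the only place the policy lives; since they can still edit ifcfg-eth0 directly, the wrapper should be the only privileged path that starts an interface, and write access to ifcfg-eth1 should be removed from that group as well.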
