I have a custom policy:
The only way to ssh into a machine is to contact another user already logged on (first user logs on at the console), get them to open a ssh port temporarily.
Expressed differently, each logged-in user is allowed to execute one and only one exact command:
firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" source address="x.x.x.x" accept' --timeout=5m
This works fine when the users are all sudoers, but in trying to allow mortal users to do this, I seem to get polkit problems. I want mortal users to be able to run only this very specific command – no other uses of firewall-cmd are acceptable.
Can someone give me some direction about how to accomplish this?
Thanks.
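Added example (not part of the original post, and not an answer the poster received): polkit authorizes firewalld's D-Bus actions as a whole, not individual command-line arguments, so a polkit rule alone cannot limit a user to one rich rule. The usual way to get "this exact command and nothing else" for non-sudoers is a tiny root-owned wrapper script that accepts only a validated IPv4 address and runs the fixed firewall-cmd line, with a sudoers entry that grants that script and nothing else. The script path `/usr/local/sbin/ssh-open` and the group name `sshopeners` below are assumptions for illustration.

```shell
#!/bin/sh
# ssh-open: open the ssh service to exactly one IPv4 address for 5 minutes.
# Hypothetical wrapper for the policy in the question above. Suggested install
# (assumed path and group, not from the original post):
#   install -o root -g root -m 0755 ssh-open /usr/local/sbin/ssh-open
#   echo '%sshopeners ALL=(root) NOPASSWD: /usr/local/sbin/ssh-open' \
#       > /etc/sudoers.d/ssh-open   (validate with: visudo -cf /etc/sudoers.d/ssh-open)
# Users then run:  sudo /usr/local/sbin/ssh-open 203.0.113.7
set -eu

# validate_ipv4 ADDR: succeed only if ADDR is a plain dotted quad with each
# octet 0-255. Anything else (spaces, quotes, CIDR, extra tokens) is rejected
# so the argument can never smuggle additional rich-rule syntax into firewalld.
validate_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # split on dots; must be exactly four fields, each at most 3 digits, <= 255
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rule ADDR: print the single rich rule this wrapper is willing to add.
# The rule text is fixed; only the validated address is substituted.
build_rule() {
    printf 'rule family="ipv4" service name="ssh" source address="%s" accept\n' "$1"
}

# Act only when invoked with one argument. With no arguments the script just
# defines the functions above, so it can be sourced and tested without firewalld.
if [ $# -eq 1 ]; then
    if ! validate_ipv4 "$1"; then
        echo "usage: $0 A.B.C.D (plain IPv4 address only)" >&2
        exit 2
    fi
    # exec so the wrapper's exit status is firewall-cmd's own
    exec firewall-cmd --add-rich-rule "$(build_rule "$1")" --timeout=5m
fi
```

The sudoers line deliberately names the script with no argument restriction, because the script itself is the argument filter; keep it root-owned and not writable by the group, otherwise anyone in `sshopeners` could edit their way to arbitrary root commands. Because sudo passes the command through exec, nothing the user types can reach firewall-cmd except a string that survived `validate_ipv4`.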