In this post you state:
"For an embedded device I am working on we have a dedicated configuration Ethernet port. It is a Linux distro and we are not particularly resource constrained."
Look at some things in the above.
Linux can/does use internal servers and some are web based.
Here the host address is "LocalHost", which has an IP starting with 127 for IPv4, and good security has a firewall that prevents access to all but programs running on the device.
Note that in my view counting on local network addresses for security is a very bad idea. This is counting on the security of all devices connected to the network being secure. Just one bad device and all security is gone.
Unless you want to get known for building old stuff you also need to use modern and secure as foundation.
This implies that IPv4 & IPv6 should be supported at this time.
To get good control security you need to add a base of physical access to device. For example,
A button that has to be pressed on device to start low level security build.
A key printed on device to just allow network device with that key to connect at this reduced security.
That is a simple two factor authentication and should only be used to create a more secure connection.
To talk to a device on Ethernet you just need two things unless security prevents it: the IP address & port.
You can add DNS to make it easier and if done correctly you can add DNS security in the process.
Now with Linux as a foundation you can do better than bare CLI access via SSH.
SSH allows use of certificates in place of passwords. The SSH server can add security based on connecting IP address.
The SSH client has some security you can use to get started.
One problem with CLI is users getting the config wrong.
CLI config can also be a huge pain.
This is where something like "Ansible" can be a big help.
Ansible lets a client program use SSH to work with the SSH host with little to no added software needed on host.
If there is network connectivity then one to thousands of devices can be configured. Ansible will let you verify that the host is configured properly, matching the facts that the Ansible program is using. Notice "HOST" & network connectivity here.
If you can connect to a new Linux host with SSH, Ansible could set up the whole system with little user effort.
You can use Ansible to check and/or configure the local host also.
Think of the fine details here. With the Ansible program you can quickly make a clone of a device or build a replacement for a failed device.
As Ansible will run on Windows, Mac & Linux computers, complicated things just got very easy, checkable & upgradeable.
This is all possible with the open source version of Ansible which is a subset of Ansible Tower.
If you use Ansible properly it can save a lot of time.
You could use it to build, update, config & test device before shipment.
And use it at client site to make it easy & more secure.
You can use powerful tools and still keep it simple.
You can give your end user very powerful tools and still keep it simple.
Still a very good idea to have someone better at security looking over your shoulder.
With Ansible written in Python, your users that want to check can look at what the Ansible program will do if they want.
It also shows how easily a system can be hacked with little knowledge.
Security is only as good as its weakest link.
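
An added example, not part of the original post: an Ansible playbook that applies the SSH points above (certificates instead of passwords, plus a restriction by connecting IP address) and can later be re-run to verify the device. The inventory group, file paths, service name and address ranges are assumptions, and the drop-in only takes effect if the device's main sshd_config includes /etc/ssh/sshd_config.d/*.conf before any conflicting settings.

```yaml
# Added example. Group name, paths, service name and networks are assumptions.
- name: Certificate-only SSH on the configuration port
  hosts: embedded_devices              # hypothetical inventory group
  become: true
  vars:
    user_ca_pubkey: files/user_ca.pub  # hypothetical: public key of your SSH user CA
    # Constructed documentation ranges; replace with the real config network.
    config_net_v4: 192.0.2.0/24
    config_net_v6: 2001:db8:1::/64
  tasks:
    - name: Install the user CA public key that sshd will trust
      ansible.builtin.copy:
        src: "{{ user_ca_pubkey }}"
        dest: /etc/ssh/user_ca.pub
        owner: root
        group: root
        mode: "0644"
      notify: Reload sshd

    - name: Write the hardening drop-in (sshd checks the syntax before install)
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-config-port.conf
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # Managed by Ansible. Key-based login only, no passwords.
          PasswordAuthentication no
          AuthenticationMethods publickey
          PermitRootLogin no
          # Accept user certificates signed by this CA.
          TrustedUserCAKeys /etc/ssh/user_ca.pub
          # Clients outside the configuration network get no usable method.
          Match Address *,!{{ config_net_v4 }},!{{ config_net_v6 }}
              PubkeyAuthentication no
      notify: Reload sshd

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd                     # assumption: the unit is "ssh" on some distros
        state: reloaded
```

Running the same playbook with `ansible-playbook --check --diff` changes nothing on the device and reports any drift from these settings, which is the verification step described above.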