move password auth prompt to after SSH key setup in setup-spoke.sh

2026-04-16 10:44:12 -07:00
parent 7e64156026
commit a79b1c59b8
1 changed files with 35 additions and 35 deletions
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -125,41 +125,6 @@ fi

 SSHD_CONF="/etc/ssh/sshd_config"

-header "Password Authentication"
-read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
-DISABLE_PASS="${DISABLE_PASS:-y}"
-if [[ "${DISABLE_PASS,,}" == "y" ]]; then
-    if [ ! -s "$SSH_DIR/authorized_keys" ]; then
-        warn "No keys found in $SSH_DIR/authorized_keys — skipping password auth disable to avoid lockout."
-    else
-        if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
-            sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
-        else
-            echo "PasswordAuthentication no" >> "$SSHD_CONF"
-        fi
-        if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
-            sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
-        else
-            echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
-        fi
-        info "Password authentication disabled for $SPOKE_USER."
-        echo ""
-        warn "Restarting SSH will apply the new settings."
-        warn "If you are connected via SSH, your session may drop."
-        warn "Make sure you can reconnect using your key before continuing."
-        read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
-        if systemctl restart ssh 2>/dev/null; then
-            info "SSH restarted."
-        elif systemctl restart sshd 2>/dev/null; then
-            info "SSH restarted."
-        else
-            warn "Could not restart SSH — please restart it manually."
-        fi
-    fi
-else
-    info "Password authentication left enabled."
-fi
-
 header "Hostname Setup"
 CURRENT_HOSTNAME=$(hostname)
 echo -e "Current hostname: ${YELLOW}$CURRENT_HOSTNAME${NC}"
@@ -224,6 +189,41 @@ case "$KEY_CHOICE" in
    ;;
 esac

+header "Password Authentication"
+read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
+DISABLE_PASS="${DISABLE_PASS:-y}"
+if [[ "${DISABLE_PASS,,}" == "y" ]]; then
+    if [ ! -f "$KEY_PATH" ]; then
+        warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."
+    else
+        if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
+            sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+        else
+            echo "PasswordAuthentication no" >> "$SSHD_CONF"
+        fi
+        if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
+            sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+        else
+            echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
+        fi
+        info "Password authentication disabled for $SPOKE_USER."
+        echo ""
+        warn "Restarting SSH will apply the new settings."
+        warn "If you are connected via SSH, your session may drop."
+        warn "Make sure you can reconnect using your key before continuing."
+        read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
+        if systemctl restart ssh 2>/dev/null; then
+            info "SSH restarted."
+        elif systemctl restart sshd 2>/dev/null; then
+            info "SSH restarted."
+        else
+            warn "Could not restart SSH — please restart it manually."
+        fi
+    fi
+else
+    info "Password authentication left enabled."
+fi
+
 info "Scanning hub host key..."
 sudo -u "$SPOKE_USER" touch "$SSH_DIR/known_hosts"
 chown "$SPOKE_USER":"$SPOKE_USER" "$SSH_DIR/known_hosts"