diff --git a/hub/onboard-spoke.sh b/hub/onboard-spoke.sh
index eadc10a..1617c42 100755
--- a/hub/onboard-spoke.sh
+++ b/hub/onboard-spoke.sh
@@ -98,7 +98,16 @@ fi
 header "Copying Hub Key to Spoke"
 info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
 info "(You will be prompted for the $SPOKE_USER password on the spoke)"
-ssh-copy-id -i "$KEY_PATH.pub" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost
+if ! ssh-copy-id -i "$KEY_PATH.pub" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost; then
+ warn "ssh-copy-id failed — password auth may be disabled on the spoke."
+ warn "Manually append the hub public key to the spoke's authorized_keys:"
+ echo ""
+ echo " cat $KEY_PATH.pub"
+ echo " # Then on the spoke, append the output to:"
+ echo " # /home/$SPOKE_USER/.ssh/authorized_keys"
+ echo ""
+ read -rp "Press ENTER once the key has been added to the spoke..."
+fi
 info "Key copied."
 
 header "Testing Hub -> Spoke Key Auth"
diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh
index e624919..b21c845 100755
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -274,7 +274,13 @@ info "Scanning hub host key..."
 sudo -u "$SPOKE_USER" touch "$SSH_DIR/known_hosts"
 chown "$SPOKE_USER":"$SPOKE_USER" "$SSH_DIR/known_hosts"
 chmod 600 "$SSH_DIR/known_hosts"
-sudo -u "$SPOKE_USER" ssh-keyscan -H "$HUB_HOST" >> "$SSH_DIR/known_hosts" 2>/dev/null
+HUB_KEYSCAN=$(ssh-keyscan -H "$HUB_HOST" 2>/dev/null)
+if [ -n "$HUB_KEYSCAN" ]; then
+ HUB_KEYSCAN_KEY=$(echo "$HUB_KEYSCAN" | awk '{print $3}')
+ if ! grep -qF "$HUB_KEYSCAN_KEY" "$SSH_DIR/known_hosts" 2>/dev/null; then
+ echo "$HUB_KEYSCAN" >> "$SSH_DIR/known_hosts"
+ fi
+fi
 check_permissions "$SSH_DIR/known_hosts" "known_hosts"
 
 header "Testing SSH Connection"
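Review bot: `info "Key copied."` after the new `fi` still runs on the manual path, where the script has only waited for ENTER and nothing shows the key was installed; put it under an `else` before `fi` so the log claims a copy only when ssh-copy-id succeeded. The fallback also attributes every failure to disabled password auth, although a dropped tunnel or a host-key mismatch on localhost:$TUNNEL_PORT lands in the same branch, so a neutral message such as `warn "ssh-copy-id failed; check the tunnel, or password auth may be disabled on the spoke."` would mislead less. For the manual step, printing `ssh-keygen -lf "$KEY_PATH.pub"` gives the operator a fingerprint to compare on the spoke, and the hint should say that `.ssh` and `authorized_keys` must be owned by $SPOKE_USER and not group- or world-writable, because sshd with StrictModes (the default) ignores the file otherwise. `/home/$SPOKE_USER` is assumed rather than looked up, so `~$SPOKE_USER/.ssh/authorized_keys` is the safer path to print.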
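Review bot: The new `grep -qF "$HUB_KEYSCAN_KEY"` test only asks whether the scanned key text is already in known_hosts, so a scan that returns a different key for $HUB_HOST than the one already recorded is appended beside it and trusted without any prompt, which hides a changed or spoofed hub key on re-runs. ssh-keyscan output is unauthenticated, so the append should be gated on the operator comparing fingerprints, and an existing entry for the host should be left alone rather than extended. ssh-keyscan usually returns one line per key type, so `$HUB_KEYSCAN_KEY` is multi-line and `grep -F` succeeds as soon as any one of those keys is present, skipping the rest. The scan also no longer runs as `$SPOKE_USER`, and an empty result is silent because stderr is discarded. One possible shape for the block is below.

```shell
HUB_KEYSCAN=$(ssh-keyscan -H "$HUB_HOST" 2>/dev/null)
if [ -z "$HUB_KEYSCAN" ]; then
  echo "ssh-keyscan returned no host keys for $HUB_HOST" >&2
elif ssh-keygen -F "$HUB_HOST" -f "$SSH_DIR/known_hosts" >/dev/null 2>&1; then
  # Host is already pinned: never add a second key for it silently.
  info "known_hosts already has an entry for $HUB_HOST; leaving it unchanged."
else
  # Show fingerprints so the operator can compare them with the hub's own.
  printf '%s\n' "$HUB_KEYSCAN" | ssh-keygen -lf -
  read -rp "Do these fingerprints match the hub? Type yes to trust: " HUB_KEY_OK
  if [ "$HUB_KEY_OK" = "yes" ]; then
    printf '%s\n' "$HUB_KEYSCAN" >> "$SSH_DIR/known_hosts"
  fi
fi
# … unchanged: check_permissions call …
```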