diff --git a/hub/offboard-spoke.sh b/hub/offboard-spoke.sh
index 1eb3bdd..59d7405 100755
--- a/hub/offboard-spoke.sh
+++ b/hub/offboard-spoke.sh
@@ -28,20 +28,12 @@ check_deps() {
 fi
 }
-[ "$(id -u)" -eq 0 ] || die "Run as root"
+if [ "$(id -u)" -eq 0 ]; then
+ die "Running as root — run as the hub user instead."
+fi
 if ! command -v python3 >/dev/null 2>&1; then
- if command -v apt-get >/dev/null 2>&1; then
- apt-get install -y -q python3
- elif command -v dnf >/dev/null 2>&1; then
- dnf install -y -q python3
- elif command -v yum >/dev/null 2>&1; then
- yum install -y -q python3
- elif command -v pacman >/dev/null 2>&1; then
- pacman -S --noconfirm python
- else
- die "python3 not found and no supported package manager to install it"
- fi
+ die "python3 not found — please install it and re-run"
 fi
 check_deps rclone crontab python3
@@ -142,7 +134,12 @@ else
 fi
 header "Removing from Registry"
-(grep -v "^$SPOKE_NAME " "$REGISTRY" || true) > "${REGISTRY}.tmp" && mv "${REGISTRY}.tmp" "$REGISTRY"
+if grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || true; then
+ mv "${REGISTRY}.tmp" "$REGISTRY"
+else
+ rm -f "${REGISTRY}.tmp"
+ die "Failed to update registry"
+fi
 info "$SPOKE_NAME removed from registry."
 header "Offboarding Complete"
diff --git a/hub/onboard-spoke.sh b/hub/onboard-spoke.sh
index 8349fd2..73b57f8 100755
--- a/hub/onboard-spoke.sh
+++ b/hub/onboard-spoke.sh
@@ -94,6 +94,8 @@ else
 ssh-keygen -t ed25519 -f "$KEY_PATH" -N ""
 info "Key generated: $KEY_PATH"
 fi
+chmod 600 "$KEY_PATH"
+info "Permissions set: $KEY_PATH is 600"
 header "Copying Hub Key to Spoke"
 info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
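Review bot: The `|| true` on the new `if grep -v ...` line makes the condition unconditionally true, so the `else` branch with `rm -f` and `die "Failed to update registry"` is unreachable and a grep that could not read `$REGISTRY` (exit status 2) still replaces the registry with an empty temp file; the identical pattern is in the onboard-spoke.sh hunk at -148. grep -v legitimately exits 1 when nothing remains to print (the spoke was the only entry), so the status has to be captured and only 2 treated as failure rather than discarded. `SPOKE_NAME` is also interpolated into the regex unescaped; if names may contain `.` or `[`, `awk -v n="$SPOKE_NAME" '$1 != n'` compares the field literally and avoids accidental matches.
```shell
header "Removing from Registry"
rc=0
grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || rc=$?
# grep exits 1 when no line is left to print, which is a valid result here; 2 means the file could not be read
if [ "$rc" -le 1 ]; then
    mv "${REGISTRY}.tmp" "$REGISTRY"
else
    rm -f "${REGISTRY}.tmp"
    die "Failed to update registry"
fi
# … unchanged: info "$SPOKE_NAME removed from registry." …
```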
@@ -148,7 +150,12 @@ MOUNT_POINT="${HOME}/mnt/${SPOKE_NAME}"
 mkdir -p "$MOUNT_POINT"
 if grep -q "^${SPOKE_NAME} " "$REGISTRY" 2>/dev/null; then
 warn "$SPOKE_NAME already in registry, updating."
- (grep -v "^${SPOKE_NAME} " "$REGISTRY" || true) > "${REGISTRY}.tmp" && mv "${REGISTRY}.tmp" "$REGISTRY"
+ if grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || true; then
+ mv "${REGISTRY}.tmp" "$REGISTRY"
+else
+ rm -f "${REGISTRY}.tmp"
+ die "Failed to update registry"
+fi
 fi
 echo "${SPOKE_NAME} ${TUNNEL_PORT} ${KEY_PATH} ${MOUNT_POINT}" >> "$REGISTRY"
 info "$SPOKE_NAME registered."
diff --git a/hub/setup-hub.sh b/hub/setup-hub.sh
index e336081..7930c50 100755
--- a/hub/setup-hub.sh
+++ b/hub/setup-hub.sh
@@ -246,6 +246,15 @@ header "Permission Checks"
 info "Checking SSH directory permissions..."
 check_permissions "$SSH_DIR/authorized_keys" "authorized_keys"
 check_permissions "$RCLONE_CONF" "rclone.conf"
+for PRIVKEY in "$SSH_DIR"/*; do
+ [[ "$PRIVKEY" == *.pub ]] && continue
+ [ -f "$PRIVKEY" ] || continue
+ case "$(file -b "$PRIVKEY" 2>/dev/null)" in
+ *"private key"*|*"PRIVATE KEY"*)
+ check_permissions "$PRIVKEY" "SSH private key $(basename "$PRIVKEY")"
+ ;;
+ esac
+done
 header "Mount Point Setup"
 read -rp "Mount point for spoke filesystems [/mnt/hub]: " MOUNT_POINT
diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh
index 7d99307..488fe68 100755
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -68,7 +68,7 @@ check_permissions() {
 fi
 local world="${perms: -1}"
 local group="${perms: -2:1}"
- if [ "$world" != "0" ]; then
+ if [ "$world" != "0" ] || [ "$group" != "0" ]; then
 warn "UNSAFE PERMISSIONS on $label ($file): $perms — should be 600 or 400"
 warn "Fixing permissions automatically..."
 chmod 600 "$file"
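Review bot: In the setup-hub.sh hunk at -246 the `case` on `file -b` output matches nothing when file(1) is absent or describes the key differently, so a private key in `$SSH_DIR` with loose permissions passes the new check unnoticed, and no dependency check for `file` is visible in this hunk. Matching the key's header line directly removes that dependency and covers both the OpenSSH and PEM formats (`-----BEGIN OPENSSH PRIVATE KEY-----`, `-----BEGIN RSA PRIVATE KEY-----`, `-----BEGIN ENCRYPTED PRIVATE KEY-----`). The glob expands to the literal `$SSH_DIR/*` when the directory is empty, which the `[ -f ]` guard already handles, so only the detection needs to change.
```shell
for PRIVKEY in "$SSH_DIR"/*; do
    [[ "$PRIVKEY" == *.pub ]] && continue
    [ -f "$PRIVKEY" ] || continue
    # Match the PEM/OpenSSH header directly so the check does not depend on file(1) being installed
    if head -n 1 "$PRIVKEY" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
        check_permissions "$PRIVKEY" "SSH private key $(basename "$PRIVKEY")"
    fi
done
```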
@@ -280,10 +280,12 @@ chown "$SPOKE_USER":"$SPOKE_USER" "$SSH_DIR/known_hosts"
 chmod 600 "$SSH_DIR/known_hosts"
 HUB_KEYSCAN=$(ssh-keyscan -H "$HUB_HOST" 2>/dev/null)
 if [ -n "$HUB_KEYSCAN" ]; then
- HUB_KEYSCAN_KEY=$(echo "$HUB_KEYSCAN" | awk '{print $3}')
- if ! grep -qF "$HUB_KEYSCAN_KEY" "$SSH_DIR/known_hosts" 2>/dev/null; then
- echo "$HUB_KEYSCAN" >> "$SSH_DIR/known_hosts"
- fi
+ while IFS= read -r KEYSCAN_LINE; do
+ KEYSCAN_KEY=$(echo "$KEYSCAN_LINE" | awk '{print $3}')
+ if ! grep -qF "$KEYSCAN_KEY" "$SSH_DIR/known_hosts" 2>/dev/null; then
+ echo "$KEYSCAN_LINE" >> "$SSH_DIR/known_hosts"
+ fi
+ done <<< "$HUB_KEYSCAN"
 fi
 check_permissions "$SSH_DIR/known_hosts" "known_hosts"
@@ -323,7 +325,7 @@ sed -i "s|-R [0-9]*:localhost:22|-R ${TUNNEL_PORT}:localhost:22|g" "$COMPOSE"
 sed -i "s|-i /home/[^ ]*/\.ssh/[^ ]*|-i ${SSH_DIR}/${KEY_NAME}|g" "$COMPOSE"
 sed -i "/known_hosts/!s|/home/[^/]*/\.ssh/[^:]*:/home/[^/]*/\.ssh/[^:]*:ro|${SSH_DIR}/${KEY_NAME}:${SSH_DIR}/${KEY_NAME}:ro|g" "$COMPOSE"
 sed -i "s|/home/[^/]*/\.ssh/known_hosts|${SSH_DIR}/known_hosts|g" "$COMPOSE"
-sed -i "s| [a-zA-Z0-9._-]*@[a-zA-Z0-9._-]*\.[a-zA-Z0-9._-]*$| ${HUB_USER}@${HUB_HOST}|g" "$COMPOSE"
+sed -i "s| [a-zA-Z0-9._-]*@[a-zA-Z0-9._-]*\.[a-zA-Z0-9._-]*[[:space:]]*$| ${HUB_USER}@${HUB_HOST}|g" "$COMPOSE"
 sed -i "s|/home/[^/]*/st:|${SYNCTHING_MOUNT}:|g" "$COMPOSE"
 sed -i "s|PUID=[0-9]*|PUID=${SPOKE_UID}|g" "$COMPOSE"
 sed -i "s|PGID=[0-9]*|PGID=${SPOKE_GID}|g" "$COMPOSE"
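Review bot: A keyscan line with fewer than three fields leaves `KEYSCAN_KEY` empty in the new loop, and `grep -qF ""` then matches any non-empty known_hosts, so that line is silently dropped; add `[ -n "$KEYSCAN_KEY" ] || continue` right after the awk assignment. The loop de-duplicates on the base64 key only, so a hub key already recorded under a different hashed hostname is not re-added for `$HUB_HOST` — if that is intended, a one-line comment saying so would help the next reader. The scan is an unauthenticated fetch, so printing the resulting fingerprints with `ssh-keygen -lf "$SSH_DIR/known_hosts"` after the closing `fi` gives the operator something to compare against the hub out of band. The surrounding setup flow continues outside the hunk.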
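Review bot: In the -323 hunk `HUB_USER` and `HUB_HOST` are interpolated into the sed replacement unescaped, so a value containing `&`, `\` or the `|` delimiter corrupts the substitution instead of failing (`&` re-inserts the matched text); the same holds for the variables in the surrounding sed lines, and these values presumably come from operator input earlier in the script (not visible here). Escaping them once before the sed block, e.g. `sed_rhs() { printf '%s' "$1" | sed 's/[\\&|]/\\&/g'; }` and `$(sed_rhs "$HUB_HOST")` in the replacement, makes the rewrite safe for any value. The address pattern still requires a dot in the host part, so a bare hostname or a bracketed IPv6 literal leaves the compose file unchanged with no warning — a `grep -q` for the old `user@host` after the sed, with a `warn` if it is still present, would surface that.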