spoke/setup-spoke.sh

Fix check_permissions to check group bits; fix ssh-keyscan dedup to iterate per key type; fix HUB_USER@HUB_HOST sed regex to handle trailing whitespace
hub/offboard-spoke.sh
Drop root requirement; fix crontab running as root; fix registry .tmp not cleaned on failure
hub/onboard-spoke.sh
Fix registry .tmp not cleaned on failure; chmod 600 key immediately after generation
hub/setup-hub.sh
Check permissions on existing SSH private keys in setup

hub/offboard-spoke.sh

@@ -28,20 +28,12 @@ check_deps() {
     fi
 }
 
-[ "$(id -u)" -eq 0 ] || die "Run as root"
+if [ "$(id -u)" -eq 0 ]; then
+    die "Running as root — run as the hub user instead."
+fi
 
 if ! command -v python3 >/dev/null 2>&1; then
-    if command -v apt-get >/dev/null 2>&1; then
-        apt-get install -y -q python3
-    elif command -v dnf >/dev/null 2>&1; then
-        dnf install -y -q python3
-    elif command -v yum >/dev/null 2>&1; then
-        yum install -y -q python3
-    elif command -v pacman >/dev/null 2>&1; then
-        pacman -S --noconfirm python
-    else
-        die "python3 not found and no supported package manager to install it"
-    fi
+    die "python3 not found — please install it and re-run"
 fi
 
 check_deps rclone crontab python3
@@ -142,7 +134,12 @@ else
 fi
 
 header "Removing from Registry"
-(grep -v "^$SPOKE_NAME " "$REGISTRY" || true) > "${REGISTRY}.tmp" && mv "${REGISTRY}.tmp" "$REGISTRY"
+if grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || true; then
+    mv "${REGISTRY}.tmp" "$REGISTRY"
+else
+    rm -f "${REGISTRY}.tmp"
+    die "Failed to update registry"
+fi
 info "$SPOKE_NAME removed from registry."
 
 header "Offboarding Complete"

hub/onboard-spoke.sh

@@ -94,6 +94,8 @@ else
     ssh-keygen -t ed25519 -f "$KEY_PATH" -N ""
     info "Key generated: $KEY_PATH"
 fi
+chmod 600 "$KEY_PATH"
+info "Permissions set: $KEY_PATH is 600"
 
 header "Copying Hub Key to Spoke"
 info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
@@ -148,7 +150,12 @@ MOUNT_POINT="${HOME}/mnt/${SPOKE_NAME}"
 mkdir -p "$MOUNT_POINT"
 if grep -q "^${SPOKE_NAME} " "$REGISTRY" 2>/dev/null; then
     warn "$SPOKE_NAME already in registry, updating."
-    (grep -v "^${SPOKE_NAME} " "$REGISTRY" || true) > "${REGISTRY}.tmp" && mv "${REGISTRY}.tmp" "$REGISTRY"
+    if grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || true; then
+    mv "${REGISTRY}.tmp" "$REGISTRY"
+else
+    rm -f "${REGISTRY}.tmp"
+    die "Failed to update registry"
+fi
 fi
 echo "${SPOKE_NAME} ${TUNNEL_PORT} ${KEY_PATH} ${MOUNT_POINT}" >> "$REGISTRY"
 info "$SPOKE_NAME registered."

hub/setup-hub.sh

@@ -246,6 +246,15 @@ header "Permission Checks"
 info "Checking SSH directory permissions..."
 check_permissions "$SSH_DIR/authorized_keys" "authorized_keys"
 check_permissions "$RCLONE_CONF" "rclone.conf"
+for PRIVKEY in "$SSH_DIR"/*; do
+    [[ "$PRIVKEY" == *.pub ]] && continue
+    [ -f "$PRIVKEY" ] || continue
+    case "$(file -b "$PRIVKEY" 2>/dev/null)" in
+        *"private key"*|*"PRIVATE KEY"*)
+            check_permissions "$PRIVKEY" "SSH private key $(basename "$PRIVKEY")"
+            ;;
+    esac
+done
 
 header "Mount Point Setup"
 read -rp "Mount point for spoke filesystems [/mnt/hub]: " MOUNT_POINT