diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh
index cc92e6b..846c7d3 100755
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -237,8 +237,11 @@ case "$KEY_CHOICE" in
 esac
 
 header "Password Authentication"
-read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
-DISABLE_PASS="${DISABLE_PASS:-y}"
+warn "Do not disable password auth yet — the hub still needs password access to install its key via ssh-copy-id."
+warn "Only disable this after running onboard-spoke.sh on the hub."
+echo ""
+read -rp "Disable password auth for $SPOKE_USER and use keys only? [y/N]: " DISABLE_PASS
+DISABLE_PASS="${DISABLE_PASS:-n}"
 if [[ "${DISABLE_PASS,,}" == "y" ]]; then
     if [ ! -f "$KEY_PATH" ]; then
         warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."