From f3c9cf23441e1a4d71fbe5943d28aa07173c336d Mon Sep 17 00:00:00 2001 From: Justin Oros Date: Sun, 19 Apr 2026 13:14:52 -0700 Subject: [PATCH] setup-spoke.sh: change password auth disable default to N and add warning to wait until after onboard-spoke.sh --- spoke/setup-spoke.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh index cc92e6b..846c7d3 100755 --- a/spoke/setup-spoke.sh +++ b/spoke/setup-spoke.sh @@ -237,8 +237,11 @@ case "$KEY_CHOICE" in esac header "Password Authentication" -read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS -DISABLE_PASS="${DISABLE_PASS:-y}" +warn "Do not disable password auth yet — the hub still needs password access to install its key via ssh-copy-id." +warn "Only disable this after running onboard-spoke.sh on the hub." +echo "" +read -rp "Disable password auth for $SPOKE_USER and use keys only? [y/N]: " DISABLE_PASS +DISABLE_PASS="${DISABLE_PASS:-n}" if [[ "${DISABLE_PASS,,}" == "y" ]]; then if [ ! -f "$KEY_PATH" ]; then warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."