Add one-time SSH hardening notice after forced password change

docs/workflow.md

@@ -93,3 +93,4 @@ Use the helper:
 - Profiles are additive to the base image defaults; do not include Pi‑Kit or DietPi dashboard entries in profiles.
 - Keep `RESCUE.md` in `/root` and `/home/dietpi` only (not in `/var/www`).
 - Prep enforces a password change for `dietpi` on first login; set `PIKIT_FORCE_PASSWORD_CHANGE=0` to skip.
+- After the password change, a one‑time SSH hardening tip is shown on login.

pikit-prep.sh

@@ -210,9 +210,13 @@ prep_image() {
   # --- Default login ---
   if id -u dietpi >/dev/null 2>&1; then
     echo "dietpi:pikit" | chpasswd && status CLEANED "reset dietpi password" || status FAIL "reset dietpi password"
+    mkdir -p /var/lib/pikit
+    rm -f /var/lib/pikit/first-login.notice
     case "${PIKIT_FORCE_PASSWORD_CHANGE,,}" in
       1|true|yes|on)
         chage -d 0 dietpi && status CLEANED "force dietpi password change on next login" || status FAIL "force dietpi password change"
+        :> /var/lib/pikit/first-login.notice && chmod 644 /var/lib/pikit/first-login.notice \
+          && status CLEANED "first-login notice armed" || status FAIL "first-login notice"
         ;;
       *) ;;
     esac

systemd/pikit-first-login.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+# Install as /etc/profile.d/pikit-first-login.sh
+# Prints a one-time SSH hardening tip after the forced password change.
+
+FLAG="/var/lib/pikit/first-login.notice"
+
+case "$-" in
+  *i*) interactive=1 ;;
+  *) interactive=0 ;;
+esac
+
+if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ]; then
+  echo ""
+  echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
+  echo "  Example: ssh-keygen -t ed25519"
+  echo "           ssh-copy-id dietpi@pikit.local"
+  echo ""
+  rm -f "$FLAG" 2>/dev/null || true
+fi