Add one-time SSH hardening notice after forced password change

systemd/pikit-first-login.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+# Install as /etc/profile.d/pikit-first-login.sh
+# Prints a one-time SSH hardening tip after the forced password change.
+
+FLAG="/var/lib/pikit/first-login.notice"
+
+case "$-" in
+  *i*) interactive=1 ;;
+  *) interactive=0 ;;
+esac
+
+if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ]; then
+  echo ""
+  echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
+  echo "  Example: ssh-keygen -t ed25519"
+  echo "           ssh-copy-id dietpi@pikit.local"
+  echo ""
+  rm -f "$FLAG" 2>/dev/null || true
+fi