#!/usr/bin/env sh
# Install as /etc/profile.d/pikit-first-login.sh
# Prints a one-time SSH hardening tip after the forced password change.

FLAG="/var/lib/pikit/first-login.notice"

case "$-" in
  *i*) interactive=1 ;;
  *) interactive=0 ;;
esac

if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ]; then
  echo ""
  echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
  echo "  Example: ssh-keygen -t ed25519"
  echo "           ssh-copy-id dietpi@pikit.local"
  echo ""
  rm -f "$FLAG" 2>/dev/null || true
fi