Enhance setup script to check for existing sysadmin user password and change it if set to default. Disable SSH login for sysadmin and lock the sysadmin password for improved security during setup.

setup.sh

@@ -323,6 +323,17 @@ create_sysadmin_user() {
     if id "$SYSADMIN_USER" &>/dev/null; then
         warn "User $SYSADMIN_USER already exists, skipping creation"
         SYSADMIN_USER_CREATED="no"
+        
+        # Check if the existing user has the default password "hhh"
+        if echo "hhh" | su - "$SYSADMIN_USER" -c "exit" 2>/dev/null; then
+            warn "User $SYSADMIN_USER has default password 'hhh', changing to random password"
+            local random_password=$(openssl rand -base64 12)
+            echo "$SYSADMIN_USER:$random_password" | chpasswd
+            echo "=========================================="
+            echo "NEW PASSWORD for $SYSADMIN_USER: $random_password"
+            echo "=========================================="
+            log "Password changed for existing user $SYSADMIN_USER"
+        fi
     else
         # Create user with home directory
         useradd -m -s /bin/bash "$SYSADMIN_USER"
@@ -399,6 +410,10 @@ configure_security() {
     sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
     sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
     
+    # Disable sysadmin SSH login
+    log "Disabling sysadmin SSH login..."
+    echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
+    
     # Configure SSH settings
     log "Applying SSH security settings..."
     
@@ -440,6 +455,10 @@ configure_security() {
     log "Locking root password..."
     passwd -l root
     
+    # Lock sysadmin password
+    log "Locking sysadmin password..."
+    passwd -l "$SYSADMIN_USER"
+    
     # Configure firewall if requested
     if [[ "$USE_UFW" == "yes" ]]; then
         configure_ufw