diff --git a/scripts/setup-ssh.sh b/scripts/setup-ssh.sh index b22b85b..790b247 100755 --- a/scripts/setup-ssh.sh +++ b/scripts/setup-ssh.sh @@ -4,10 +4,11 @@ # # This script: # 1. Creates a `cli` system user with /usr/local/bin/toes as shell -# 2. Sets an empty password on `cli` for passwordless SSH -# 3. Adds a Match block in sshd_config to allow empty passwords for `cli` -# 4. Adds /usr/local/bin/toes to /etc/shells -# 5. Restarts sshd +# 2. Suppresses login banner via .hushlogin +# 3. Sets an empty password on `cli` for passwordless SSH +# 4. Adds a Match block in sshd_config to allow empty passwords for `cli` +# 5. Adds /usr/local/bin/toes to /etc/shells +# 6. Restarts sshd # # Run as root on the toes machine. # Usage: ssh cli@toes.local @@ -27,11 +28,16 @@ else echo " cli user already exists" fi -# 2. Set empty password +# 2. Suppress login banner (MOTD, last login, etc.) +touch /home/cli/.hushlogin +chown cli:cli /home/cli/.hushlogin 2>/dev/null || true +echo " Created .hushlogin" + +# 3. Set empty password passwd -d cli echo " Set empty password on cli" -# 3. Add Match block for cli user in sshd_config +# 4. Add Match block for cli user in sshd_config if ! grep -q 'Match User cli' "$SSHD_CONFIG"; then cat >> "$SSHD_CONFIG" <> /etc/shells echo " Added $TOES_SHELL to /etc/shells" @@ -58,7 +64,7 @@ if [ ! -f "$TOES_SHELL" ]; then echo " Create it with: ln -sf /path/to/toes/cli $TOES_SHELL" fi -# 5. Restart sshd +# 6. Restart sshd echo " Restarting sshd..." systemctl restart sshd || service ssh restart || true
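Review bot: In the new step 2, `touch /home/cli/.hushlogin` and `chown cli:cli /home/cli/.hushlogin` run as root inside a directory owned by an account that this same script leaves with an empty password, and both commands follow symlinks. The script is meant to be re-runnable (see the `cli user already exists` branch just above), so on a later run a link sitting at that path would have its target created or re-owned to `cli`; whether the `toes` shell lets a session create such a link is not visible here. `.hushlogin` only needs to exist, so the simplest fix is to drop the chown and leave the file root-owned, or otherwise use `chown -h cli:cli /home/cli/.hushlogin`. The `2>/dev/null || true` also hides a failed chown, and the hard-coded path assumes the home directory is `/home/cli`, which depends on the user-creation command outside this hunk.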