diff --git a/openssh.spec b/openssh.spec
index da91ad96cc1037f2c113a18bdae5f8c3105c1f20..2e06ed9e6f703bc8b3a02f9378974fc8b8519733 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -604,7 +604,7 @@ popd
 %generate_compatibility_deps
 
 %pre server
-%sysusers_create_compat %{SOURCE20}
+%sysusers_create_compat %{SOURCE19}
 # We want to remove group ownership for standard host keys if they exist
 test -f /etc/ssh/ssh_host_rsa_key     && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key     || :
 test -f /etc/ssh/ssh_host_ecdsa_key   && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key   || :
@@ -721,6 +721,7 @@ test -f %{sysconfig_anaconda} && \
 %changelog
 * Mon Feb 20 2023 Funda Wang <fundawang@yeah.net> - 9.0p1-3
 - Enable libfido2 support
+- bugfix the ssh_keys not exist in /etc/group
 
 * Fri Feb 17 2023 Funda Wang <fundawang@yeah.net> - 9.0p1-2
 - Add switch for libfido2 support
diff --git a/sshd-keygen b/sshd-keygen
index 141814c5947c179a2e8337be7ca1012d23e8d01c..170ada07a9d0f48a49dd00405fb8509ef1b5678b 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -30,8 +30,7 @@ if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
 fi
 
 # sanitize permissions
-/usr/bin/chgrp ssh_keys $KEY
-/usr/bin/chmod 640 $KEY
+/usr/bin/chmod 600 $KEY
 /usr/bin/chmod 644 $KEY.pub
 if [[ -x /usr/sbin/restorecon ]]; then
 	/usr/sbin/restorecon $KEY{,.pub}