diff --git a/backport-Fix-permission-of-SSH-host-keys-1971.patch b/backport-Fix-permission-of-SSH-host-keys-1971.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2f08364078cfdfe04cf44dce63da1a885543c279
--- /dev/null
+++ b/backport-Fix-permission-of-SSH-host-keys-1971.patch
@@ -0,0 +1,60 @@
+From 94a00492b11995dd9278605eb29ee4b096ce3a90 Mon Sep 17 00:00:00 2001
+From: Ron Gebauer
+Date: Wed, 25 Jan 2023 22:40:32 +0100
+Subject: [PATCH] Fix permission of SSH host keys (#1971)
+
+If the host-keys are provided the private key permissions have 0600
+which is indeed correct. But the public key has 0600 which should
+instead be 0644.
+
+With this change the public key is always 0644 and the private key
+is 0600 if provided or 640 if generated (to match sshd-keygen
+functionality).
+---
+ cloudinit/config/cc_ssh.py | 4 ++--
+ tests/unittests/config/test_cc_ssh.py | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 33c1fd0..6210627 100644
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -185,8 +185,8 @@ for k in GENERATE_KEY_NAMES:
+ CONFIG_KEY_TO_FILE.update(
+ {
+ f"{k}_private": (KEY_FILE_TPL % k, 0o600),
+- f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
+- f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
++ f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
++ f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644),
+ }
+ )
+ PRIV_TO_PUB[f"{k}_private"] = f"{k}_public"
+diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
+index 47c0c77..c41a50b 100644
+--- a/tests/unittests/config/test_cc_ssh.py
++++ b/tests/unittests/config/test_cc_ssh.py
+@@ -311,17 +311,17 @@ class TestHandleSsh:
+ mock.call(
+ "/etc/ssh/ssh_host_{}_key".format(key_type),
+ private_value,
+- 384,
++ 0o600,
+ ),
+ mock.call(
+ "/etc/ssh/ssh_host_{}_key.pub".format(key_type),
+ public_value,
+- 384,
++ 0o644,
+ ),
+ mock.call(
+ "/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
+ cert_value,
+- 384,
++ 0o644,
+ ),
+ mock.call(
+ "/etc/ssh/sshd_config",
+--
+2.39.1
+
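Review bot: The backported description only talks about the public key, but the nested cc_ssh.py hunk also relaxes `f"{k}_certificate"` from 0o600 to 0o644, so the packaging record should name that file too rather than leaving the reader to diff the table against the message. Since the upstream commit text should stay as backported, the right place is the spec changelog bullet, e.g. `- Fix permission of SSH host keys: private 0600, public and certificate 0644`. The 384 → 0o600 edits in the test hunk are value-neutral (384 is 0o600) and only pin the provided-key path; the generated-key path is not exercised by this patch. The enclosing `for k in GENERATE_KEY_NAMES:` loop starts outside the nested hunk.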
diff --git a/cloud-init.spec b/cloud-init.spec
index f683a3a9dab2807ceb76a842a52377b7017cc1e1..5c85efefc6cbf9e5d91c4ec70dd7e6ed710ae41e 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
Name: cloud-init
Version: 22.2
-Release: 5
+Release: 6
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
License: ASL 2.0 or GPLv3
URL: http://launchpad.net/cloud-init
@@ -13,6 +13,9 @@ Patch1: bugfix-cloud-init-add-os-support.patch
Patch2: bugfix-sort-requirements.patch
Patch3: add-variable-to-forbid-tmp-dir.patch
Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
+Patch5: backport-Fix-permission-of-SSH-host-keys-1971.patch
+
+Patch9000: fix-permission-of-the-private-key.patch
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
@@ -127,6 +130,9 @@ fi
%exclude /usr/share/doc/*
%changelog
+* Tue Mar 14 2023 shixuantong - 22.2-6
+- Fix permission of SSH host keys
+
* Thu Feb 02 2023 shixuantong - 22.2-5 - revert make the same authentication behavior for arm and x86 machine
diff --git a/fix-permission-of-the-private-key.patch b/fix-permission-of-the-private-key.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f0cb23b7b72c623c51d80655fa9a049f852bfd3
--- /dev/null
+++ b/fix-permission-of-the-private-key.patch
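Review bot: Patch9000 deliberately overrides the behaviour Patch5 just backported (generated host private keys 0o640 upstream, 0o600 locally), yet nothing in the spec or the changelog says so; the only changelog bullet names the upstream fix. A reader rebasing this package later will not know whether the local patch is still wanted. Add a comment above the tag, `# local: generated SSH host private keys get 0600 instead of upstream's sshd-keygen-style 0640`, and a second changelog bullet, `- Set generated SSH host private keys to 0600 (fix-permission-of-the-private-key.patch)`. The jump from Patch5 to Patch9000 reads as a convention separating backports from local patches, and the %prep section that applies them is outside this section, so whether both are applied cannot be confirmed here.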
@@ -0,0 +1,25 @@
+From ef18ff5a437e9abe91c81289157a4e846169736a Mon Sep 17 00:00:00 2001
+From: shixuantong
+Date: Tue, 14 Mar 2023 07:38:03 +0000
+Subject: [PATCH] fix permission of the private key
+
+---
+ cloudinit/config/cc_ssh.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 6210627..bc4a158 100644
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -274,7 +274,7 @@ def handle(_name, cfg, cloud: Cloud, log: Logger, _args):
+ if gid != -1:
+ # perform same "sanitize permissions" as sshd-keygen
+ os.chown(keyfile, -1, gid)
+- os.chmod(keyfile, 0o640)
++ os.chmod(keyfile, 0o600)
+ os.chmod(keyfile + ".pub", 0o644)
+ except subp.ProcessExecutionError as e:
+ err = util.decode_binary(e.stderr).lower()
+--
+2.39.1
+
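Review bot: The comment left above the changed line, `# perform same "sanitize permissions" as sshd-keygen`, is now wrong: the backported description in Patch5 states that 0640 was chosen to match sshd-keygen, and this hunk tightens it to 0o600, which also makes the preceding `os.chown(keyfile, -1, gid)` grant nothing since no group bits remain. Update the comment so the next reader does not "fix" it back, e.g. `# stricter than sshd-keygen's 0640: group read is dropped even when a key group was found`, and state the rationale in the patch's empty body text. No test hunk accompanies the change; if a unit test pins 0o640 for the generated-key path it will need the same update. The enclosing `handle` function begins and ends outside the nested hunk, so the `gid` lookup and the `try` this `except` belongs to are not visible here.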