diff --git a/SOURCES/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch b/SOURCES/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
new file mode 100644
index 0000000..44ad400
--- /dev/null
+++ b/SOURCES/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
@@ -0,0 +1,97 @@
+From 478709d7c157a085e3b2fee432e24978a3485234 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed, 20 Oct 2021 16:28:42 +0200
+Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
+ (#1070)
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 32: cc_ssh.py: fix private key group owner and permissions (#1070)
+RH-Commit: [1/1] 0382c3f671ae0fa9cab23dfad1f636967b012148
+RH-Bugzilla: 2013644
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+
+commit ee296ced9c0a61b1484d850b807c601bcd670ec1
+Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date:   Tue Oct 19 21:32:10 2021 +0200
+
+    cc_ssh.py: fix private key group owner and permissions (#1070)
+
+    When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
+    in RHEL/CentOS/Fedora, openssh it performs the following:
+
+    # create new keys
+    if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+            exit 1
+    fi
+
+    # sanitize permissions
+    /usr/bin/chgrp ssh_keys $KEY
+    /usr/bin/chmod 640 $KEY
+    /usr/bin/chmod 644 $KEY.pub
+    Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
+
+    Now that we disable sshd-keygen to allow only cloud-init to create
+    them, we miss the "sanitize permissions" part, where we set the group
+    owner as ssh_keys and the private key mode to 640.
+
+    According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
+    to set group ownership and permissions like openssh does makes the RHEL openscap
+    tool generate an error.
+
+    Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com
+
+    RHBZ: 2013644
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+---
+ cloudinit/config/cc_ssh.py |  7 +++++++
+ cloudinit/util.py          | 14 ++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 05a16dbc..4e986c55 100755
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
+                 try:
+                     out, err = subp.subp(cmd, capture=True, env=lang_c)
+                     sys.stdout.write(util.decode_binary(out))
++
++                    gid = util.get_group_id("ssh_keys")
++                    if gid != -1:
++                        # perform same "sanitize permissions" as sshd-keygen
++                        os.chown(keyfile, -1, gid)
++                        os.chmod(keyfile, 0o640)
++                        os.chmod(keyfile + ".pub", 0o644)
+                 except subp.ProcessExecutionError as e:
+                     err = util.decode_binary(e.stderr).lower()
+                     if (e.exit_code == 1 and
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 343976ad..fe37ae89 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -1831,6 +1831,20 @@ def chmod(path, mode):
+             os.chmod(path, real_mode)
+ 
+ 
++def get_group_id(grp_name: str) -> int:
++    """
++    Returns the group id of a group name, or -1 if no group exists
++
++    @param grp_name: the name of the group
++    """
++    gid = -1
++    try:
++        gid = grp.getgrnam(grp_name).gr_gid
++    except KeyError:
++        LOG.debug("Group %s is not a valid group name", grp_name)
++    return gid
++
++
+ def get_permissions(path: str) -> int:
+     """
+     Returns the octal permissions of the file/folder pointed by the path,
+-- 
+2.27.0
+
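Review bot: In the cc_ssh.py hunk the new os.chown/os.chmod calls sit inside a try whose only handler is `except subp.ProcessExecutionError`, so an OSError raised by them would escape handle() and abort generation of the remaining host key types, even though a failed sanitize step on its own leaves the key at ssh-keygen's original mode and could simply be logged. I would give the three calls their own `except OSError` and report through the `log` argument that handle() already receives; the chown-before-chmod order should be kept, since it means the key is never group-readable by any group other than ssh_keys. The util.py hunk's get_group_id relies on `grp` and `LOG` already being imported in util.py, which this patch does not show. The enclosing loop in handle() starts and ends outside the hunk.
```python
                    gid = util.get_group_id("ssh_keys")
                    if gid != -1:
                        try:
                            # perform same "sanitize permissions" as sshd-keygen
                            os.chown(keyfile, -1, gid)
                            os.chmod(keyfile, 0o640)
                            os.chmod(keyfile + ".pub", 0o644)
                        except OSError as e:
                            log.warning(
                                "Failed to set group/permissions on %s: %s", keyfile, e
                            )
                # … unchanged: ProcessExecutionError handler …
```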
diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec
index 3d20d50..d625ef7 100644
--- a/SPECS/cloud-init.spec
+++ b/SPECS/cloud-init.spec
@@ -6,7 +6,7 @@
 
 Name:           cloud-init
 Version:        21.1
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Cloud instance init scripts
 
 Group:          System Environment/Base
@@ -36,6 +36,8 @@ Patch13: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch
 Patch14: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch
 # For bz#1862933 - cloud-init fails with ValueError: need more than 1 value to unpack[rhel-8]
 Patch15: ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch
+# For bz#2013644 - cloud-init fails to set host key permissions correctly
+Patch16: ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
 
 BuildArch:      noarch
 
@@ -227,6 +229,11 @@ fi
 %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 
 %changelog
+* Mon Oct 25 2021 Jon Maloy <jmaloy@redhat.com> - 21.1-9
+- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2013644]
+- Resolves: bz#2013644
+  (cloud-init fails to set host key permissions correctly)
+
 * Thu Sep 23 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-8
 - ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch [bz#1862933]
 - Resolves: bz#1862933