From b91b10552c0d8ec3eb8ddc738869b1ba5ff407bc Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 25 Mar 2026 12:59:40 -0400
Subject: [PATCH] EL10 doesn't do setgid keysign chmod 600 instead
---
 .../el10-diskless/profiles/default/scripts/imageboot.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/confluent_osdeploy/el10-diskless/profiles/default/scripts/imageboot.sh b/confluent_osdeploy/el10-diskless/profiles/default/scripts/imageboot.sh
index d6880ff4..df34883d 100644
--- a/confluent_osdeploy/el10-diskless/profiles/default/scripts/imageboot.sh
+++ b/confluent_osdeploy/el10-diskless/profiles/default/scripts/imageboot.sh
@@ -142,7 +142,7 @@ echo ' EnableSSHKeysign yes' >> $sshconf
 echo ' HostbasedKeyTypes *ed25519*' >> $sshconf
 curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" https://$confluent_whost/confluent-api/self/nodelist > /sysroot/etc/ssh/shosts.equiv
 cp /sysroot/etc/ssh/shosts.equiv /sysroot/root/.shosts
-chmod 640 /sysroot/etc/ssh/*_key
+chmod 600 /sysroot/etc/ssh/*_key
 cp /tls/*.pem /sysroot/etc/pki/ca-trust/source/anchors/
 chroot /sysroot/ update-ca-trust
 curl -sf https://$confluent_whost/confluent-public/os/$confluent_profile/scripts/onboot.service > /sysroot/etc/systemd/system/onboot.service
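Review bot: The new `chmod 600 /sysroot/etc/ssh/*_key` line carries no comment saying why this profile uses owner-only host keys, so a later sync with a profile that still uses 640 could quietly reintroduce group-readable private keys. I would put the reason from the commit subject above it: `# EL10: ssh-keysign is not setgid, so host private keys are owner-only (0600)`. chmod changes the mode only, so it is worth confirming that the keys in the image are owned by root at this point, and adding `chown root:root /sysroot/etc/ssh/*_key` next to it if earlier lines outside the hunk do not guarantee that. The surrounding lines still set `EnableSSHKeysign yes` and host-based authentication, which presumably only works if ssh-keysign in the EL10 image can read 0600 keys by some other means; that should be tested on a booted node, since the script continues outside this hunk and no such check is visible here.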