diff --git a/openssh-8.7p1-sftp-default-protocol.patch b/openssh-8.7p1-sftp-default-protocol.patch
deleted file mode 100644
index 9c431cc..0000000
--- a/openssh-8.7p1-sftp-default-protocol.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-diff --git a/scp.1 b/scp.1
-index 68aac04b..a96e95ad 100644
---- a/scp.1
-+++ b/scp.1
-@@ -8,9 +8,9 @@
- .\"
- .\" Created: Sun May  7 00:14:37 1995 ylo
- .\"
--.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
-+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
- .\"
--.Dd $Mdocdate: August 11 2021 $
-+.Dd $Mdocdate: September 8 2021 $
- .Dt SCP 1
- .Os
- .Sh NAME
-@@ -18,7 +18,7 @@
- .Nd OpenSSH secure file copy
- .Sh SYNOPSIS
- .Nm scp
--.Op Fl 346ABCOpqRrsTv
-+.Op Fl 346ABCOpqRrTv
- .Op Fl c Ar cipher
- .Op Fl D Ar sftp_server_path
- .Op Fl F Ar ssh_config
-@@ -37,9 +37,6 @@ It uses
- .Xr ssh 1
- for data transfer, and uses the same authentication and provides the
- same security as a login session.
--The scp protocol requires execution of the remote user's shell to perform
--.Xr glob 3
--pattern matching.
- .Pp
- .Nm
- will ask for passwords or passphrases if they are needed for
-@@ -79,7 +76,9 @@ The options are as follows:
- Copies between two remote hosts are transferred through the local host.
- Without this option the data is copied directly between the two remote
- hosts.
--Note that, when using the legacy SCP protocol (the default), this option
-+Note that, when using the legacy SCP protocol (via the
-+.Fl O
-+flag), this option
- selects batch mode for the second host as
- .Nm
- cannot ask for passwords or passphrases for both hosts.
-@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
- .It Fl O
- Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
- Forcing the use of the SCP protocol may be necessary for servers that do
--not implement SFTP or for backwards-compatibility for particular filename
--wildcard patterns.
--This mode is the default.
-+not implement SFTP, for backwards-compatibility for particular filename
-+wildcard patterns and for expanding paths with a
-+.Sq ~
-+prefix for older SFTP servers.
- .It Fl o Ar ssh_option
- Can be used to pass options to
- .Nm ssh
-@@ -258,16 +258,6 @@ to use for the encrypted connection.
- The program must understand
- .Xr ssh 1
- options.
--.It Fl s
--Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
--Using SFTP avoids invoking a shell on the remote side and provides
--more predictable filename handling, as the SCP protocol
--relied on the remote shell for expanding
--.Xr glob 3
--wildcards.
--.Pp
--A near-future release of OpenSSH will make the SFTP protocol the default.
--This option will be deleted before the end of 2022.
- .It Fl T
- Disable strict filename checking.
- By default when copying files from a remote host to a local directory
-@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
- .Xr ssh_config 5 ,
- .Xr sftp-server 8 ,
- .Xr sshd 8
-+.Sh CAVEATS
-+The original scp protocol (selected by the
-+.Fl O
-+flag) requires execution of the remote user's shell to perform
-+.Xr glob 3
-+pattern matching.
-+This requires careful quoting of any characters that have special meaning to
-+the remote shell, such as quote characters.
- .Sh HISTORY
- .Nm
- is based on the rcp program in
- .Bx
- source code from the Regents of the University of California.
-+.Pp
-+Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
-+.Nm
-+has use the SFTP protocol for transfers by default.
- .Sh AUTHORS
- .An Timo Rinne Aq Mt tri@iki.fi
- .An Tatu Ylonen Aq Mt ylo@cs.hut.fi
-diff --git a/scp.c b/scp.c
-index e039350c..c7cf7529 100644
---- a/scp.c
-+++ b/scp.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: scp.c,v 1.239 2021/09/20 06:53:56 djm Exp $ */
-+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
- /*
-  * scp - secure remote copy.  This is basically patched BSD rcp which
-  * uses ssh to do the data transfer (instead of using rcmd).
-@@ -448,7 +448,7 @@ main(int argc, char **argv)
- 	const char *errstr;
- 	extern char *optarg;
- 	extern int optind;
--	enum scp_mode_e mode = MODE_SCP;
-+	enum scp_mode_e mode = MODE_SFTP;
- 	char *sftp_direct = NULL;
- 
- 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-@@ -1983,7 +1983,7 @@ void
- usage(void)
- {
- 	(void) fprintf(stderr,
--	    "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
-+	    "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
- 	    "           [-i identity_file] [-J destination] [-l limit]\n"
- 	    "           [-o ssh_option] [-P port] [-S program] source ... target\n");
- 	exit(1);
diff --git a/sshd-keygen b/sshd-keygen
index 141814c..efd876c 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -31,8 +31,8 @@ fi
 
 # sanitize permissions
 /usr/bin/chgrp ssh_keys $KEY
-/usr/bin/chmod 640 $KEY
-/usr/bin/chmod 644 $KEY.pub
+/usr/bin/chmod 400 $KEY
+/usr/bin/chmod 400 $KEY.pub
 if [[ -x /usr/sbin/restorecon ]]; then
 	/usr/sbin/restorecon $KEY{,.pub}
 fi