diff --git a/changelogs/fragments/fix-create-directory-permissions.yml b/changelogs/fragments/fix-create-directory-permissions.yml
new file mode 100644
index 00000000000..b61cdb40cea
--- /dev/null
+++ b/changelogs/fragments/fix-create-directory-permissions.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - Create ~/.ssh/ with a specific permissions for security if it's not exist (https://github.com/ansible/ansible/issues/84286)
+  - Optimize code for _save_ssh_host_keys() in paramiko_ssh.py to reduce duplicate code
\ No newline at end of file
diff --git a/lib/ansible/plugins/connection/paramiko_ssh.py b/lib/ansible/plugins/connection/paramiko_ssh.py
index 239c1bdd5f8..b27d42482ab 100644
--- a/lib/ansible/plugins/connection/paramiko_ssh.py
+++ b/lib/ansible/plugins/connection/paramiko_ssh.py
@@ -605,25 +605,26 @@ class Connection(ConnectionBase):
             return
         path = os.path.expanduser("~/.ssh")
-        makedirs_safe(path)
+        makedirs_safe(path, mode=0o700)
         with open(filename, 'w') as f:
+            keys_added_by_ansible = []
             for hostname, keys in self.ssh._host_keys.items():
                 for keytype, key in keys.items():
                     # was f.write
                     added_this_time = getattr(key, '_added_by_ansible_this_time', False)
+                    line_data = (hostname, keytype, key.get_base64())
                     if not added_this_time:
-                        f.write("%s %s %s\n" % (hostname, keytype, key.get_base64()))
+                        f.write("%s %s %s\n" % line_data)
+                    else:
+                        keys_added_by_ansible.append(line_data)
-            for hostname, keys in self.ssh._host_keys.items():
+            for line_data in keys_added_by_ansible:
-                for keytype, key in keys.items():
-                    added_this_time = getattr(key, '_added_by_ansible_this_time', False)
-                    if added_this_time:
-                        f.write("%s %s %s\n" % (hostname, keytype, key.get_base64()))
+                f.write("%s %s %s\n" % line_data)
     def reset(self) -> None:
         if not self._connected:
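Review bot: `makedirs_safe(path, mode=0o700)` only sets the mode of a directory it creates; an existing `~/.ssh` with wider permissions keeps its current mode, so this change protects fresh directories but does not tighten ones that already exist, and the same applies to `makedirs_safe(dirname, mode=0o700)` in the second hunk. If that is the intended scope, a comment on the call makes it explicit, e.g. `# 0o700 applies only when the directory is created here; an existing ~/.ssh keeps its current mode`. Separately, the `# was f.write` comment above `added_this_time` no longer describes anything in the rewritten loop; replacing it with one that explains the deferred second pass would help, e.g. `# Write keys that were already known first, then the ones learned this session, so new entries end up appended.` The enclosing `_save_ssh_host_keys` starts outside the hunk.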
@@ -650,7 +651,7 @@ class Connection(ConnectionBase):
         # that are starting up.)
         lockfile = self.keyfile.replace("known_hosts", ".known_hosts.lock")
         dirname = os.path.dirname(self.keyfile)
-        makedirs_safe(dirname)
+        makedirs_safe(dirname, mode=0o700)
         KEY_LOCK = open(lockfile, 'w')
         fcntl.lockf(KEY_LOCK, fcntl.LOCK_EX)
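Review bot: The directory secured here is `os.path.dirname(self.keyfile)`, while the first hunk secures `os.path.expanduser("~/.ssh")` and then writes to `filename`; the two are derived from different sources, so if `filename` (presumably `self.keyfile`) ever points outside `~/.ssh`, `_save_ssh_host_keys` creates a directory it never writes to and the actual target gets no directory or mode guarantee. Deriving both the same way, `makedirs_safe(os.path.dirname(filename), mode=0o700)` in `_save_ssh_host_keys`, keeps the two call sites consistent and ties the 0o700 to the file that is actually written. The enclosing method starts and ends outside this hunk.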