diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
index 767cd08..2b55bd2 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -8,14 +8,9 @@
 ## Used for SSH client key management
 ## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
 ## Debian installs ssh-agent with setgid permissions (2755) and with
-## _ssh as the group to prevent ptrace attacks that could extract
-## private keys from the agent's memory. However, as Kicksecure makes use
-## of kernel.yama.ptrace_scope=2 by default, this is not a concern.
-##
-## ssh-agent is often run under non-root users, so 755 permissions make
-## sense here to avoid breakage.
-/usr/bin/ssh-agent exactwhitelist
-/usr/bin/ssh-agent 755 root root
+## _ssh as the group to help mitigate ptrace attacks that could extract
+## private keys from the agent's memory.
+ssh-agent matchwhitelist
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign