diff --git a/etc/permission-hardening.d/25_default_whitelist_ssh.conf b/etc/permission-hardening.d/25_default_whitelist_ssh.conf
new file mode 100644
index 0000000..678b2f6
--- /dev/null
+++ b/etc/permission-hardening.d/25_default_whitelist_ssh.conf
@@ -0,0 +1,11 @@
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+ssh-agent matchwhitelist
+ssh-keysign matchwhitelist
+/lib/openssh matchwhitelist