diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
index 5415197..767cd08 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -14,6 +14,7 @@
 ##
 ## ssh-agent is often run under non-root users, so 755 permissions make
 ## sense here to avoid breakage.
+/usr/bin/ssh-agent exactwhitelist
 /usr/bin/ssh-agent 755 root root
 
 ## Used only for SSH host-based authentication