3 files changed, 9 insertions, 1 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ae84ee38a..f3d685d18 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -458,7 +458,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
 
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -493,6 +493,12 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+blacklist /usr/lib/openssh/ssh-keysign
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
 
 # other SUID binaries
 blacklist /usr/lib/virtualbox
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 11723664f..9d3fe9637 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -11,6 +11,7 @@ include allow-ssh.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+noblacklist /usr/lib/openssh/ssh-keysign
 
 include disable-common.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 9295013e7..194b2082c 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -10,6 +10,7 @@ include globals.local
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
+noblacklist /usr/lib/openssh/ssh-keysign
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc