diff --git a/openssh-7.4p1-pkcs11-whitelist.patch b/openssh-7.4p1-pkcs11-whitelist.patch
new file mode 100644
index 0000000..36b4232
--- /dev/null
+++ b/openssh-7.4p1-pkcs11-whitelist.patch
@@ -0,0 +1,24 @@
+diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
+--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
++++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
+@@ -129,7 +129,7 @@ that may be added using the
+ option to
+ .Xr ssh-add 1 .
+ The default is to allow loading PKCS#11 libraries from
+-.Dq /usr/lib/*,/usr/local/lib/* .
++.Dq /usr/lib*/*,/usr/local/lib*/* .
+ PKCS#11 libraries that do not match the whitelist will be refused.
+ See PATTERNS in
+ .Xr ssh_config 5
+diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
+--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
++++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
+@@ -89,7 +89,7 @@
+ #endif
+ 
+ #ifndef DEFAULT_PKCS11_WHITELIST
+-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
++# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
+ #endif
+ 
+ typedef enum {
diff --git a/openssh.spec b/openssh.spec
index e45950c..718f604 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -227,6 +227,8 @@ Patch942: openssh-7.2p2-chroot-capabilities.patch
 Patch944: openssh-7.3p1-x11-max-displays.patch
 # Temporary workaround for upstream (#2641)
 Patch945: openssh-7.4p1-daemon.patch
+# Whitelist /usr/lib*/ as planed upstream to prevent breakage
+Patch946: openssh-7.4p1-pkcs11-whitelist.patch
 
 License: BSD
 
@@ -461,6 +463,7 @@ popd
 %patch942 -p1 -b .chroot-cap
 %patch944 -p1 -b .x11max
 %patch945 -p1 -b .daemon
+%patch946 -p1 -b .pkcs11-whitelist
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
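Review bot: The new default `DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"` is broader than the lib64/lib32 multilib case it appears to target, because ssh's pattern `*` does not stop at `/`, so any path at any depth under any directory whose name starts with `/usr/lib` (for example `/usr/libexec/`) is now accepted; the previous `/usr/lib/*` already had the any-depth property, so the widening is only in the prefix. That is sound only as long as every matched prefix is root-owned and not user-writable, which is what the whitelist actually relies on, and the embedded patch carries no header explaining that intent or which upstream change it mirrors. I would add a one-line description above the first `diff -up` line, e.g. `Widen the PKCS#11 provider whitelist to /usr/lib*/ and /usr/local/lib*/ so multilib library directories are accepted; matched prefixes must remain non-user-writable.` Whether the agent canonicalises the provider path with realpath() before matching, so that `..` segments cannot leave the prefix, is decided in code outside this hunk and should be confirmed rather than assumed.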
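Review bot: The added spec comment `# Whitelist /usr/lib*/ as planed upstream to prevent breakage` has a typo ("planed") and does not say what would break, which is the one thing a future maintainer deciding whether to drop the patch needs. I would change it to `# Widen the PKCS#11 whitelist to /usr/lib*/ (multilib lib64 paths), as planned upstream, so ssh-add -s keeps working` and, if a tracking bug or upstream reference exists, append it as the neighbouring Patch945 comment does; the multilib motivation is inferred from the glob and should be stated only if it is the actual reason. The second hunk's `%patch946 -p1 -b .pkcs11-whitelist` line is consistent with the other patch applications, but that hunk runs past the end of the visible text.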