SSH settings use ssh/config.d/ fragments with SSH's native Include directive. See doc/architecture.md and ADR 0024.
| File | Versioned | Purpose |
|---|---|---|
| `ssh/config.d/auth` | yes | `Host *` 1Password IdentityAgent |
| `ssh/config.d/term` | yes | `Host *` default `TERM=xterm-256color` |
| `~/.ssh/config.d/hosts` | no (gitignored) | per-host overrides |
| `~/.ssh/config.d/colima` | no (gitignored) | generated by `sshconfig.sh` if colima installed |

Add a per-host TERM override:

- Check what's available on the remote:

  ```
  toe -a | grep xterm-direct
  ```

- Add a `Host` block to `~/.ssh/config.d/hosts`:

  ```
  Host example.com
      SetEnv TERM=xterm-direct
  ```

Re-run setup after changes:

```
./sshconfig.sh
```

`Host *` in `ssh/config.d/auth` points at the 1Password agent. By default 1Password offers every key in the unlocked vault. Per-role allowlists live at `config/1password/agent.toml.<role>` and are symlinked to `~/.config/1Password/ssh/agent.toml` by `sshconfig.sh` based on `$DOTPICKLES_ROLE`. See ADR 0033.

To check what 1Password is currently offering:

```
SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l
```

- Edit `ssh/config.d/auth` and `ssh/config.d/term` for versioned changes
- Never edit `~/.ssh/config` directly -- it's managed by `sshconfig.sh`
- `~/.ssh/config.d/hosts` is machine-local and gitignored; recreate it per machine
- Never edit `~/.config/1Password/ssh/agent.toml` directly -- edit `config/1password/agent.toml.<role>` instead
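
A check for the allowlist rules above: the live `agent.toml` must be the symlink that `sshconfig.sh` creates for `$DOTPICKLES_ROLE`, never a file edited in place. This is an added example, not part of the repository; the function name, its arguments (checkout path, home directory, role) and its exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not part of sshconfig.sh. The exit codes below are this
# example's own convention.
#
# check_agent_allowlist REPO_DIR HOME_DIR ROLE
#   0  agent.toml is a symlink to config/1password/agent.toml.ROLE
#   1  agent.toml is missing, so no allowlist restricts the agent
#   2  agent.toml is a regular file (edited in place, not managed)
#   3  agent.toml is a symlink that resolves to some other file
#   4  no versioned allowlist exists for ROLE
check_agent_allowlist() {
    repo=$1
    home_dir=$2
    role=$3
    want="$repo/config/1password/agent.toml.$role"
    live="$home_dir/.config/1Password/ssh/agent.toml"

    if [ -z "$role" ] || [ ! -f "$want" ]; then
        echo "no versioned allowlist for role '$role': $want" >&2
        return 4
    fi
    # A dangling symlink fails -e but passes -L, so test both.
    if [ ! -e "$live" ] && [ ! -L "$live" ]; then
        echo "missing $live: the agent falls back to its default key offer" >&2
        return 1
    fi
    if [ ! -L "$live" ]; then
        echo "$live is a regular file; edit $want and re-run ./sshconfig.sh" >&2
        return 2
    fi
    # -ef compares device and inode, so relative and absolute link
    # targets are treated the same.
    if ! [ "$live" -ef "$want" ]; then
        echo "$live does not resolve to $want" >&2
        return 3
    fi
    return 0
}
```

Call it as `check_agent_allowlist /path/to/checkout "$HOME" "$DOTPICKLES_ROLE"`, where `/path/to/checkout` is a placeholder for the repository location.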