···11+# SSH client config.
22+#
33+# Private keys live in 1Password; its agent serves them (IdentityAgent below).
44+# Each host pins ONE key by its PUBLIC half via IdentitiesOnly + IdentityFile,
55+# so a connection offers only the right key -- no "too many authentication
66+# failures" from the agent dumping every key. The .pub files stay on disk
77+# (public keys aren't secret); the private keys do not.
88+#
99+# ssh resolves each option first-match-wins, so specific hosts MUST come before
1010+# `Host *` (which only supplies the shared IdentityAgent).
1111+1212+Host github.com
1313+ User git
1414+ IdentitiesOnly yes
1515+ IdentityFile ~/.ssh/id_ed25519.pub
1616+1717+Host knot.jni.codes
1818+ IdentitiesOnly yes
1919+ IdentityFile ~/.ssh/id_ed25519.pub
2020+2121+Host codeberg.org
2222+ User git
2323+ IdentitiesOnly yes
2424+ IdentityFile ~/.ssh/codeberg.pub
2525+2626+Host *
2727+ IdentityAgent ~/.1password/agent.sock