diff --git a/lyrathorpe/home/shell.nix b/lyrathorpe/home/shell.nix
index 8d4bd9f..eae0552 100644
--- a/lyrathorpe/home/shell.nix
+++ b/lyrathorpe/home/shell.nix
@@ -245,9 +245,13 @@
         ControlPath = "~/.ssh/master-%r@%n:%p";
         ControlPersist = "no";
       }
-      # macOS: also cache the passphrase in the login keychain. UseKeychain is
-      # unknown to non-Apple openssh, so only emit it on Darwin.
+      # macOS: also cache the passphrase in the login keychain. UseKeychain
+      # exists only in Apple's ssh; nixpkgs' openssh (which may be the `ssh` on
+      # PATH) rejects it as "Bad configuration option". IgnoreUnknown (emitted
+      # first by the module) makes any non-Apple ssh skip it instead of erroring,
+      # while Apple's ssh still honours it. Darwin-only.
       // lib.optionalAttrs pkgs.stdenv.hostPlatform.isDarwin {
+        IgnoreUnknown = "UseKeychain";
         UseKeychain = "yes";
       };
       # Gitea remote (the flake's origin) -- required on every host. HostName