diff --git a/system/machine/EDaaS/configuration.nix b/system/machine/EDaaS/configuration.nix
index e1a27f5..3136a89 100644
--- a/system/machine/EDaaS/configuration.nix
+++ b/system/machine/EDaaS/configuration.nix
@@ -42,6 +42,15 @@
 networking.resolvconf.enable = false;
+ # Drop the systemd-ssh-proxy Include from the generated /etc/ssh/ssh_config.
+ # The NixOS-WSL store is a read-only VHD whose files are owned by nobody
+ # (65534), not root. OpenSSH permission-checks Include'd config files and
+ # rejects any not owned by root or the caller, so the default include fails
+ # with "Bad owner or permissions" and breaks ssh/git for every command. The
+ # proxy plugin only matters for `ssh unix/…` / `vsock` to local machined VMs,
+ # which WSL does not use.
+ programs.ssh.systemd-ssh-proxy.enable = false;
+
 ## patch the script
 systemd.services.docker-desktop-proxy.script = lib.mkForce ''${config.wsl.wslConf.automount.root}/wsl/docker-desktop/docker-desktop-user-distro proxy --docker-desktop-root ${config.wsl.wslConf.automount.root}/wsl/docker-desktop "C:\Program Files\Docker\Docker\resources"'';
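Review bot: The added `programs.ssh.systemd-ssh-proxy.enable = false;` is set unconditionally and the comment above it gives no revert condition, so the workaround can outlive the ownership problem it describes. The comment traces the failure to store files owned by nobody (65534) rather than root; the owner check that rejects the Include is a protective control, so the comment should say that the root cause lies in the store's ownership and that dropping the include is a stopgap. I would append a line such as `# TODO: remove once store paths are root-owned again; re-check the owner of the Include'd file before re-enabling.` Presumably any other store-resident file that is subject to an owner check would fail the same way, which this hunk does not cover and which is worth a sentence in the comment. The enclosing attribute set starts and ends outside the hunk.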