How does ssh ProxyCommand actually work?
Solution 1:
3) A netcat tunnel is created from bastion.com to port 22 of final.com.
False, there's no netcat.
1) The user enters ssh final on localhost. This launches the parent ssh process
2) The parent ssh creates a child ssh with I/O redirected to pipes
3) The child ssh creates a connection to bastion.com.
4) The sshd process on bastion.com creates a tcp connection to final.com:22
5) An ssh channel is added to existing ssh connection between localhost and bastion.com
6) Parent ssh writes the handshake data to the pipe, the child ssh reads it from the pipe, sends via the ssh channel to sshd on bastion.com; sshd reads it and writes it to the socket connected to final.com. Similarly, the data is transmitted from final.com to localhost
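The pipe hand-off in steps 2 and 6, sketched as an added example that is not part of the original answer: a parent process exchanges SSH-style banner lines with a target purely through a child's stdin/stdout. The relay child and the local listener are constructed stand-ins for the child ssh and for final.com:22; no real ssh or encryption is involved.

```python
import os
import socket
import subprocess
import sys
import threading

# Child "proxy command" (stand-in for the child ssh): copies stdin -> socket
# and socket -> stdout, the stdio contract a ProxyCommand must honour.
RELAY = r"""
import os, socket, sys, threading
s = socket.create_connection((sys.argv[1], int(sys.argv[2])))
def up():
    while (d := os.read(0, 4096)):
        s.sendall(d)
    s.shutdown(socket.SHUT_WR)
threading.Thread(target=up, daemon=True).start()
while (d := s.recv(4096)):
    os.write(1, d)
"""

def fake_target(listener, seen):
    """Constructed stand-in for final.com:22: sends a banner, records the client's."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"SSH-2.0-constructed_target\r\n")
        seen.append(f.readline())

def handshake_via_proxy():
    listener = socket.create_server(("127.0.0.1", 0))
    host, port = listener.getsockname()
    seen = []
    t = threading.Thread(target=fake_target, args=(listener, seen))
    t.start()
    # Step 2: the parent spawns the child with its I/O redirected to pipes.
    with subprocess.Popen([sys.executable, "-c", RELAY, host, str(port)],
                          stdin=subprocess.PIPE, stdout=subprocess.PIPE) as child:
        # Step 6: handshake data goes into the pipe; the parent opens no socket.
        child.stdin.write(b"SSH-2.0-constructed_client\r\n")
        child.stdin.flush()
        # The reply comes back over the child's stdout pipe.
        server_banner = child.stdout.readline()
        child.stdin.close()
        t.join()
    listener.close()
    return server_banner, seen[0]

if __name__ == "__main__":
    print(handshake_via_proxy())
```
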