It seems the suggested workaround does not work with the actual executable name "nc.openbsd":
~ $ which ssh /usr/bin/ssh ~ $ cat ~/.ssh/config Host testserver Hostname aasdfasdfasdfkfshd.onion ~ $ firejail --noblacklist=/bin/nc.openbsd ssh \ -oProxyCommand="/bin/nc.openbsd -x 127.0.0.1:9050 %h %p" testserver /bin/bash: /bin/nc.openbsd: Permission denied /bin/bash: line 0: exec: /bin/nc.openbsd: cannot execute: Permission denied ssh_exchange_identification: Connection closed by remote host These work: firejail --noblacklist='${PATH}/nc' --noblacklist=/bin/nc.openbsd ssh \ -oProxyCommand="/bin/nc.openbsd -x 127.0.0.1:9050 %h %p" testserver firejail --noblacklist='${PATH}/nc' ssh \ -oProxyCommand="nc --x 127.0.0.1:9050 %h %p" testserver This is confusing, but perhaps required. You can close this issue if you think that's appropriate.