--- a/cli-main.c	Sun Feb 18 11:22:13 2018 +0800
+++ b/cli-main.c	Sun Feb 18 15:12:15 2018 +0800
@@ -158,6 +158,21 @@
 	size_t ex_cmdlen;
 	int ret;
 
+	/* File descriptor "-j &3" */
+	if (*cli_opts.proxycmd == '&') {
+		char *p = cli_opts.proxycmd + 1;
+		int sock = strtoul(p, &p, 10);
+		/* must be a single number, and not stdin/stdout/stderr */
+		if (sock > 2 && sock < 1024 && *p == '\0') {
+			*sock_in = sock;
+			*sock_out = sock;
+			return;
+		}
+	}
+
+	/* Normal proxycommand */
+
+	/* So that spawn_command knows which shell to run */
 	fill_passwd(cli_opts.own_user);
 
 	ex_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */

--- a/dbclient.1	Sun Feb 18 11:22:13 2018 +0800
+++ b/dbclient.1	Sun Feb 18 15:12:15 2018 +0800
@@ -111,11 +111,22 @@
 .B \-I \fIidle_timeout
 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
 .TP
+
+.\" TODO: how to avoid a line break between these two -J arguments?
 .B \-J \fIproxy_command
+.TP
+.B \-J \fI&fd
+.br
 Use the standard input/output of the program \fIproxy_command\fR rather than using
 a normal TCP connection. A hostname should be still be provided, as this is used for
 comparing saved hostkeys. This command will be executed as "exec proxy_command ..." with the
 default shell.
+
+The second form &fd will make dbclient use the numeric file descriptor as a socket. This
+can be used for more complex tunnelling scenarios. Example usage with socat is
+
+socat EXEC:'dbclient -J &38 ev',fdin=38,fdout=38 TCP4:host.example.com:22
+
 .TP
 .B \-B \fIendhost:endport
 "Netcat-alike" mode, where Dropbear will connect to the given host, then create a