jhuijsing has asked for the wisdom of the Perl Monks concerning the following question:

Has anyone successfully used Net::OpenSSH with CyberArk to ssh into CyberArk? The format of the command line is ark_user@rem_user@remote-host@cyberark-jump-host. I am passing the ark_user and password in %opts:
my $ssh = Net::OpenSSH->new( $node, %opts, master_opts => [ -o => "StrictHostKeyChecking=no" ] );
Net::OpenSSH barfs: Invalid or bad combination of options ('user') at ./ark-config.pl line 138. Running it through the debugger I can see it's failing in parse_connection_opts.

Replies are listed 'Best First'.
Re: Net::OpenSSH fails with CyberArk
by salva (Canon) on Jun 23, 2022 at 10:42 UTC
    Net::OpenSSH expects the target argument to be of the form user:password@host (where :password and user@ are optional) and that doesn't match your example above.

    Could you post a full example of a command line ssh invocation using CyberArk?

Re: Net::OpenSSH fails with CyberArk
by cavac (Prior) on Jun 23, 2022 at 13:26 UTC

    From what I can tell, Net::OpenSSH uses the same "style" of connection string as the normal command line ssh. Which is to say only one "@" allowed, I think.

    I don't know CyberArk, but it looks like you want to allow a server to play man-in-the-middle with your perfectly secure SSH connection?

    PerlMonks XP is useless? Not anymore: XPD - Do more with your PerlMonks XP
      This works from the command line
      ssh me@admin@remote.host@cyberark.internal.com
      ***********************************************************************
      * Access to this computer system is limited to authorised users only. *
      * Unauthorised users may be subject to prosecution under the Crimes   *
      * Act or State legislation                                            *
      *                                                                     *
      * Please note, ALL CUSTOMER DETAILS are confidential and must         *
      * not be disclosed.                                                   *
      ***********************************************************************
      me@admin@remote.host@cyberark.internal.com's password:
      This session is being recorded
      IF YOU ARE NOT AN AUTHORIZED USER, PLEASE EXIT IMMEDIATELY
      This system processes sensitive personal data. The misuse of such data may generate considerable harm to the data subjects.
      Be reminded of the confidentiality obligations you have when accessing this kind of data and the disciplinary consequences of improper handling.
      Last login: Thu Jun 23 03:35:31 2022 from 10.10.10.10
      internal.node-admin@ :~>
      It also works from PuTTY if you put the me@..... in the hostname field.
      I have put a primitive hack to get around the issue.
      if ( ( $target =~ tr/\@// ) < 2 ) {
          ($user, $passwd, $ipv6, $host, $port) =
              $target =~ m{^
                             \s*               # space
                             (?:
                               ([^:]+)         # username
                               (?::(.*))?      # : password
                               \@              # @
                             )?
                             (?:               # host
                                (              #   IPv6...
                                  \[$IPv6_re(?:\%[^\[\]]*)\] #     [IPv6]
                                  |            #     or
                                  $IPv6_re     #     IPv6
                                )
                                |              #   or
                                ([^\[\]\@:]+)  #   hostname / ipv4
                             )
                             (?::([^\@:]+))?   # port
                             \s*               # space
                           $}ix
                  or croak "bad host/target '$target' specification";
      }
      else {
          $host = $target;
      }

      My test script now returns
      # io3 fast, cin: 0, cout: 1, cerr: 0
      # stdout, bytes read: 26 at offset 0
      #> 4d 61 73 74 65 72 20 72 75 6e 6e 69 6e 67 20 28 70 69 64 3d 34 30 34 29 0d 0a | Master running (pid=404)..
      # io3 fast, cin: 0, cout: 1, cerr: 0
      # stdout, bytes read: 0 at offset 26
      # leaving _io3()
      # _waitpid(407) => pid: 407, rc: 0, err:
      main::(./ark-config.pl:142): say "Logged into Node";
      DB<1>

      But my capture is not working:
      my @out = $ssh->capture( { stdin_discard => 1, stderr_to_stdout => 1 }, $cmd );

        In order to avoid the incorrect parsing of the target argument you can call the (unmodified) Net::OpenSSH constructor as follows:
        $ssh = Net::OpenSSH->new('cyberark.internal.com', user => 'me@admin@remote.host', ...)

        Regarding the capture issue, well, you would have to show us the complete script and debugging output, otherwise it is impossible to know what is going on.

        Also, I don't know how CyberArk does its magic. Maybe it sets a wrapper for the real OpenSSH ssh command, and that may interfere with some of the more advanced usages of the command, such as the ones required by Net::OpenSSH.
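
The constructor call suggested in the last reply, written out as an added example that is not part of the original thread or of Net::OpenSSH itself: it splits the compound target at the last '@' and passes the user part through the `user` option, so the module is used unmodified. The helper name `split_compound_target`, the `ARK_PASSWORD` environment variable and the `hostname` command are assumptions; it also keeps host key checking on, which assumes the jump host's key is already in known_hosts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split a compound jump-host target such as
#   me@admin@remote.host@cyberark.internal.com
# at the LAST '@': everything before it is the login name handed to the
# jump host, everything after it is the host ssh actually connects to.
# (Hypothetical helper, not a Net::OpenSSH function.)
sub split_compound_target {
    my ($target) = @_;
    my $at = rindex($target, '@');
    die "no user part in '$target'\n" if $at < 1;
    my ($user, $host) = (substr($target, 0, $at), substr($target, $at + 1));
    # Keep the host part strict so nothing option-like reaches ssh.
    die "bad host part in '$target'\n"
        unless $host =~ /\A[A-Za-z0-9][A-Za-z0-9.-]*\z/;
    return ($user, $host);
}

# Connect only when run as a script; the split itself works offline.
unless (caller) {
    require Net::OpenSSH;
    # Target string taken from the thread; ARK_PASSWORD is a hypothetical
    # environment variable that keeps the password out of the source.
    my ($user, $host) =
        split_compound_target('me@admin@remote.host@cyberark.internal.com');
    my $ssh = Net::OpenSSH->new(
        $host,
        user        => $user,    # may contain '@'; not parsed as a target
        password    => $ENV{ARK_PASSWORD},
        master_opts => [ -o => 'StrictHostKeyChecking=yes' ],
    );
    $ssh->error and die "connection failed: " . $ssh->error . "\n";

    my @out = $ssh->capture({ stdin_discard => 1, stderr_to_stdout => 1 },
                            'hostname');
    $ssh->error and die "remote command failed: " . $ssh->error . "\n";
    print @out;
}
1;
```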