9

Often I have seen ssh commands like:

ssh user1@user2@<one-ip-address>@<second-ip-address>

At first I thought this was to ssh through another server. But several questions and examples, like "How do I SSH to machine A via B in one command?", give better solutions for reaching a server through ssh.

So, my question is: in what kind of scenarios do we have to use the above kind of ssh command? What is the destination of the ssh command?

Eliah Kagan
  • 117,780
  • 3
    "Often"? Can you show as an example somewhere? Because as far as ssh is concerned, everything before the last @ is just the username. – muru Jul 20 '20 at 10:04
  • @muru maybe using "often" is not valid globally. But I have seen this in lots of scenarios at my workplace. But I could not find the proper reason. – Vikum Dheemantha Jul 20 '20 at 11:53
  • 1
    @VikumDheemantha and you're certain it was user1@user2@ip1@ip2? Not user1@domain1@ip2? – muru Jul 20 '20 at 12:07
  • I have never seen that. – pLumo Jul 20 '20 at 13:18
  • 1
    @muru yes. There are 2 users; the entire command contains 3 '@' symbols. – Vikum Dheemantha Jul 20 '20 at 14:08
  • Then your company configuration is probably parsing the username at the server for some reason. That's something only your company can tell you why. – muru Jul 20 '20 at 14:22
  • @muru so what you mean is that there is no common scenario that uses SSH like this. – Vikum Dheemantha Jul 20 '20 at 14:32
  • 1
    I know of user@domain@hostname, which is for AD domain users, but I don't think I have ever seen user1@ip1@user2@ip2. – muru Jul 20 '20 at 14:39
  • @muru actually it is not user1@ip1@user2@ip2 as you mentioned in the comment. It is user1@user2@ip1@ip2. Even in the user@domain@hostname structure, IP addresses are useless, I think. – Vikum Dheemantha Jul 20 '20 at 14:44
  • 1
    Never seen that either. hostname could be IP in user@domain@hostname, hence the relevance. – muru Jul 20 '20 at 14:45
  • 4
    @VikumDheemantha You said you have often seen this command. Since none of us have ever seen this, can you post the link or reference where this exact command was used? – White Mars Aug 10 '20 at 11:37
  • 1
    There being "better solutions" doesn't mean that SSH can't do something else: I think you might be talking about ProxyJump (see e.g. Section 6 on ProxyJump here), which is mentioned on the page you link? – pbhj Aug 11 '20 at 02:51
  • 1
    @pbhj it seems proxy jump is the answer. So, can you add it here as an answer? So I can spend my bounty properly. – Vikum Dheemantha Aug 11 '20 at 04:49
  • You insisted that the entire command contained 3 @s. What was the actual command then? – muru Aug 21 '20 at 03:27

2 Answers

3

There's an SSH feature called ProxyJump:

ssh -J user1@proxy.server1.tld:port1,user2@proxy.server2.tld:port2 user@yourserver.tld

which sounds like what you're referring to.

More information on this in e.g. Section 6 on ProxyJump here or this page on ProxyJump from RedHat. In particular note that there are alternative formats, e.g. when the user:passwd are the same on each host (don't do that!). You can also put the info into a config file to avoid typing it out each time (though history is useful there).

Finally, there are other ways to achieve the same thing in SSH: -o proxycommand= and -q -W (the latter explained here on ExplainShell).

pbhj
  • 3,231
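
The two-hop `-J` command from the answer above, written as a config file and checked with `ssh -G` (an added example, not part of the original answer). The aliases `jump1`, `jump2`, `target` and the port numbers are constructed placeholders; the host names are the answer's own placeholders.

```sh
#!/bin/sh
# Added example: "ssh -J user1@hop1:port1,user2@hop2:port2 user@yourserver.tld"
# expressed as ssh_config entries. Aliases and ports are constructed.

write_jump_config() {   # $1 = path of the config file to create
    cat > "$1" <<'EOF'
Host jump1
    HostName proxy.server1.tld
    User user1
    Port 2201

Host jump2
    HostName proxy.server2.tld
    User user2
    Port 2202

# Hops are visited in the order listed, as with "ssh -J hop1,hop2 ...".
Host target
    HostName yourserver.tld
    User user
    ProxyJump jump1,jump2
EOF
    chmod 600 "$1"
}

# Print what ssh resolves for an alias; -G only dumps settings, it does
# not open a connection.
resolved() {            # $1 = config file, $2 = host alias
    ssh -G -F "$1" "$2" | grep -E '^(user|hostname|port|proxyjump) '
}

cfg=$(mktemp)
write_jump_config "$cfg"
echo "config written to $cfg"
if command -v ssh >/dev/null 2>&1; then
    resolved "$cfg" target || true
fi
```

Placed in `~/.ssh/config`, the same entries reduce the command to `ssh target`, and each hop authenticates with its own user and key rather than a shared password.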
3

As many of the comments suggest, the syntax ssh user1@user2@<one-ip-address>@<second-ip-address> does not lead to useful ssh behavior, and it has nothing to do with the jump host function.

Try the following:

  • On any system, connect with your current user to localhost:

    $ ssh localuser@localhost
    

    This will, as expected, open an ssh session on localhost.

  • Now try the same with the proposed syntax:

    $ ssh localuser@localhost@localuser@localhost
    localuser@localhost@localuser@localhost's password: 
    Permission denied, please try again.
    ...
    

    You will be asked for a password, but the system will not let you in, since the user localuser@localhost@localuser does not exist on the system.

    Also check the output of /var/log/auth.log:

    Aug 17 08:45:46 somehost sshd[73042]: Invalid user localuser@localhost@localuser from 127.0.0.1 port 44292
    Aug 17 08:45:48 somehost sshd[73042]: pam_unix(sshd:auth): check pass; user unknown
    Aug 17 08:45:48 somehost sshd[73042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 
    Aug 17 08:45:50 somehost sshd[73042]: Failed password for invalid user localuser@localhost@localuser from 127.0.0.1 port 44292 ssh2
    

Unless you create a user localuser@localhost@localuser on the system you want to connect to, this syntax won't work.

wovano
  • 107
Simon Sudler
  • 3,931
  • 1
    Indeed; I have verified this as well. I have a situation where I'm using this exact syntax without the -J (ProxyJump) flag and it appears that everything preceding that last @ is indeed simply treated as a username, even if there are multiple other @ symbols, and there may actually be an internal mechanism behind the scenes that works similarly to a proxy/bastion. This has proven useful for configuring .ssh/config to shorten the command. – patricknelson Nov 09 '23 at 19:55
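
The behaviour discussed in the second answer and its comment, as an added example that is not part of the original posts: a helper that splits a destination at the last `@`, and a filter that finds the resulting rejected logins in sshd logs. The function names and the `192.0.2.x` addresses are constructed; two of the log lines are taken from the answer's excerpt.

```sh
#!/bin/sh
# Added example (not from the original answers).

# Split a destination at the LAST '@', as the OpenSSH client does.
# Prints "user=<login name> host=<host to connect to>".
split_dest() {
    case "$1" in
        *@*) printf 'user=%s host=%s\n' "${1%@*}" "${1##*@}" ;;
        *)   printf 'user= host=%s\n' "$1" ;;
    esac
}

# Read sshd log lines on stdin and print "source-ip username" for each
# "Invalid user" entry whose rejected username contains an '@'.
at_usernames() {
    awk '{
        for (i = 1; i + 4 <= NF; i++)
            if ($i == "Invalid" && $(i+1) == "user" && $(i+3) == "from") {
                if (index($(i+2), "@")) print $(i+4), $(i+2)
                break
            }
    }'
}

# Sample input: the first two lines are from the answer's auth.log excerpt,
# the last line is constructed to show an ordinary wrong username being skipped.
sample_log() {
    cat <<'EOF'
Aug 17 08:45:46 somehost sshd[73042]: Invalid user localuser@localhost@localuser from 127.0.0.1 port 44292
Aug 17 08:45:50 somehost sshd[73042]: Failed password for invalid user localuser@localhost@localuser from 127.0.0.1 port 44292 ssh2
Aug 17 08:46:02 somehost sshd[73050]: Invalid user admin from 192.0.2.7 port 51514
EOF
}

split_dest 'user1@user2@192.0.2.10@192.0.2.20'
sample_log | at_usernames

# With OpenSSH installed, "ssh -G" prints the settings the real client would
# use, without connecting; its user/hostname lines show the same split.
if command -v ssh >/dev/null 2>&1; then
    ssh -G 'user1@user2@192.0.2.10@192.0.2.20' 2>/dev/null |
        grep -E '^(user|hostname) ' || true
fi
```

Entries flagged by `at_usernames` expose the user and host names someone meant to reach, so they are worth reviewing when they come from outside the expected client range.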