I recently set up a local Paperless-ngx instance to manage the unending stream of paper documents I have to deal with.
As a part of this setup, I bought a Brother ADS-3300W, a Wi-Fi duplex scanner with an automatic document feeder that scans and uploads documents to an SFTP server (among other things).
The SFTP server I set up is a simple Alpine container running OpenSSH that mounts the same directory that Paperless is monitoring for documents, so when the scanner uploads files to the SFTP server, Paperless can start consuming them automatically.
The problem was that the scanner couldn’t connect to the SFTP server.
It took me a few hours to find out what was wrong.
Warning
Both of the solutions described below involve adding obsolete and deprecated settings to the SSH server.
This is necessary because the scanner has an old SSH client which we cannot upgrade, so these settings should not be used in a production environment.
I recommend spinning up a completely separate SSH server just for the scanner (that’s what I did) and locking it down as much as possible depending on your threat model.
Error #1 “no matching host key type found. Their offer: ssh-rsa [preauth]”
The full error is
Unable to negotiate with <IP> port <PORT>: no matching host key type found. Their offer: ssh-rsa [preauth]
The solution to this error is adding RSA to the list of accepted host key algorithms by adding this to your sshd_config:
HostKeyAlgorithms +ssh-rsa
ssh-rsa is a relic; it has been deprecated in newer SSH implementations due to security concerns. Modern systems typically use stronger algorithms such as rsa-sha2-256 and rsa-sha2-512, but we have no other choice here because we can't update the SSH client on the scanner.
This fixes the first error, and then we get to the second one.
Error #2 “userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]”
The full error is
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Edit the sshd_config again and add this line:
PubkeyAcceptedAlgorithms=+ssh-rsa
This is also a deprecated relic, so the same warnings and precautions as above apply here too.
Restart the SSH server, and your scanner should be able to connect now.
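Following the warning's advice to run a separate, locked-down SSH server for the scanner, here is one possible sshd_config for such a container. This is an added example, not the author's configuration; the user name scanner and the chroot path /data are assumptions.

```conf
# sshd_config for a scanner-only SFTP container (added example).
# Assumed names: user "scanner", chroot directory /data.

# Legacy algorithms required by the scanner's old SSH client
# (the two fixes from this post).
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

# Only the scanner account may log in, and only with its key.
PermitRootLogin no
AllowUsers scanner
AuthenticationMethods publickey
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3

# SFTP only: no shell, no terminal, no tunnelling of any kind.
Subsystem sftp internal-sftp
ForceCommand internal-sftp
PermitTTY no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Confine the session to the upload area. sshd requires the chroot
# directory itself to be owned by root and not writable by anyone else,
# so the directory Paperless consumes from has to be a subdirectory
# that the scanner user can write to.
ChrootDirectory /data
```

Run sshd -t to validate the file before restarting the server.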
Cheers