When moving to a new home server I also needed to connect my Brother ADS-1700W document scanner to the new Debian 12-based machine, which turned out to be harder than I expected.
When a button on its UI is pressed, the scanner should upload the PDFs to the paperless-ngx instance on my home server. The ADS-1700W supports SFTP uploads, which can be configured via its web interface.
Until all problems were solved, the "connection test" showed the following (German) error message:
Profil 1 (SFTP)
Test: Fehler
Authentifizierungsfehler.
Diese Meldung wird angezeigt, wenn Ihre Authentifizierungseinstellungen nicht ordnungsgemäß konfiguriert sind.
Prüfen Sie Folgendes:
* Benutzername ist korrekt.
* Kennwort ist korrekt. (Wenn Kennwort als Auth.-Methode ausgewählt ist.)
* Ausgewähltes Client-Schlüsselpaar ist korrekt. (Wenn Client-Schlüssel als Auth.-Methode ausgewählt ist.)
* Ausgewählter öffentlicher Serverschlüssel ist korrekt.
Host key
Each SFTP profile has a server public key, which needs to be uploaded first. I used the following file from my server: /etc/ssh/ssh_rsa_host_key.pub.
Using ssh_host_ed25519_key.pub did not work; the scanner firmware did not accept the key file. (The RSA file gave an error at first, but was accepted when uploading it a second time.)
The scanner was not able to connect to my server with that host key though. journalctl showed:
sshd[6275]: Unable to negotiate with 192.168.3.53 port 59954: no matching host key type found. Their offer: ssh-rsa [preauth]
The OpenSSH server in Debian 12 by default no longer offers the ssh-rsa host key algorithm (RSA signatures with SHA-1) and prefers other key types, so I had to allow it in the sshd configuration:
HostKeyAlgorithms +ssh-rsa
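An added example (not part of the original post): a small Python parser for sshd's "Unable to negotiate" journal lines like the one above, which lists per client the sshd_config keyword involved and the algorithms that client offered. It generalizes from the host key case to key exchange, cipher and MAC failures; apart from the scanner's log line, the sample lines and the address 192.0.2.10 are constructed.

```python
import re
from collections import defaultdict

# sshd's wording for each negotiation failure -> sshd_config keyword governing it
DIRECTIVE = {
    "host key type": "HostKeyAlgorithms",
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

LINE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<ip>\S+) port \d+: "
    r"no matching (?P<kind>[^.]+?) found\. Their offer: (?P<offer>\S+)"
)

def legacy_clients(log_lines):
    """Return {client IP: {sshd_config keyword: set of algorithms it offered}}."""
    found = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LINE.search(line)
        if m and m["kind"] in DIRECTIVE:
            found[m["ip"]][DIRECTIVE[m["kind"]]].update(m["offer"].split(","))
    return {ip: dict(needs) for ip, needs in found.items()}

def report(log_lines):
    """One line per client and keyword; the server needs only ONE offered algorithm."""
    out = []
    for ip, needs in sorted(legacy_clients(log_lines).items()):
        for keyword, algos in sorted(needs.items()):
            out.append(f"{ip}: {keyword}, client offers: {', '.join(sorted(algos))}")
    return out

# First line is the one from the post; the other two are constructed samples.
SAMPLE = [
    "sshd[6275]: Unable to negotiate with 192.168.3.53 port 59954: "
    "no matching host key type found. Their offer: ssh-rsa [preauth]",
    "sshd[6301]: Unable to negotiate with 192.0.2.10 port 40112: no matching key "
    "exchange method found. Their offer: diffie-hellman-group1-sha1,"
    "diffie-hellman-group14-sha1 [preauth]",
    "sshd[6310]: Accepted publickey for scanner-upload from 192.168.3.53 port 59960 ssh2",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the output of journalctl for the ssh unit to see which devices on the network still depend on legacy algorithms before widening the server's defaults.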
SFTP subsystem
Test connections from my laptop to the restricted "scanner-upload" account with scp did not work at first:
$ scp -v empty.ini scanner-upload@paperless.home.cweiske.de:/
Executing: program /usr/bin/ssh host paperless.home.cweiske.de, user scanner-upload, command sftp
[...]
debug1: Sending subsystem: sftp
[...]
Transferred: sent 4336, received 3568 bytes, in 0.3 seconds
Bytes per second: sent 13255.8, received 10907.9
debug1: Exit status 1
scp: Connection closed
There was no indication in the server logs, even when setting LogLevel VERBOSE.
A CentOS forum post by edwardsmarkf gave me a solution: Change the SFTP subsystem from /usr/libexec/openssh/sftp-server to internal-sftp.
Subsystem sftp internal-sftp
Success
With these two configuration changes the scanner could upload files!