How to SCP keypairs from one Amazon EC2 instance to another instance

amazon-ec2 scp

I am trying to SCP cert. between my two instances and am having some trouble. Here is what I am entering.

[ec2-user@ip-xxx-xx-xx-xx ~] scp -i .ssh/key.pem /root/.ssh/


/root/.ssh/ Permission denied

I tried sudo but EC2 tells me to log in as ec2-user in order to use this command. What am I doing wrong?

Best Answer

There are two sets of permissions to consider in your scenario - the one on the local machine and the one on the remote machine. The ec2-user does not have permissions to access the /root folder on the local machine. Using sudo resolves that. However, you log in to the remote machine as a non-root user, and there you do not have permissions to write to the /root folder. That is the cause of the error you are seeing. (You could probably confirm this by adding the -v flag to your scp command).

There are at least two ways in which you can solve this:

  1. The easy way:

    SCP your file to a directory on the remote machine that you have write permissions for (home directory (~/) should be good; if it doesn't, the /tmp directory will almost certainly work, but is less secure), and then SSH in and move the file.

    sudo scp -i /root/path/to/keypair.pem /root/path/to/local_file
    ssh  -i /root/path/to/keypair.pem
    sudo mv ~/path/to/remote_file /root/path/to/remote_file

  2. The harder way:

    It is possible to transfer a file over SSH, and to execute sudo on the remote machine using this SSH connection, however, the remote machine needs to allow it. By default on Amazon's Linux (which it appears you are running from your user name), you cannot run sudo without a tty. To change this, on the remote machine, run visudo and comment out Defaults requiretty (line 56), and save the file. After that, you can either:

    Pipe your key through SSH (note, you still need sudo to read the local file):

    sudo cat /root/path/to/local_file | ssh -v -i /root/path/to/keypair.pem "sudo bash -c 'cat - > /root/path/to/remote_file'"

    Or, redirect your key through SSH (sudo only applies to the first part of the command, so you either need to become root, or put the entire command in a script and use sudo):

    sudo -i
    ssh -i /root/path/to/keypair.pem sudo sh -c '"cat > /root/path/to/remote_file"' < /root/path/to/local_file

(Some programs do seem to be able to 'sudo after login over scp' (e.g. WinSCP), however I don't know of any way to run a command over scp - perhaps SSH is used to transfer the file in those scenarios)

The other way is to allow root logins on the remote machine, and then log in directly as root over SCP (still using sudo locally). Undo whatever changes you make with visudo once you are done with them.
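
The receiving end of the pipe from the answer, as an added example that is not part of the original answer: instead of a bare `cat - > file`, it writes stdin to a private temporary file (umask 077), compares a SHA-256 digest computed on the sender, and only then renames the file into place with mode 600. It goes slightly beyond the answer by adding the digest check; the function name `install_secret`, the digest argument and the demo paths are assumptions.

```bash
#!/bin/sh
# Added example, not from the original answer.
# install_secret DEST SHA256  reads the key material from stdin.
# On the remote machine this would run under sudo in place of
# "cat - > /root/path/to/remote_file"; the digest comes from the sender
# (e.g. sudo sha256sum /root/path/to/local_file).

install_secret() (            # body is a subshell: umask and variables stay local
    dest=$1
    want=$2
    dir=$(dirname -- "$dest")
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; exit 1; }

    umask 077                 # temp file is never group/world readable
    tmp=$(mktemp "$dir/.incoming.XXXXXX") || exit 1

    # Remove the temp file on every failure path so no partial key is left.
    fail() { rm -f -- "$tmp"; echo "$1" >&2; exit "$2"; }

    cat > "$tmp" || fail "write failed" 1
    got=$(sha256sum < "$tmp" | cut -d' ' -f1)
    [ "$got" = "$want" ] || fail "digest mismatch, not installing" 2

    # Same directory as DEST, so the rename is atomic: readers see the old
    # file or the complete new one, never a truncated transfer.
    chmod 600 -- "$tmp" && mv -f -- "$tmp" "$dest" || fail "install failed" 1
)

# Constructed demo: run this file with the argument "demo" to exercise the
# function in a scratch directory (sample data, not a real key).
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'constructed sample key material\n' > "$d/src"
    sum=$(sha256sum < "$d/src" | cut -d' ' -f1)
    install_secret "$d/id_sample" "$sum" < "$d/src" && ls -l "$d/id_sample"
    rm -rf "$d"
fi
```

A truncated or altered transfer fails the digest comparison and leaves the destination untouched, which the plain redirect in the answer cannot guarantee.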