权限被拒绝使用scp将文件从Mac OS复制到Amazon EC2实例时出错

Question

I have read several StackOverflow articles on this problem and googled other sources with no luck. I've checked AWS documentation and can't resolve the issue. I have been working on this for several hours and am really stuck.

I've found articles referring to similar problems but the issue looks to always be a typo or mistake on the user's part. In my case, I'm confident I have ensured there are no typos or errors in what I'm doing.

I'm using Mac OS X Yosemite to connect to my AWS EC2 instance. I cannot scp files from my local machine to my instance, but I have been able to in the past, I believe before I upgraded to Yosemite (although I'm not 100% certain about before or after the upgrade). Regardless, I'm now getting a permission denied error.

I am able to ssh just fine into my instance. I do so like this:

ssh -i mykey.pem ec2-user@myEC2host.myzone.compute.amazonaws.com

Everything works fine with the ssh . But when I attempt scp like this:

scp —i mykey.pem ~/Sites/test.html ec2-user@myEC2host.myzone.compute.amazonaws.com:/var/www/html/

I get the following error:

Permission denied (publickey). lost connection

I've been trying this for hours and have confirmed the following:

1. I CAN ssh in just fine.
2. My .pem file has 400 permissions and is not viewable to the world.

3. I have correct permissions and ownership in the /var/www and /var/www/html folders

   (I went through the amazon setup tutorial again and ensured I used all permission settings as they described. My user is part of the group with access to those folders.

When I run the scp -v command I can see that scp does not appear to be even trying to use the specified Identity file. I get the following output:

(Notice the program being executed has dropped the -i from the scp command)

Executing: program /usr/bin/ssh host myEC2host.myzone.compute.amazonaws.com, user ec2-user, command scp -v -d -t /var/www/html/
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to myEC2host.myzone.compute.amazonaws.com [public AWS ip] port 22.
debug1: Connection established.
debug1: identity file /Users/myusername/.ssh/id_rsa type -1
debug1: identity file /Users/myusername/.ssh/id_rsa-cert type -1
debug1: identity file /Users/myusername/.ssh/id_dsa type -1
debug1: identity file /Users/myusername/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA  {some hex output}
debug1: Host 'myEC2host.myzone.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/myusername/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/myusername/.ssh/id_rsa
debug1: Trying private key: /Users/myusername/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
lost connection

However, when I run ssh -v I get the following output which DOES immediately use the correct Identify file:

ssh -v -i mykey ec2-user@myEC2host.myzone.compute.amazonaws.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to myEC2host.myzone.compute.amazonaws.com [54.69.211.59] port 22.
debug1: Connection established.
debug1: identity file mykey.pem type -1
debug1: identity file mykey.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA {some hex output}
debug1: Host 'myEC2host.myzone.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/myusername/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: mike.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to myEC2host.myzone.compute.amazonaws.com ([myEC2IP]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_CA.UTF-8

I'm not sure what else to try or how I might be able to resolve this. I'm hoping somebody will have the same environment and can confirm the issue or supply a resolution.

Thanks in advance!

Answer 1

scp —i mykey.pem ~/Sites/test.html ec2-user@myEC2host.myzone.compute.amazonaws.com:/var/www/html/
Executing: program /usr/bin/ssh host myEC2host.myzone.compute.amazonaws.com, user ec2-user, command scp -v -d -t /var/www/html/

The dash in your scp —i... command is a unicode EM dash, not an ASCII dash. Scp isn't interpreting it as a command-line option.

In fact it interpreted "—i", "mykey.pem", and "~/Sites/test.html" as three files to be copied. You can tell this because scp added "-d" to the command line for the remote scp instance. The "-d" flag tells the remote scp instance that the target has to be a directory. scp adds that flag to the remote command when it's copying more than one file, but not for copying a single file.

Maybe you copied the scp command from a word processing document? Microsoft Word is notorious for changing dashes and quote marks to typesetting versions. It's something to be careful about.

Answer 2

Kenster correctly pointed out that the dash in the -i in my code was in fact converted to an EMdash prior to my pasting it into Terminal. :-s

Retyping the entire command corrected the issue.

Thanks for catching my oversight.