I followed instructions here carefully however I haven't get this working right. Here is what I did:

1. Run WinSCP enter Hostname (Elastic IP of my Instance)
2. enter username "ec2-user"
3. enter public key file
4. chose SCP for the protocol
5. Under SCP/Shell settings I chose "sudo su -"
6. Hit Login
7. WinSCP asks me for passphrase key, Hit OK
8. Shows up this error

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

NOTE: This works on Putty

WinSCP does not support commands that require terminal emulation or user input.

See: http://winscp.net/eng/docs/remote_command#limitations

Since sudo su - expects a password, it wouldn't work.

There is a way around it: make root logon without being prompted for a password. You can do this by editing your sudoers file usually located at /etc/sudoers and adding:

root ALL=NOPASSWD: ALL

Needless to say, this is Not a Very Good Thing To Do - for reasons which should be obvious :)

With credit to this post and this AWS forum thread, it seems the trick is to comment out Defaults requiretty in sudoers. My procedure now:

1. Log in to your EC2 instance using Putty.
2. Run sudo visudo, a special command to edit /etc/sudoers.
3. Press the Insert key to start Insert mode.
4. Find the line Defaults requiretty. Insert a hash symbol (#) before that line to comment it out:
   #Defaults requiretty
5. Press the Esc key to exit Insert mode.
6. Type :wq to write the file and quit visudo.

In WinSCP:

1. Under Advanced > Environment > SCP/Shell, change the Shell to sudo su -.
2. Under SSH > Authentication, choose your Private key file (.ppk file).

I was having the same problem and solved it using the steps in this tutorial. I would have posted it here, but I don't have enough rep for images/screens.

http://cvlive.blogspot.de/2014/03/how-to-login-in-as-ssh-root-user-from.html

The following tutorial worked for me and provides helpful screenshots. Logging in as a regular user with sudo permissions just required tweaking a few WinSCP options. http://cvlive.blogspot.de/2014/03/how-to-login-in-as-ssh-root-user-from.html

Set Session/File protocol to: SCP, enter host/instance ip, port - usually 22, and regular username. Enter password credentials if the login requires it. Add Advanced/SSH/Authentication/Private key file.

Unchecking Advanced/SSH/Authentication/attempt "keyboard interactive" authentication should allow Advanced/Environment/SCP Shell/Shell/Shell: sudo su - to provide sudo permissions for accessing webserver directories as a non-owner user.

Update 08/03/2017

WinSCP logging can be helpful to troubleshoot issues: https://winscp.net/eng/docs/logging

[WinSCP] Logging can be enabled from Logging page of Preferences dialog. Logging can also be enabled from command-line using /log and /xmllog parameters respectively, what is particularly useful with scripting. In .NET assembly, session logging is enabled using Session.SessionLogPath1).

Depending on WinSCP connection errors, some server installations may need a directive added to the (Ubunto, CentOS, other-Linux-Server) /etc/sudoers file to not require TTY for a specified user. Creating a file in /etc/sudoers.d/ (using a tool such as Amazon Command Line Interface or PuTTY) may be a better option than editing /etc/sudoers. Some /etc/sudoers versions recommend it:

This file MUST be edited with the 'visudo' command as root. Please consider adding local content in /etc/sudoers.d/ instead of directly modifying this file. See the man page for details on how to write a sudoers file.

When editing a sudoers file (as root) through the command-line, the 'visudo' command should be used to open the file as it will parse the file for syntax errors. /etc/sudoers.d/ files are typically owned by root and chmoded with minimal permissions. The default /etc/sudoers file may be referenced as it should automatically have recommended chmod permissions on installation. e.g.: 0440 r--r----- .

https://superuser.com/a/869145 :

visudo -f /etc/sudoers.d/somefilename

Defaults:username !requiretty 

Helpful Links:

• Stackoverflow: cloud-init how to add default user to sudoers.d
  • https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos

WinSCP Forum:

• https://winscp.net/forum/viewtopic.php?t=3046
• https://winscp.net/forum/viewtopic.php?t=2109

WinSCP Doc: https://winscp.net/eng/docs/faq_su

With SCP protocol, you can specify following command as custom shell on the SCP/Shell page of Advanced Site Settings dialog:

sudo -s

[...]

Note that as WinSCP cannot implement terminal emulation, you need to have sudoers option requiretty turned off.

Instructions in Ubuntu Apache /etc/sudoers recommend adding directives to /etc/sudoers.d rather than editing /etc/sudoers directly. Depending on the installation, adding directive to /etc/sudoers.d/cloud-init may work as well.

It may be helpful to create an SSH test user with sudo permissions by following the steps provided in instance documentation to ensure that the user has recommended instance settings and any updates to server sudoer files can be effected and removed without affecting other users.

Under SCP/Shell settings, instead of "sudo su -", choose /bin/bash.

It should work.