SCP(secure copy) depends on SSH for security which makes it a secure way of copying files.  To make it work we need to configure authentication, authorization, and accounting (AAA) on the router for it to check the privilege level of user.  If it’s not configured and you are trying to copy files from the router you will get the privilege denied error.   

Here is an example where I am trying to copy a file <mycap.pcap> using scp from an ubuntu host when AAA is not configured on the router.

ubuntu@net:~$ scp cisco@ /home/ubuntu/newcap.pcap

Privilege denied.
Connection to closed by remote host.

Lets configure AAA on the router and see if it works.

router-gns3#conf t
router-gns3(config)#aaa authentication login default local
router-gns3(config)#aaa authorization exec default local 
router-gns3(config)#aaa accounting exec default

And now, let’s copy the file newcap.pcap in the router’s flash using scp

ubuntu@net:~$ scp cisco@ /home/ubuntu/newcap.pcap

newcap.pcap                       100%  213KB  53.7KB/s   00:03