I'm trying to debug a PolicyKit auth issue in libvirt and looking for
some suggestions.

Server has the following policy for user ski52 in
/etc/PolicyKit/PolicyKit.conf:

    <match action="org.libvirt.unix.manage">
      <match user="ski52">
        <return result="auth_self_keep_always"/>
      </match>
    </match>

I can authenticate via polkit when logged directly into server via ssh
as ski52:

    ski52@vhost52:~> virsh -c qemu:///system list
    Attempting to obtain authorization for org.libvirt.unix.manage.
    Authentication is required.
    Password:
    Successfully obtained the authorization for org.libvirt.unix.manage.
    Id Name State
    ----------------------------------
    33 vm1 running

But when using qemu+ssh remotely:

    ski53@vhost53:~> virsh -c qemu+ssh://ski52@vhost52/system list
    Attempting to obtain authorization for org.libvirt.unix.manage.
    Authentication as an administrative user is required.
    Password:
    polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
    Failed to obtain authorization for org.libvirt.unix.manage.
    error: authentication failed
    error: failed to connect to the hypervisor

AFAICT by tracing with gdb, the client calls polkit-auth *locally* when
authentication is needed, instead of invoking polkit-auth on the
server. This backtrace from gdb on the client machine shows
'polkit-auth --obtain' being called locally from virConnectAuthGainPolkit():

    #0 virConnectAuthGainPolkit (privilege=0x7ffff7b8b3ba
       "org.libvirt.unix.manage") at libvirt.c:111
    #1 0x00007ffff7a912a3 in virConnectAuthCallbackDefault
       (cred=0x7fffffffdd20, ncred=1, cbdata=0x0)
       at libvirt.c:149
    #2 0x00007ffff7ac367f in remoteAuthPolkit (conn=0x63ec10,
       priv=0x7ffff7e25010, in_open=1,
       auth=0x7ffff7dc9bc0) at remote/remote_driver.c:7431
    #3 0x00007ffff7ac1d8d in remoteAuthenticate (conn=0x63ec10,
       priv=0x7ffff7e25010, in_open=1,
       auth=0x7ffff7dc9bc0, authtype=0x0) at remote/remote_driver.c:6864
    #4 0x00007ffff7ab5936 in doRemoteOpen (conn=0x63ec10,
       priv=0x7ffff7e25010, auth=0x7ffff7dc9bc0, flags=0)
       at remote/remote_driver.c:854
..

Has anyone else observed such behavior? Any hints on how to forward the
polkit-auth call to the server? Both client and server are libvirt
0.8.5 btw.

Regards,
Jim