On Thu, Jun 11, 2009 at 05:47:29PM -0400, Jim Paris wrote:
> Hi,
> I have libvirt 0.6.4 running kvm instances on a headless server.
> I'm using virt-manager 0.7.0 to manage them. In the past, I would SSH
> in and run virt-manager as root. Since running GTK apps as root is no
> good, I've switched to policykit authentication. By default, the
> libvirt policy only allows management if the user is in the active
> host session, which isn't the case with my SSH logins. Therefore
> I've added an override in /etc/PolicyKit/PolicyKit.conf:
>
>   <match action="org.libvirt.unix.manage">
>     <return result="auth_admin_keep_session"/>
>   </match>
>
> Now things generally work fine when SSHed in:
> - as root, virsh gives ro and rw access with no password
> - as jim, virsh gives ro access with no password, but requests a password for rw
> - as jim, virsh asks for a password for rw access
>
> But when accessing remotely, I get no useful error, and a hang:
>
>   $ virsh -c qemu+ssh://jim@server/system
>   libvir: Remote error : authentication failed
>   <process hangs here>
>
>   $ virsh --readonly -c qemu+ssh://jim@server/system
>   libvir: Remote error : authentication failed
>   <process hangs here>
>
> Furthermore, on the server, this leaves "nc" processes running,
> and eventually there are enough that libvirtd stops accepting new
> connections.

The hang is really odd. That suggests something is not closing the
socket connection properly. If you had been using 0.6.1/.2/.3 I
would have said it was one of the libvirtd bugs, but 0.6.4 has all
event handling bugs fixed. Perhaps the libvirtd client is not
killing the SSH session / process when it closes the connection
after auth failure.

> I was also getting strange errors including:
>   polkit-grant-helper: given auth type (8 -> yes) is bogus
> but now I can't reproduce that for the life of me, I have no idea what
> changed.
>
> Is policykit authentication supposed to work over qemu+ssh?

Yes, but only if you ssh as root such that policykit is a no-op.
The problem you are seeing is because you SSH as non-root. PolicyKit
relies on ConsoleKit to determine who is authorized, and SSH does not
register ConsoleKit Sessions.

> I was hoping it would at least not break the --readonly case.

That all said --readonly is intended to work at all times. Our default
policy file includes a rule <allow_any>yes</allow_any> which is telling
policykit to allow access even if the client is not associated with
any ConsoleKit session. So this should have allowed it to work for
you with --readonly.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
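As an added illustration (not part of the thread), a small Python model of the PolicyKit 0.9 decision the reply describes: a PolicyKit.conf <return> override applies regardless of session, otherwise the action's .policy defaults are consulted, and a caller with no ConsoleKit session (an SSH login) only ever gets the allow_any default. The .policy defaults below are constructed to match what the reply says about the libvirt policy (allow_any yes for monitoring, not for management), and the root shortcut models "policykit is a no-op" for root.

```python
"""Model of PolicyKit 0.9 authorization as described in the thread:
a <return result=.../> override in PolicyKit.conf wins outright; otherwise
the action's <defaults> apply, and which default is consulted depends on
whether the caller has a ConsoleKit session (SSH logins have none)."""
import xml.etree.ElementTree as ET

# Constructed .policy defaults for the two libvirt actions (assumed, not
# copied from the thread; only the monitor allow_any=yes rule is stated there).
POLICY_XML = """<policyconfig>
  <action id="org.libvirt.unix.monitor">
    <defaults><allow_any>yes</allow_any><allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.libvirt.unix.manage">
    <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active></defaults>
  </action>
</policyconfig>"""

# Jim's PolicyKit.conf override from the thread, wrapped in a root element.
CONF_XML = """<config>
  <match action="org.libvirt.unix.manage">
    <return result="auth_admin_keep_session"/>
  </match>
</config>"""

def load_defaults(policy_xml):
    """Map action id -> {allow_any, allow_inactive, allow_active}."""
    out = {}
    for act in ET.fromstring(policy_xml).iter("action"):
        out[act.get("id")] = {c.tag: c.text.strip() for c in act.find("defaults")}
    return out

def load_overrides(conf_xml):
    """Map action id -> forced result from PolicyKit.conf <match>/<return>."""
    return {m.get("action"): m.find("return").get("result")
            for m in ET.fromstring(conf_xml).iter("match")}

def authorize(action, uid, session, policy_xml=POLICY_XML, conf_xml=CONF_XML):
    """session is 'active', 'inactive' or None (no ConsoleKit session, e.g. SSH).
    Returns the PolicyKit result: 'yes', 'no' or an auth_* requirement."""
    if uid == 0:
        return "yes"  # libvirtd does not consult PolicyKit for root
    overrides = load_overrides(conf_xml)
    if action in overrides:
        return overrides[action]  # override ignores session state entirely
    key = {"active": "allow_active", "inactive": "allow_inactive"}.get(session, "allow_any")
    return load_defaults(policy_xml)[action][key]
```

Note that the override turns "no" into an authentication requirement, not into "yes": a non-root SSH caller still has to satisfy auth_admin_keep_session, while --readonly (the monitor action) is granted without any session.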