I'm attempting to remote connect to my KVM instance using virsh, but all the commands hang. When issuing the below command, nothing on the remote system happens, and no errors are displayed, (hostname changed) $ virsh --debug 5 --log /var/lib/foreman/virsh.log -c qemu+ssh://foreman@kvmhost.tld:16509/system?no_tty=1 This is the uncommented lines in /etc/libvirt/libvirtd.conf ---------- listen_tls = 0 listen_tcp = 1 listen_addr = "<omitted, set to management NIC>" log_level = 1 log_filters="1:remote 1:event 1:qemu" log_outputs="1:syslog:libvirtd 1:file:/var/log/libvirt/libvirtd.log" This is the only debug output I get in /var/log/libvirt/libvirtd.log during the remote connection attempt ----------- 17:56:04.579: debug : virEventRunOnce:595 : Poll got 1 event 17:56:04.580: debug : virEventDispatchTimeouts:405 : Dispatch 3 17:56:04.580: debug : virEventDispatchHandles:450 : Dispatch 10 17:56:04.580: debug : virEventDispatchHandles:464 : i=0 w=1 17:56:04.580: debug : virEventDispatchHandles:464 : i=1 w=2 17:56:04.580: debug : virEventDispatchHandles:464 : i=2 w=3 17:56:04.580: debug : virEventDispatchHandles:464 : i=3 w=4 17:56:04.580: debug : virEventDispatchHandles:464 : i=4 w=5 17:56:04.580: debug : virEventDispatchHandles:464 : i=5 w=6 17:56:04.580: debug : virEventDispatchHandles:464 : i=6 w=7 17:56:04.580: debug : virEventDispatchHandles:464 : i=7 w=8 17:56:04.580: debug : virEventDispatchHandles:477 : Dispatch n=7 f=13 w=8 e=1 0x1629640 17:56:04.580: debug : virEventAddHandleImpl:113 : Add handle fd=20 events=1 cb=0x4196e0 opaque=0x1629640 17:56:04.580: debug : virEventInterruptLocked:664 : Skip interrupt, 1 -1447459072 17:56:04.580: debug : virEventDispatchHandles:464 : i=8 w=9 17:56:04.580: debug : virEventDispatchHandles:464 : i=9 w=10 17:56:04.580: debug : virEventCleanupTimeouts:495 : Cleanup 3 17:56:04.580: debug : virEventCleanupHandles:536 : Cleanupo 11 17:56:04.580: debug : virEventCleanupTimeouts:495 : Cleanup 3 17:56:04.580: debug : virEventCleanupHandles:536 : Cleanupo 11 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=0 w=1, f=5 e=1 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=1 w=2, f=7 e=1 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=2 w=3, f=14 e=1 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=3 w=4, f=15 e=1 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=4 w=5, f=17 e=25 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=5 w=6, f=18 e=25 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=6 w=7, f=19 e=25 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=7 w=8, f=13 e=25 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=8 w=9, f=12 e=25 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=9 w=10, f=11 e=25 17:56:04.580: debug : virEventMakePollFDs:373 : Prepare n=10 w=15, f=20 e=1 17:56:04.580: debug : virEventCalculateTimeout:314 : Calculate expiry of 3 timers 17:56:04.580: debug : virEventCalculateTimeout:344 : Timeout at 0 due in -1 ms 17:56:04.580: debug : virEventRunOnce:593 : Poll on 11 handles 0x7f35a4001240 timeout -1 I've already opened up the firewall for port 16509, and allowed the user foreman (member of libvirt_admin) to manage libvirt via PolicyKit Relevant line in iptables, 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:16509 /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla ----------- [libvirt Remote Access] Identity=unix-group:libvirt_admin Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes ResultActive=yes Originally I had created the file /etc/polkit-1/localauthority/50-local.d/51-libvirt-foreman-remote-access.pkla with contents below, and had the file 50-libvirt-remote-access.pkla only allowing a single user. /etc/polkit-1/localauthority/50-local.d/51-libvirt-foreman-remote-access.pkla ---------- [libvirt Foreman Remote Access] Identity=unix-user:foreman Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes ResultActive=yes However I wasn't able to connect to libvirt on the host itself, and the logs indicated it was a PolicyKit block, so my second problem/question...Is it possible to have multiple local PolicyKit *.pkla files or can only one exist? From the documentation here, http://wiki.libvirt.org/page/SSHPolicyKitSetup, it seems like so long as the names are unique then multiple would be allowed. Reason that's key is I'm using Puppet and will have multiple servers/applications needing access and being restricted to a single file to manage will be a problem. Connecting locally with a specific pkla for "foreman"... ----------- $ virsh -c qemu:///system error: authentication failed error: failed to connect to the hypervisor /var/log/libvirt/libvirtd.log --------- 17:50:06.102: debug : virRunWithHook:914 : Command stderr: Not authorized. 17:50:06.103: error : remoteDispatchAuthPolkit:3810 : Policy kit denied action org.libvirt.unix.manage from pid 29640, uid 503, result: 256 Thanks - Trey