[libvirt] problems with remote authentication with policykit

Jim Paris jim at jtan.com
Thu Jun 11 21:47:29 UTC 2009


Hi,

I have libvirt 0.6.4 running kvm instances on a headless server.
I'm using virt-manager 0.7.0 to manage them.  In the past, I would SSH
in and run virt-manager as root.  Since running GTK apps as root is no
good, I've switched to policykit authentication.  By default, the 
libvirt policy only allows management if the user is in the active
host session, which isn't the case with my SSH logins.  Therefore
I've added an override in /etc/PolicyKit/PolicyKit.conf:

  <match action="org.libvirt.unix.manage">
    <return result="auth_admin_keep_session"/>
  </match>

Now things generally work fine when SSHed in:
- as root, virsh gives ro and rw access with no password
- as jim, virsh gives ro access with no password, but requests a password for rw
- as jim, virsh asks for a password for rw access

But when accessing remotely, I get no useful error, and a hang:

$ virsh -c qemu+ssh://jim@server/system
libvir: Remote error : authentication failed
<process hangs here>

$ virsh --readonly -c qemu+ssh://jim@server/system
libvir: Remote error : authentication failed
<process hangs here>

Furthermore, on the server, this leaves "nc" processes running,
and eventually there are enough that libvirtd stops accepting new
connections.

I was also getting strange errors including:
  polkit-grant-helper: given auth type (8 -> yes) is bogus
but now I can't reproduce that for the life of me, I have no idea what
changed.  

Is policykit authentication supposed to work over qemu+ssh?
I was hoping it would at least not break the --readonly case.

-jim
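
Added example, not part of the original post and not libvirt or PolicyKit code: a short Python audit that lists every PolicyKit.conf override applying to org.libvirt.unix.manage and shows whether it is limited to one user. The sample config, its user-scoped variant and the function names are constructed for illustration, and the use of Python's re for pattern matching is an assumption.

```python
import re
import xml.etree.ElementTree as ET

ACTION = "org.libvirt.unix.manage"  # action id taken from the post

# Constructed sample: the post's override first, then a hypothetical variant
# scoped to one account with an enclosing <match user="...">.
SAMPLE_CONF = """<config version="0.1">
  <match action="org.libvirt.unix.manage">
    <return result="auth_admin_keep_session"/>
  </match>
  <match user="jim">
    <match action="org.libvirt.unix.manage">
      <return result="auth_admin_keep_session"/>
    </match>
  </match>
</config>"""


def find_overrides(conf_text, action=ACTION):
    """List (user_scope, result) for every <return> that applies to `action`.

    user_scope is None when no enclosing <match> restricts the user, meaning
    the override applies to every account on the host.
    """
    found = []

    def walk(node, user):
        for child in node:
            if child.tag == "return":
                found.append((user, child.get("result")))
            elif child.tag == "match":
                pattern = child.get("action")
                # Assumption: patterns are unanchored regexes; Python's re
                # stands in for the POSIX ERE syntax PolicyKit.conf uses.
                if pattern is None or re.search(pattern, action):
                    walk(child, child.get("user", user))

    walk(ET.fromstring(conf_text), None)
    return found


def unscoped(overrides):
    """Overrides that are not limited to a particular user."""
    return [o for o in overrides if o[0] is None]


if __name__ == "__main__":
    for user, result in find_overrides(SAMPLE_CONF):
        print(f"{ACTION}: result={result} user={user or 'ANY (unscoped)'}")
```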



