per polkit documentation, SSH counts as an "inactive" session:
" Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. allow_any is the setting encompassing both scenarios. ".
However, I found that I have to make allow_any "auth_admin_keep" for this to work over SSH. This may need some more fiddling but apparently it's possible to solve with some policy settings.
Our policy covers only active sessions:
<defaults> allow_any> no</allow_ any> allow_inactive> no</allow_ inactive> allow_active> auth_admin_ keep</allow_ active>
<
<
<
</defaults>
per polkit documentation, SSH counts as an "inactive" session:
" Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. allow_any is the setting encompassing both scenarios. ".
However, I found that I have to make allow_any "auth_admin_keep" for this to work over SSH. This may need some more fiddling but apparently it's possible to solve with some policy settings.