Comment 1 for bug 1299201

Our policy covers only active sessions:

  <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>

per polkit documentation, SSH counts as an "inactive" session:

" Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. allow_any is the setting encompassing both scenarios. ".

However, I found that I have to make allow_any "auth_admin_keep" for this to work over SSH. This may need some more fiddling but apparently it's possible to solve with some policy settings.