Software token logs itself out on the Security Server

 Problem

On the Security Server, software token randomly logs itself out which makes the Security Server unable to process messages. Even if the autologin add-on is installed, the token isn't logged in again automatically. Also, the signer log (/var/log/xroad/signer.log) doesn't contain any entries regarding the log out event.

 Solution

The problem is caused by the use of the xroad user for an interactive login (via the admin UI or ssh), e.g., establish an ssh connection to the Security Server using the xroad user. When the user then logs out, systemd clears the IPC resources owned by the user (including the PIN storage), which causes the silent logout. By default, the installer creates the xroad as a system user, which should prevent the IPC being cleared. However, the Ansible playbooks create xroad as a regular user. In addition, the autologin add-on doesn't log the token back in, because the add-on only reacts to the signers start and restart events, other events aren't captured.

The problem can be resolved and prevented in two ways:

1. Don't use the xroad used for interactive logins (via the admin UI or ssh).

2. Update the /etc/systemd/logind.conf configuration file and change #RemoveIPC=yes to RemoveIPC=no.

 Related articles