Your Stash Account Has Been Marked as Requiring a Captcha to Be Solved Before You May Login Again


Summary

Bitbucket Server end users or Build systems need their CAPTCHA cleared often

This means that CAPTCHA verification is enabled and they probably have a script somewhere trying to clone repos with incorrect credentials. External tools (Git clients such as SourceTree and TortoiseGit) that try to access a repository on Bitbucket Server are randomly denied access, because Bitbucket is asking for CAPTCHA input. This happens randomly, and it can be a big nuisance within an automated build environment.

For security reasons, we recommend you pin down what is failing to log in with the wrong username/password rather than disabling CAPTCHA.

Disabling CAPTCHA can be achieved by following the guide below.

How can you identify which user is being blocked?

You can enable audit logging on your instance:

  • View and configure the audit log
  • Look for entries like the one below in BITBUCKET_HOME/log/audit:

        0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | username | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0

    You can also use the following query on Bitbucket's database:

        SELECT us.user_name
        FROM cwd_user_attribute AS atr
        JOIN cwd_user AS us ON atr.user_id = us.id
        WHERE atr.attribute_name = 'failedAuthenticationAttemptCount'
          AND CAST(atr.attribute_value AS integer) >= 5;
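
As an added example (not part of the original article and not Atlassian code), the Python below tallies AuthenticationFailureEvent entries per user, source address and authentication method, so the client that keeps sending bad credentials can be pinned down. The sample entries are constructed; the "basic" method value, the 10.0.0.x addresses and the user names are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

THRESHOLD = 5  # same cut-off as the database query above

# Constructed sample entries in the audit-log layout shown above:
# source IP | event | - | epoch ms | username | details JSON | request id | session id
_FAIL = ('{ip} | AuthenticationFailureEvent | - | {ts} | {user} | '
         '{{"authentication-method":"{m}","error":"Invalid username or password."}}'
         ' | 633x670x0 | -')
SAMPLE_LOG = [_FAIL.format(ip="10.0.0.15", ts=1392111196025 + i * 60000,
                           user="buildbot", m="basic") for i in range(6)]
SAMPLE_LOG += [_FAIL.format(ip="10.0.0.22", ts=1392111200000, user="alice", m="form"),
               "truncated | line"]

def parse_failures(lines):
    """Yield (username, source_ip, auth_method, epoch_ms) per failure entry."""
    for line in lines:
        head = line.strip().split("|", 5)          # first five fields are fixed
        if len(head) < 6 or head[1].strip() != "AuthenticationFailureEvent":
            continue
        tail = head[5].rsplit("|", 2)              # details JSON may contain "|"
        if len(tail) < 3:
            continue
        try:
            details, ts = json.loads(tail[0]), int(head[3])
        except ValueError:
            continue                               # skip malformed entries
        method = details.get("authentication-method", "?") if isinstance(details, dict) else "?"
        yield head[4].strip(), head[0].strip(), method, ts

def failing_sources(lines, threshold=THRESHOLD):
    """Return (user, ip, method, failures, last_epoch_ms) rows at or above threshold."""
    counts, last_seen = Counter(), {}
    for user, ip, method, ts in parse_failures(lines):
        key = (user, ip, method)
        counts[key] += 1
        last_seen[key] = max(ts, last_seen.get(key, 0))
    return [key + (n, last_seen[key]) for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for user, ip, method, n, ts in failing_sources(SAMPLE_LOG):
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat()
        print(f"{user}: {n} failed logins from {ip} via {method}, last at {when}")
```

The count here is of audit-log entries, not of the stored failedAuthenticationAttemptCount value, so treat it as a pointer to the noisy client rather than as the exact lockout counter.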

Common cause of CAPTCHA being triggered and users being blocked:

  • A _netrc file could be configured and causing invalid requests: Permanent authentication for Git repositories over HTTP(S)

Solution

How can I clear CAPTCHA for a specific user?

If you have "System Administrator" global permissions assigned to you, you can clear CAPTCHA for a Bitbucket Server user directly on the user's page.

How to disable CAPTCHA?

For security reasons, Bitbucket Server end users will be prompted for entering CAPTCHA after failing to log in five times in a row. This value is set by default.

You can disable CAPTCHA. However, we haven't surfaced this functionality in the Bitbucket Server admin UI, as we think that it should be enabled by default and there are a few caveats when disabling it (e.g. risk of brute-force attacks).

Disabling CAPTCHA will have the following ramifications:

  • Your users may lock themselves out of any underlying user directory service (LDAP, Active Directory etc) because Bitbucket Server will pass through all authentication requests (regardless of the number of previous failures) to the underlying directory service.
  • For Bitbucket Server installations where you use Bitbucket Server for user management or where you use a directory service with no limit on the number of failed logins before locking out users, you will open Bitbucket Server or the directory service up to brute-force password attacks.

In order to disable CAPTCHA as part of authentication, set the feature.auth.captcha property to false in your BITBUCKET_HOME/shared/bitbucket.properties for Bitbucket Server 3.2+ releases, or in BITBUCKET_HOME/bitbucket.properties if you are on a previous release.

You will have to create the bitbucket.properties file in the shared folder of your Bitbucket Server home directory if it doesn't already exist. Add the system property feature.auth.captcha=false.

The default value for it is true.

Bitbucket Server must be restarted after making this change for it to take effect.

What is the "CAPTCHA on Sign up" I see on the UI?

This CAPTCHA use case is completely different from the CAPTCHA on login as described above. Read on for more details.

You can find the screen below under Administration Cog Icon >> Authentication

This screen is related to the "Public Sign up" feature (whether to enable it or not) in Bitbucket Server. The "Public Sign up" feature (when enabled) allows external users to create accounts on your Bitbucket Server instance through the login screen. By enabling CAPTCHA you might thus be able to make sure only humans are signing up to your public instance. Notice that the CAPTCHA option can only be enabled if you "Allow public sign up".

When you enable that feature, the following is added to your Bitbucket Server login screen:

The CAPTCHA option on the first image refers to enabling CAPTCHA during the "Public Sign up" process and has nothing to do with the login CAPTCHA. See, for example, a sign up screen for an instance that's got it enabled:

Which conditions lead to the increase in the count of failed attempts?

  • Personal access tokens will NOT trigger CAPTCHA even with repeated auth failures.

The CAPTCHA message is displayed on the next attempt to log in after four incorrect ones. All of the following ways count towards the limit:

  • the log-in screen in the user interface
  • a git operation that requires authentication using the command line (e.g. a git push)
  • a REST API endpoint call

Note about AuthenticationFailureEvent and failedAuthenticationAttemptCount

As described in BSERV-9904, in certain conditions the AuthenticationFailureEvent will be logged twice in the audit log. However, this will not increment the failedAuthenticationAttemptCount on a single login attempt.

In other words, if the AuthenticationFailureEvent is logged only once and the clone URL did not contain a password, then the failedAuthenticationAttemptCount will not be increased. This means that users will not see CAPTCHA messages earlier than the configured failed authentication count as a result of this. (I just validated that with version 5.11.1 of Bitbucket.)

The AuthenticationFailureEvent logged twice for the same user in a short timeframe would indicate that the authentication really failed.

The following will be displayed to users when performing the next log-in:

  • the CAPTCHA screen when logging in via the user interface
  • the following message when performing a git operation from the command line

        fatal: remote error: CAPTCHA required
        Your Bitbucket account has been locked. To unlock it and log in again you must solve a CAPTCHA. This is typically caused by too many attempts to login with an incorrect password. The account lock prevents your SCM client from accessing Bitbucket and its mirrors until it is solved, even if you enter your password correctly.

        If you are currently logged in to Bitbucket via a browser you may need to logout and then log back in in order to solve the CAPTCHA.

        Visit Bitbucket at <Bitbucket_Server_url> for more details.

  • the following message when performing a REST API endpoint call

        {"errors":[{"context":null,"message":"Authentication failed. Please check your credentials and try again.","exceptionName":"com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"}]}
        [root@localhost tmp]# <REST API end point command details>
        {"errors":[{"context":null,"message":"CAPTCHA required. Your Bitbucket account has been locked. To unlock it and log in again you must solve a CAPTCHA. This is typically caused by too many attempts to login with an incorrect password. The account lock prevents your SCM client from accessing Bitbucket and its mirrors until it is solved, even if you enter your password correctly.\n\nIf you are currently logged in to Bitbucket via a browser you may need to logout and then log back in in order to solve the CAPTCHA.\n\nVisit Bitbucket at <Bitbucket_Server_url> for more details.","exceptionName":"com.atlassian.bitbucket.auth.CaptchaRequiredAuthenticationException"}]}

The following conditions may lead Bitbucket Server to continuously ask for CAPTCHA

  • CAPTCHA will be reset only after a successful login. If the failed login count configured for Bitbucket Server and AD/LDAP is the same, the user account may get locked in AD/LDAP after the failed attempts and Bitbucket triggers CAPTCHA. This will never be cleared, as the user will never be able to log in until the account gets unlocked in AD/LDAP. This may be mistaken for Bitbucket Server continuously asking for CAPTCHA.


Source: https://confluence.atlassian.com/bitbucketserverkb/how-to-configure-captcha-in-bitbucket-server-779171704.html
