Your Bitbucket Account Has Been Locked. To Unlock It and Log in Again You Must Solve a Captcha

Summary

Bitbucket Server end users or build systems need their CAPTCHA cleared often.

This means that CAPTCHA verification is enabled and they probably have a script somewhere trying to clone repos with incorrect credentials. Randomly, external tools (Git clients: SourceTree, TortoiseGit) which try to access a repository on Bitbucket Server get access denied, as Bitbucket is asking for CAPTCHA input. This happens randomly, and it can be a big annoyance inside our automatic build environment.

We recommend you pin down what is failing to log in with the wrong username/password rather than disabling CAPTCHA, for security reasons.

Disabling CAPTCHA can be achieved by following the guide below.

How can you identify which user is being blocked?

You can enable Audit logging on your instance:

  • View and configure the audit log
  • Look for entries similar to the one below in BITBUCKET_HOME/log/audit:

                    0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | username | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0

    You can also use the following query on Bitbucket's database:

            SELECT usa.user_name FROM cwd_user_attribute AS atr JOIN cwd_user AS usa ON atr.user_id = usa.id WHERE atr.attribute_name = 'failedAuthenticationAttemptCount' AND CAST(atr.attribute_value AS integer) >= 5;
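
To pin down the failing client from the audit log, the failure entries can be tallied per user and source address. The script below is an added example, not part of the original article and not Atlassian's code; it assumes the pipe-delimited layout of the entry above (source address first, epoch-millisecond timestamp fourth, username fifth, JSON details sixth), and the sample addresses and usernames are constructed.

```python
import json
from collections import defaultdict

THRESHOLD = 5  # failed logins in a row before CAPTCHA (default stated on this page)

# Constructed sample data in the pipe-delimited layout of the entry above.
_TEMPLATE = ('{ip} | AuthenticationFailureEvent | - | {ts} | {user} | '
             '{{"authentication-method":"form","error":"Invalid username or password."}}'
             ' | 633x670x0 | 1xzqso0')
SAMPLE_LOG = "\n".join(
    [_TEMPLATE.format(ip="10.0.0.21", ts=1392111196025 + i * 1000, user="buildbot")
     for i in range(6)]
    + [_TEMPLATE.format(ip="10.0.0.7", ts=1392111200000, user="alice"),
       "10.0.0.7 | AuthenticationFailureEvent | truncated"]  # malformed, skipped
)


def parse_failures(text):
    """Yield (source, timestamp_ms, username, method) per well-formed failure line."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) < 6 or fields[1] != "AuthenticationFailureEvent":
            continue
        if not fields[3].isdigit():
            continue
        try:
            method = json.loads(fields[5]).get("authentication-method", "unknown")
        except (json.JSONDecodeError, AttributeError):
            method = "unknown"
        yield fields[0], int(fields[3]), fields[4], method


def summarize(text):
    """Return {(username, source, method): number of logged failures}."""
    counts = defaultdict(int)
    for source, _ts, user, method in parse_failures(text):
        counts[(user, source, method)] += 1
    return dict(counts)


def captcha_candidates(text, threshold=THRESHOLD):
    """Usernames whose total logged failures reach the threshold, sorted."""
    totals = defaultdict(int)
    for (user, _source, _method), n in summarize(text).items():
        totals[user] += n
    return sorted(u for u, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(n, *key)
    print("at or above threshold:", captcha_candidates(SAMPLE_LOG))
```

Raw totals are an upper bound on the stored counter: the page notes that the event can be logged twice for one attempt and that the count is reset by a successful login.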

Common cause of users being blocked by CAPTCHA:

  • A _netrc file could be configured and causing invalid requests: Permanent authentication for Git repositories over HTTP(S)

Solution

How can I clear CAPTCHA for a specific user?

You can clear CAPTCHA for a Bitbucket Server user directly on the user's page if you have "System Administrator" global permissions assigned to you.

How to disable CAPTCHA?

For security reasons, Bitbucket Server end users will be prompted to enter a CAPTCHA after failing to log in 5 times in a row. This value is set by default.

You can disable CAPTCHA. However, we haven't surfaced this functionality in the Bitbucket Server admin UI as we think that it should be enabled by default and there are a few caveats when disabling it (e.g. risk of brute force attacks).

Disabling CAPTCHA will have the following ramifications:

  • Your users may lock themselves out of any underlying user directory service (LDAP, Active Directory etc.) because Bitbucket Server will pass through all authentication requests (regardless of the number of previous failures) to the underlying directory service.
  • For Bitbucket Server installations where you use Bitbucket Server for user management or where you use a directory service with no limit on the number of failed logins before locking out users, you will open Bitbucket Server or the directory service up to brute-force password attacks.

In order to disable CAPTCHA as part of the authentication, set the feature.auth.captcha property to false in your BITBUCKET_HOME/shared/bitbucket.properties for Bitbucket Server 3.2+ releases, or BITBUCKET_HOME/bitbucket.properties if you are on a previous release.

You will have to create the bitbucket.properties file in the shared folder of your Bitbucket Server home directory if it doesn't already exist. Add the system property feature.auth.captcha=false.

The default value for it is true.

Bitbucket Server must be restarted after making this change for it to take effect.

What is the "CAPTCHA on Sign up" I see on the UI?

This CAPTCHA use case is completely different from the CAPTCHA on login as described above. Read on for more details.

You can find the screen below under Administration Cog Icon >> Authentication

This screen is related to the "Public Sign up" feature (whether to enable it or not) in Bitbucket Server. The "Public Sign Up" feature (when enabled) allows external users to create accounts on your Bitbucket Server instance through the login screen. Thus you might be able to make sure only humans are signing up to your public instance by enabling CAPTCHA. Notice that the CAPTCHA option can only be enabled if you "Allow public sign up".

When you enable that feature, the following is added to your Bitbucket Server login screen:

The CAPTCHA option on the first image refers to enabling CAPTCHA during the "Public Sign up" process and has nothing to do with the login CAPTCHA. See, for example, a sign-up screen for an instance that's got it enabled:

Which conditions lead to the increase in the count of failed attempts?

  • Personal access tokens will NOT trigger CAPTCHA, even with repeated auth failures.

The CAPTCHA message is displayed on the next attempt to log in after four incorrect ones. All of the following ways count towards the limit:

  • the log-in screen in the user interface
  • a git operation that requires authentication using the command line (e.g. a git push)
  • a REST API endpoint call

Note about AuthenticationFailureEvent and failedAuthenticationAttemptCount
As described in BSERV-9904, in certain conditions the AuthenticationFailureEvent will be logged twice in the audit log. However, this will not increase the failedAuthenticationAttemptCount on a single login attempt.

In other words, if the AuthenticationFailureEvent is logged only once and the clone URL did not contain a password, then the failedAuthenticationAttemptCount will not be increased. This means that users will not see CAPTCHA messages earlier than the configured failed authentication count as a result of this. (I just validated that with version 5.11.1 of Bitbucket.)

The AuthenticationFailureEvent logged twice for the same user in a short timeframe would indicate that the authentication really failed.

The following will be displayed to the users when performing the adjacent log-in:

  • the CAPTCHA screen when logging in via the user interface
  • the following message when performing a git operation from the command line

                    fatal: remote error: CAPTCHA required
                    Your Bitbucket account has been locked. To unlock it and log in again you must solve a CAPTCHA. This is typically caused by too many attempts to login with an incorrect password. The account lock prevents your SCM client from accessing Bitbucket and its mirrors until it is solved, even if you enter your password correctly.

                    If you are currently logged in to Bitbucket via a browser you may need to logout and then log back in in order to solve the CAPTCHA.

                    Visit Bitbucket at <Bitbucket_Server_url> for more details.
  • the following message when performing a REST API end signal call

                    {"errors":[{"context":null,"message":"Authentication failed. Please check your credentials and try once more.","exceptionName":"com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"}]}[root@localhost tmp]# <Remainder API end point control details> {"errors":[{"context":nix,"message":"CAPTCHA required. Your Bitbucket business relationship has been locked. To unlock it and log in again yous must solve a CAPTCHA. This is typically caused past too many attempts to login with an incorrect password. The account lock prevents your SCM customer from accessing Bitbucket and its mirrors until it is solved, even if you enter your password correctly.\n\nIf you are currently logged in to Bitbucket via a browser you may demand to logout and so log dorsum in in lodge to solve the CAPTCHA.\north\nVisit Bitbucket at <Bitbucket_Server_url> for more than details.","exceptionName":"com.atlassian.bitbucket.auth.CaptchaRequiredAuthenticationException"}]}                              

The following conditions may lead Bitbucket Server to continuously ask for CAPTCHA

  • CAPTCHA will be reset only after a successful login. If the failed login count configured for Bitbucket Server and AD/LDAP is the same, the user account may get locked in AD/LDAP after the failed attempts and Bitbucket triggers CAPTCHA. This will never be cleared, as the user will never be able to log in until the account gets unlocked in AD/LDAP. This may be mistaken for Bitbucket Server continuously asking for CAPTCHA.

Source: https://confluence.atlassian.com/bitbucketserverkb/how-to-configure-captcha-in-bitbucket-server-779171704.html
