Your Bitbucket Account Has Been Locked To Unlock It and Log in Again You Must

For security reasons, Bitbucket Server e

Summary

Bitbucket Server end users or build systems need their CAPTCHA cleared often.

This means that CAPTCHA verification is enabled and they probably have a script somewhere trying to clone repos with wrong credentials. Randomly, external tools (Git clients such as SourceTree or TortoiseGit) which try to access a repository on Bitbucket Server get access denied, as Bitbucket is asking for CAPTCHA input. This happens randomly, and it can be a big annoyance inside our automated build environment.

For security reasons, we recommend you pin down what is failing to log in with the wrong username/password rather than disabling CAPTCHA.

Disabling CAPTCHA can be accomplished by following the guide below.

How can you identify which user is being blocked?

You can enable audit logging on your instance:

  • View and configure the audit log
  • Look for entries like the one below in BITBUCKET_HOME/log/audit:

        0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | username | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0

    You can also use the following query on Bitbucket's database:

        SELECT us.user_name
        FROM cwd_user_attribute as atr
        JOIN cwd_user as us ON atr.user_id = us.id
        WHERE atr.attribute_name = 'failedAuthenticationAttemptCount'
          AND CAST(atr.attribute_value as integer) >= 5;

Common cause for CAPTCHA triggering users to be blocked:

  • A _netrc file could be configured and causing invalid requests: see Permanent authentication for Git repositories over HTTP(S)

Solution

How can I articulate CAPTCHA for a specific user?

You can clear CAPTCHA for a Bitbucket Server user, directly on the user's page, if you have "System Administrator" global permissions assigned to you.

How to disable CAPTCHA?

For security reasons, Bitbucket Server end users will be prompted to enter a CAPTCHA after failing to log in 5 times in a row. This value is set by default.

You can disable CAPTCHA. However, we haven't surfaced this functionality in the Bitbucket Server admin UI as we think that it should be enabled by default and there are a few caveats when disabling it (e.g. risk of brute force attacks).

Disabling CAPTCHA will have the following ramifications:

  • Your users may lock themselves out of any underlying user directory service (LDAP, Active Directory etc) because Bitbucket Server will pass through all authentication requests (regardless of the number of previous failures) to the underlying directory service.
  • For Bitbucket Server installations where you use Bitbucket Server for user management or where you use a directory service with no limit on the number of failed logins before locking out users, you will open Bitbucket Server or the directory service up to brute-force password attacks.

In order to disable CAPTCHA as part of authentication, set the feature.auth.captcha property to false in your BITBUCKET_HOME/shared/bitbucket.properties for Bitbucket Server 3.2+ releases, or BITBUCKET_HOME/bitbucket.properties if you are on a previous release.

You will have to create the bitbucket.properties file in the shared folder of your Bitbucket Server home directory if it doesn't already exist. Add the system property feature.auth.captcha=false.

The default value for it is true.

Bitbucket Server must be restarted after making this change for it to take effect.

What is the "CAPTCHA on Sign up" I see on the UI?

This CAPTCHA use case is completely different from the CAPTCHA on login as described above. Read on for more details.

You can find the screen below under Administration Cog Icon >> Authentication

This screen is related to the "Public Sign up" feature (whether to enable it or not) in Bitbucket Server. The "Public Sign Up" feature (when enabled) allows external users to create accounts on your Bitbucket Server instance through the login screen. Thus you might be able to make sure only humans are signing up to your public instance by enabling CAPTCHA. Notice that the CAPTCHA option can only be enabled if you "Allow public sign up".

When you enable that feature, the following is added to your Bitbucket Server login screen:

The CAPTCHA option on the first image refers to enabling CAPTCHA during the "Public Sign up" process and has nothing to do with the login CAPTCHA. See, for example, a sign up screen for an instance that's got it enabled:

Which conditions lead to the increase in the count of failed attempts?

  • Personal access tokens will NOT trigger CAPTCHA even with repeated auth failures.

The CAPTCHA message is displayed on the next attempt to log in after four incorrect ones. All of the following ways count towards the limit:

  • the log-in screen in the user interface
  • a git operation that requires authentication using the command line (e.g. a git push)
  • a REST API endpoint call

Note about AuthenticationFailureEvent and failedAuthenticationAttemptCount

As described in BSERV-9904, in certain conditions the AuthenticationFailureEvent will be logged twice in the audit log. However, this will not increase the failedAuthenticationAttemptCount on a single login attempt.

In other words, if the AuthenticationFailureEvent is logged only once and the clone URL did not contain a password, then the failedAuthenticationAttemptCount will not be increased. This means that users will not see CAPTCHA messages earlier than the configured failed authentication count as a result of this. (I just validated that with the version 5.11.1 of Bitbucket).

The AuthenticationFailureEvent logged twice for the same user in a short timeframe would indicate that the authentication really failed.
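
The audit-log lookup from "How can you identify which user is being blocked?", combined with this note on double-logged events, as an added example that is not part of the original article or Atlassian's code. It counts AuthenticationFailureEvent entries per user, treats entries from the same user and source IP within a short window as one attempt, and lists users who reach the threshold; the 500 ms window, the sample lines and the function names are assumptions made for this example.

```python
from collections import defaultdict

CAPTCHA_THRESHOLD = 5      # the page's default: CAPTCHA after 5 failed logins in a row
DUPLICATE_WINDOW_MS = 500  # assumption: same user/IP events this close are one attempt

# Constructed sample in the audit-log layout shown on this page (not real data).
_FAIL = "AuthenticationFailureEvent"
_ROWS = [
    ("10.0.0.7", _FAIL, 1392111196025, "ci-build"),
    ("10.0.0.7", _FAIL, 1392111196065, "ci-build"),  # same attempt, logged twice
    ("10.0.0.7", _FAIL, 1392111256025, "ci-build"),
    ("10.0.0.7", _FAIL, 1392111256055, "ci-build"),  # same attempt, logged twice
    ("10.0.0.7", _FAIL, 1392111316025, "ci-build"),
    ("10.0.0.7", _FAIL, 1392111376025, "ci-build"),
    ("10.0.0.7", _FAIL, 1392111436025, "ci-build"),
    ("10.0.0.9", _FAIL, 1392111200000, "alice"),
    ("10.0.0.9", "PlaceholderOtherEvent", 1392111500000, "alice"),  # ignored
    ("10.0.0.9", _FAIL, 1392114800000, "alice"),
]
_DETAILS = '{"authentication-method":"form","error":"Invalid username or password."}'
SAMPLE_LOG = "\n".join(
    f"{ip} | {ev} | - | {ts} | {user} | {_DETAILS} | 633x670x0 | 1xzqso0"
    for ip, ev, ts, user in _ROWS
) + "\nthis line is not in audit format\n"


def parse_failures(text):
    """Return (user, source_ip, epoch_ms) for every AuthenticationFailureEvent line."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|", 5)]  # JSON details stay in fields[5]
        if len(fields) == 6 and fields[1] == _FAIL and fields[3].isdigit():
            events.append((fields[4], fields[0], int(fields[3])))
    return events


def summarize(events, window_ms=DUPLICATE_WINDOW_MS):
    """Map user -> (estimated attempts, source IPs), collapsing double-logged events."""
    attempts, sources, started = defaultdict(int), defaultdict(set), {}
    for user, ip, ts in sorted(events, key=lambda e: e[2]):
        if (user, ip) not in started or ts - started[(user, ip)] > window_ms:
            attempts[user] += 1
            started[(user, ip)] = ts
        sources[user].add(ip)
    return {u: (attempts[u], sorted(sources[u])) for u in attempts}


def users_at_threshold(summary, threshold=CAPTCHA_THRESHOLD):
    """Users whose estimated failed attempts reach the CAPTCHA threshold."""
    return sorted(u for u, (n, _) in summary.items() if n >= threshold)
```

The count is an estimate from the log alone and does not model the reset on a successful login, so confirm a flagged user against failedAuthenticationAttemptCount in the database. The source IPs in the summary point to the build agent or workstation that is sending the wrong credentials.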

The following will be displayed to the users when performing the adjacent log-in:

  • the CAPTCHA screen when logging in via the user interface
  • the following message when performing a git operation from the command line

        fatal: remote error: CAPTCHA required
        Your Bitbucket account has been locked. To unlock it and log in again you must solve a CAPTCHA. This is typically caused by too many attempts to login with an incorrect password. The account lock prevents your SCM client from accessing Bitbucket and its mirrors until it is solved, even if you enter your password correctly.

        If you are currently logged in to Bitbucket via a browser you may need to logout and then log back in in order to solve the CAPTCHA.

        Visit Bitbucket at <Bitbucket_Server_url> for more details.

  • the following message when performing a REST API end point call

        {"errors":[{"context":null,"message":"Authentication failed. Please check your credentials and try again.","exceptionName":"com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"}]}
        [root@localhost tmp]# <REST API end point command details>
        {"errors":[{"context":null,"message":"CAPTCHA required. Your Bitbucket account has been locked. To unlock it and log in again you must solve a CAPTCHA. This is typically caused by too many attempts to login with an incorrect password. The account lock prevents your SCM client from accessing Bitbucket and its mirrors until it is solved, even if you enter your password correctly.\n\nIf you are currently logged in to Bitbucket via a browser you may need to logout and then log back in in order to solve the CAPTCHA.\n\nVisit Bitbucket at <Bitbucket_Server_url> for more details.","exceptionName":"com.atlassian.bitbucket.auth.CaptchaRequiredAuthenticationException"}]}

The following conditions may lead Bitbucket Server to continuously ask for CAPTCHA

  • CAPTCHA will be reset only after a successful login. If the failed login count configured for Bitbucket Server and AD/LDAP is the same, the user account may get locked in AD/LDAP after the failed attempts and Bitbucket triggers CAPTCHA. This will never be cleared, as the user will never be able to log in until the account gets unlocked in AD/LDAP. This may be mistaken for Bitbucket Server continuously asking for CAPTCHA.


Source: https://confluence.atlassian.com/bitbucketserverkb/how-to-configure-captcha-in-bitbucket-server-779171704.html
