How to configure CAPTCHA in Stash
Stash end users or Build systems need their CAPTCHA cleared often
This means that CAPTCHA verification is enabled and they probably have a script somewhere trying to clone repos with incorrect credentials.
Randomly, external tools (git clients: SourceTree, TortoiseGit) which try to access a repository on the STASH server get access denied, as STASH is asking for CAPTCHA input. As I said, this happens randomly, and it can be a big annoyance within our automatic build environment.
For security reasons, we recommend you pin down what is failing to log in with the wrong username/password rather than disabling CAPTCHA.
Disabling CAPTCHA can be achieved by following the guide below.
How can you identify which user is being blocked?
You can enable audit logging on your instance:
- Audit logging in Stash
- Look for entries like the one below in STASH_HOME/log/audit:
:0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | username | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0
A common cause of users being blocked by CAPTCHA: a _netrc file may be configured with stale credentials and be sending invalid requests on every git operation (see Permanent authentication for Git repositories over HTTP(S)).
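The audit entry above is pipe-separated, so the users triggering CAPTCHA can be found by counting AuthenticationFailureEvent entries per username. The following script is an added example, not part of the original article or of Stash; the field layout (source address, event, repository, epoch milliseconds, user, JSON details, request id, session id) is assumed from the sample line, the log lines are constructed, and the threshold of 5 is the CAPTCHA trigger the article states.

```python
import json
from collections import defaultdict

# Constructed sample lines in the layout of the audit entry shown above
# (source address | event | repository | epoch ms | user | JSON details | request id | session id).
SAMPLE_AUDIT = """\
:0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | buildbot | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0
:0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196125 | buildbot | {"authentication-method":"form","error":"Invalid username or password."} | 633x671x0 | 1xzqso0
10.0.0.5 | AuthenticationFailureEvent | - | 1392111196225 | alice | {"authentication-method":"form","error":"Invalid username or password."} | 633x672x0 | 2abcde0
:0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196325 | buildbot | {"authentication-method":"form","error":"Invalid username or password."} | 633x673x0 | 1xzqso0
:0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196425 | buildbot | {"authentication-method":"form","error":"Invalid username or password."} | 633x674x0 | 1xzqso0
:0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196525 | buildbot | {"authentication-method":"form","error":"Invalid username or password."} | 633x675x0 | 1xzqso0
10.0.0.5 | PullRequestOpenedEvent | PROJ/repo | 1392111196625 | alice | {} | 633x676x0 | 2abcde0
"""

CAPTCHA_THRESHOLD = 5  # Stash prompts for CAPTCHA after 5 failed logins in a row


def parse_audit_line(line):
    """Split one audit entry into a dict; returns None for lines not in the expected layout."""
    parts = line.split(" | ")
    if len(parts) < 8:
        return None
    source, event, repo, ts_ms, user = (p.strip() for p in parts[:5])
    request_id, session_id = (p.strip() for p in parts[-2:])
    # The JSON details field may itself contain " | ", so re-join whatever sits between
    # the five leading fields and the two trailing ones.
    raw_details = " | ".join(parts[5:-2]).strip()
    try:
        details = json.loads(raw_details)
    except ValueError:
        details = {}
    return {"source": source, "event": event, "repo": repo, "ts_ms": int(ts_ms),
            "user": user, "details": details, "request_id": request_id,
            "session_id": session_id}


def failing_users(log_text, threshold=CAPTCHA_THRESHOLD):
    """Return {user: {"count": n, "sources": [...]}} for users whose authentication
    failures in log_text reach the threshold. This counts all failures in the text given,
    not only consecutive ones, so it is a conservative approximation of Stash's counter."""
    failures = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry is None or entry["event"] != "AuthenticationFailureEvent":
            continue
        failures[entry["user"]]["count"] += 1
        failures[entry["user"]]["sources"].add(entry["source"])
    return {u: {"count": r["count"], "sources": sorted(r["sources"])}
            for u, r in failures.items() if r["count"] >= threshold}
```

Run it against STASH_HOME/log/audit instead of the sample text to see which account (and which source address) is repeatedly failing; a build account failing from the loopback address points at a local script or _netrc file.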
How can I clear CAPTCHA for a specific user?
If you have the "System Administrator" global permission, you can clear the CAPTCHA for a Stash user directly on that user's page.
How to disable CAPTCHA?
For security reasons, Stash end users will be prompted to enter a CAPTCHA after failing to log in 5 times in a row.
You can disable CAPTCHA. However, we haven't surfaced this functionality in the Stash admin UI as we think that it should be enabled by default and there are a few caveats when disabling it (e.g. risk of brute force attacks).
Disabling CAPTCHA will have the following ramifications:
- Your users may lock themselves out of any underlying user directory service (LDAP, Active Directory etc) because Stash will pass through all authentication requests (regardless of the number of previous failures) to the underlying directory service.
- For Stash installations where you use Stash for user management or where you use a directory service with no limit on the number of failed logins before locking out users, you will open Stash or the directory service up to brute-force password attacks.
To disable CAPTCHA as part of authentication, set the feature.auth.captcha property to false in STASH_HOME/shared/stash-config.properties for Stash 3.2+ releases, or in STASH_HOME/stash-config.properties if you are on a previous release. The default value is true.
Stash must be restarted after making this change for it to take effect.
What is the "CAPTCHA on Sign up" I see on the UI?
This CAPTCHA use case is completely different from the CAPTCHA on login as described above. Read on for more details.
You can find the screen below under Administration Cog Icon >> Authentication.
This screen is related to the "Public Sign Up" feature (whether to enable it or not) in Stash. The "Public Sign Up" feature (when enabled) allows external users to create accounts on your Stash instance through the login screen. Enabling CAPTCHA there lets you make sure only humans are signing up to your public instance. Notice that the CAPTCHA option can only be enabled if you "Allow public sign up".
When you enable that feature, the following is added to your Stash login screen:
The CAPTCHA option on the first image refers to enabling CAPTCHA during the "Public Sign Up" process and has nothing to do with the login CAPTCHA. See, for example, a sign up screen for an instance that has it enabled: