How to configure CAPTCHA in Stash
Stash end users or build systems frequently need their CAPTCHA cleared.
This means that CAPTCHA verification is enabled and, most likely, a script somewhere is trying to clone repositories with incorrect credentials.
Randomly, external tools (git clients: SourceTree, TortoiseGit) which try to access a repository on the STASH server get access denied, as STASH is asking for CAPTCHA input. As I said, this happens randomly, and it can be a big annoyance within our automatic build environment.
For security reasons, rather than disabling CAPTCHA, we recommend narrowing down which clients are failing to log in with an incorrect username/password.
If you still need to disable CAPTCHA, see the guide further down.
How to identify blocked users
You can enable audit logging on your instance:
- Audit logging in Stash
Then look in STASH_HOME/log/audit for entries like the following:
0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | username | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0
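As an added example (not part of the original article), the script below reads audit entries in the pipe-delimited layout shown above, counts consecutive AuthenticationFailureEvent entries per user, and reports the users that reached the 5-failure CAPTCHA threshold together with the source IPs and authentication methods behind them, so the misconfigured client can be found. The sample entries are constructed, and the AuthenticationSuccessEvent name used to reset a user's run is an assumption.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of STASH_HOME/log/audit entries in the pipe-delimited
# layout shown above. Only AuthenticationFailureEvent and its field order come
# from the article; the IPs, users, ids and the success event name are made up.
SAMPLE_AUDIT_LOG = """\
0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | - | 1392111196025 | buildbot | {"authentication-method":"form","error":"Invalid username or password."} | 633x670x0 | 1xzqso0
10.0.0.7 | AuthenticationFailureEvent | - | 1392111200000 | buildbot | {"authentication-method":"basic","error":"Invalid username or password."} | 633x671x0 | 1xzqso0
10.0.0.7 | AuthenticationFailureEvent | - | 1392111203000 | buildbot | {"authentication-method":"basic","error":"Invalid username or password."} | 633x672x0 | 1xzqso0
10.0.0.7 | AuthenticationFailureEvent | - | 1392111206000 | buildbot | {"authentication-method":"basic","error":"Invalid username or password."} | 633x673x0 | 1xzqso0
10.0.0.7 | AuthenticationFailureEvent | - | 1392111209000 | buildbot | {"authentication-method":"basic","error":"Invalid username or password."} | 633x674x0 | 1xzqso0
192.0.2.10 | AuthenticationFailureEvent | - | 1392111210000 | alice | {"authentication-method":"form","error":"Invalid username or password."} | 633x675x0 | 2abcd01
192.0.2.10 | AuthenticationSuccessEvent | - | 1392111215000 | alice | {"authentication-method":"form"} | 633x676x0 | 2abcd01
"""

CAPTCHA_THRESHOLD = 5  # Stash asks for CAPTCHA after 5 failed logins in a row

def parse_audit_line(line):
    """Split one audit entry into a dict, or return None if it does not fit."""
    fields = [f.strip() for f in line.split(" | ")]
    if len(fields) < 6 or not fields[3].isdigit():
        return None
    try:
        details = json.loads(fields[5])  # sixth field is a JSON object
    except json.JSONDecodeError:
        details = {}
    return {"ip": fields[0], "event": fields[1], "user": fields[4],
            "time": datetime.fromtimestamp(int(fields[3]) / 1000, tz=timezone.utc),
            "method": details.get("authentication-method", "?")}

def find_captcha_candidates(log_text, threshold=CAPTCHA_THRESHOLD):
    """Return {user: Counter((ip, method))} for users whose run of consecutive
    failures reached the threshold; any other Authentication* event resets it."""
    streak, flagged = defaultdict(list), {}
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry is None or not entry["event"].startswith("Authentication"):
            continue
        if entry["event"] == "AuthenticationFailureEvent":
            streak[entry["user"]].append((entry["ip"], entry["method"]))
            if len(streak[entry["user"]]) >= threshold:
                flagged[entry["user"]] = Counter(streak[entry["user"]])
        else:
            streak[entry["user"]].clear()  # successful login ends the run
    return flagged
```

Pass the contents of the real audit file to find_captcha_candidates; a user whose failures all come from one IP with the "basic" method usually points at a build agent or git client with stale credentials.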
Common causes of users being blocked by CAPTCHA
A _netrc file may be configured with stale credentials and be generating the invalid requests: Permanent authentication for Git repositories over HTTP(S)
How to clear CAPTCHA for a specific user
You can clear CAPTCHA for a Stash user directly on the user's page if you have the "System Administrator" global permission.
How to disable CAPTCHA
For security reasons, Stash end users will be prompted to enter a CAPTCHA after failing to log in 5 times in a row.
You can disable CAPTCHA. However, we haven't surfaced this functionality in the Stash admin UI as we think that it should be enabled by default and there are a few caveats when disabling it (e.g. risk of brute force attacks).
Disabling CAPTCHA can have the following consequences:
- Your users may lock themselves out of any underlying user directory service (LDAP, Active Directory etc) because Stash will pass through all authentication requests (regardless of the number of previous failures) to the underlying directory service.
- For Stash installations where you use Stash for user management or where you use a directory service with no limit on the number of failed logins before locking out users, you will open Stash or the directory service up to brute-force password attacks.
In order to disable CAPTCHA as part of authentication, set the feature.auth.captcha property to false in STASH_HOME/shared/stash-config.properties for Stash 3.2+ releases, or in STASH_HOME/stash-config.properties if you are on a previous release.
The default value is true.
Stash must be restarted after making this change for it to take effect.
What is the "CAPTCHA on sign up" option shown in the UI?
This CAPTCHA use case is completely different from the login CAPTCHA described above. Read on for details.
You can find the following screen under Administration Cog Icon >> Authentication.
This screen is related to the "Public Sign up" feature (whether to enable it or not) in Stash. The "Public Sign up" feature, when enabled, allows external users to create accounts on your Stash instance through the login screen. By enabling CAPTCHA here you can make sure that only humans are signing up to your public instance. Notice that the CAPTCHA option can only be enabled if you "Allow public sign up".
When you enable that feature, the following is added to your Stash login screen:
The CAPTCHA option in the first image refers to enabling CAPTCHA during the "Public Sign up" process and is not related to the login CAPTCHA. Below is an example of the sign-up screen on an instance where it is enabled.