
Enabling Touch ID authorization for sudo on macOS High Sierra

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.

Before proceeding further, I want to emphasize that you can cause yourself a lot of problems by changing sudo authorization methods incorrectly. I assume no responsibility and bear no culpability if sudo or anything else breaks as a result of anything you implement as a result of reading this post.

With that understood, please see below for how to add Touch ID to the list of sudo's accepted authorization methods:

1. Make a backup copy of the following file:

/etc/pam.d/sudo


2. Edit the following file using root privileges:

/etc/pam.d/sudo


3. Add the following line in the indicated location:

auth sufficient pam_tid.so


4. Save your changes.

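As an added example (not from the original post), the shell functions below carry out steps 1 to 3 on a PAM service file given as an argument, so the edit can be rehearsed on a copy before being pointed at /etc/pam.d/sudo. The line is inserted ahead of the existing auth modules so PAM consults Touch ID first, and the script refuses to add it twice. The sample file contents are constructed to resemble the stock High Sierra file and are an assumption, as are the function names.

```shell
# Added example: back up a PAM service file and insert the pam_tid.so line
# idempotently. Takes the path as an argument so it can be rehearsed on a
# copy before it is pointed at /etc/pam.d/sudo (which requires root).
TID_LINE='auth       sufficient     pam_tid.so'

# Write a constructed sample resembling the stock High Sierra sudo PAM file
# (an assumption; the real file on your Mac may differ).
sample_pam_sudo() {
    printf '%s\n' \
        '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' \
        'password   required       pam_deny.so' \
        'session    required       pam_permit.so' > "$1"
}

# Succeed if the file already lists pam_tid.so as a sufficient auth module.
has_touchid() {
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Print the first auth module PAM will consult, for checking the result.
first_auth_module() {
    awk '/^auth[[:space:]]/ { print $3; exit }' "$1"
}

# Steps 1 to 3: keep a backup, then insert the line ahead of the existing
# auth modules so Touch ID is tried first. "sufficient" means a matching
# fingerprint satisfies the auth stack; a failure, or a session with no
# Touch ID dialog (such as ssh), falls through to the password modules.
add_touchid() {
    file=$1
    if has_touchid "$file"; then
        echo "pam_tid.so already present in $file" >&2
        return 0
    fi
    cp -p "$file" "$file.bak"
    awk -v line="$TID_LINE" '
        !done && /^auth[[:space:]]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file.bak" > "$file"
}

# Usage on a real system: sudo sh ./touchid-sudo.sh /etc/pam.d/sudo
if [ -n "${1:-}" ]; then
    add_touchid "$1" && echo "first auth module: $(first_auth_module "$1")"
fi
```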

Once your changes have been saved, try using sudo to authorize something. In this example, I’m using the following command:

sudo date

With Touch ID authorization enabled for sudo, you should see the following dialog box appear.


Once you’ve used Touch ID to authorize sudo, the command should run without requesting your account password.


Something to be aware of is that Cabel Sasser included a follow-up caveat:

When I looked into it, it appears that this caveat is Touch ID-specific, because you can still authorize sudo using your account’s password.


Categories: Mac administration, macOS, Unix
  1. JayB
    November 18, 2017 at 2:58 am

    Obviously won’t work with sudo -S

    Right? 🙂

  2. Anatharias
    November 23, 2017 at 1:18 am

    Is there a way to activate Touch ID system-wide? Right now sometimes you type the password, other times you use Touch ID. This is ridiculous.
    Thanks

  3. December 26, 2017 at 5:39 pm

    Thanks for this write-up. It is very useful.
    As for the sudo via ssh, maybe you should be a bit clearer. I wasn't sure what you meant by 'this caveat is Touch ID-specific'. Essentially, you STILL can sudo but with a password. The system knows you are not logged in from the computer screen/keyboard and does not even try the Touch ID.
