Enabling Touch ID authorization for sudo on macOS High Sierra
My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:
I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.
Before proceeding further, I want to emphasize that you can cause yourself a lot of problems by changing sudo's authorization methods incorrectly: a typo in /etc/pam.d/sudo can leave sudo unable to authorize anyone, so keep a second Terminal window with a working sudo session open until you have confirmed the edited file works. I assume no responsibility and bear no culpability if sudo or anything else breaks as a result of anything you implement after reading this post.
With that understood, please see below for how to add Touch ID to the list of sudo's accepted authorization methods:
1. Make a backup copy of the following file:
/etc/pam.d/sudo
2. Edit the following file using root privileges:
/etc/pam.d/sudo
3. Add the following line at the top of the file's auth stack, before the existing auth lines, so that Touch ID is tried before the password module (the line is marked sufficient, so a successful Touch ID check ends authorization and a failed one falls through to the remaining modules):
auth sufficient pam_tid.so
4. Save your changes.
Once your changes have been saved, try using sudo to authorize something. If you have used sudo in the last few minutes, run sudo -k first so that the cached credential does not mask the new prompt. In this example, I'm using the following command:
sudo date
With Touch ID authorization enabled for sudo, you should see a Touch ID dialog box appear.
Once you’ve used Touch ID to authorize sudo, the command should run without requesting your account password.
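The steps above as a small POSIX shell script, added here as an example and not code from the original post: it backs up the file, inserts the pam_tid.so line ahead of the existing auth lines so it is tried before the password module, refuses to add the line twice, and can put the backup back. The PAM file content embedded in the script is a constructed copy of the stock High Sierra /etc/pam.d/sudo (an assumption; compare it with your own file first), and the demo function only ever touches a throwaway copy of it.

```shell
#!/bin/sh
# Added example, not part of the original post. Scripts the edit of
# /etc/pam.d/sudo described above against whatever PAM file path you pass in.

# Constructed copy of the stock High Sierra /etc/pam.d/sudo (assumption:
# verify against the real file before running enable_tid on it).
PAM_SUDO_SAMPLE='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so'

# The line to add. "sufficient" means a successful Touch ID check ends the
# auth stack; a failed or unavailable one (e.g. over SSH) falls through to the
# next module, which is why the account password keeps working.
TID_LINE='auth       sufficient     pam_tid.so'

# enable_tid FILE
#   Step 1: copy FILE to FILE.bak.
#   Step 3: insert TID_LINE before the first existing "auth" line, so it is
#   consulted before pam_opendirectory.so asks for a password.
#   Idempotent: if pam_tid.so is already present the file is left untouched.
enable_tid() {
  f=$1
  if grep -q 'pam_tid.so' "$f"; then
    return 0
  fi
  cp -p "$f" "$f.bak" || return 1
  tmp=$(mktemp) || return 1
  awk -v line="$TID_LINE" '
    !done && $1 == "auth" { print line; done = 1 }
    { print }
  ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
  # cat into place rather than mv: keeps the system file's inode, owner and mode
  cat "$tmp" > "$f"
  rm -f "$tmp"
}

# restore_tid_backup FILE: undo enable_tid using the backup taken in step 1.
restore_tid_backup() {
  [ -f "$1.bak" ] && cat "$1.bak" > "$1"
}

# first_auth_module FILE: module named on the first auth line (expect pam_tid.so).
first_auth_module() {
  awk '$1 == "auth" { print $3; exit }' "$1"
}

# tid_line_count FILE: number of pam_tid.so lines (expect exactly 1 when enabled).
tid_line_count() {
  grep -c 'pam_tid.so' "$1" || true
}

# Dry run on a throwaway copy of the sample file; prints the edited stack.
# On a real Mac, once the dry run looks right:
#   sudo sh -c '. ./enable_tid.sh; enable_tid /etc/pam.d/sudo'
#   sudo -k && sudo date     # should now bring up the Touch ID dialog
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' "$PAM_SUDO_SAMPLE" > "$d/sudo"
  enable_tid "$d/sudo"
  enable_tid "$d/sudo"   # second run is a no-op
  printf 'first auth module: %s, pam_tid.so lines: %s\n' \
    "$(first_auth_module "$d/sudo")" "$(tid_line_count "$d/sudo")"
  cat "$d/sudo"
  rm -rf "$d"
}
```

Keep the .bak file around: macOS updates replace /etc/pam.d/sudo, so check that the pam_tid.so line is still there after updating. If sudo stops authorizing altogether after the edit, restore_tid_backup (run from the Terminal window you kept open) puts the original file back.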
Something to be aware of is that Cabel Sasser included a follow-up caveat, which concerns using sudo over SSH:
When I looked into it, it appears that this caveat is Touch ID-specific: in an SSH session there is no Touch ID prompt at all, but you can still authorize sudo using your account's password, because the pam_tid.so line is only sufficient, not required, and a failed or unavailable Touch ID check falls through to the password module.
Obviously won’t work with sudo -S
Right? 🙂
Is there a way to activate Touch ID system-wide? Right now, sometimes you type the password, other times you use Touch ID. This is ridiculous.
Thanks
Thanks for this write up. It is very useful.
As for the sudo via ssh, maybe you should be a bit clearer. I wasn’t sure what you meant by ‘this caveat is Touch ID-specific’. Essentially, you STILL can sudo but with a password. The system knows you are not logged in from the computer screen/keyboard and does not even try the touch ID.
There are a bunch of other files in /etc/pam.d. What would adding this line to the top of those do? For example, would adding it to /etc/pam.d/su work? What do the other files do?
sudo over SSH with TouchID, you may try this: https://medium.com/@prbinu/touch2sudo-enable-remote-sudo-two-factor-authentication-using-mac-touch-id-df638b7da594
https://github.com/prbinu/touch2sudo
This might be out of date—on my 10.13 machine, this edit pops up the TouchID panel but touching the button does not do anything. (This is a sometimes problem I have with other apps on my 2016 MBP, so possibly local to me, but I’ve never seen this consistently.)
This doesn’t work anymore for me either on 10.14. It worked on my older Macbook Pro.
Still working on my MacBook Pro 2017 with macOS 10.14.6, but only in Terminal, NOT in iTerm 😦
Use https://github.com/fabianishere/pam_reattach
Found another solution yesterday 😉 but thank you @idnk, will have a look at your hint too:
– Settings
– Advanced
– Allow sessions to survive logging out and back in => NO
– re-Start iTerm