
Enabling Touch ID authorization for sudo on macOS High Sierra

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.

Before proceeding further, I want to emphasize that you can cause yourself a lot of problems by changing sudo authorization methods incorrectly. I assume no responsibility and bear no culpability if sudo or anything else breaks as a result of anything you implement as a result of reading this post.

With that understood, please see below for how to add Touch ID to the list of sudo's accepted authorization methods:

1. Make a backup copy of the following file:

/etc/pam.d/sudo


2. Edit the following file using root privileges:

/etc/pam.d/sudo


3. Add the following line at the top of the file, below the comment header and above the existing auth lines (pam_smartcard.so and pam_opendirectory.so), so that it is the first auth module sudo consults:

auth sufficient pam_tid.so


4. Save your changes.

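The four steps above, scripted as a single POSIX sh function. This is an added example, not a script from the original post: it backs up /etc/pam.d/sudo with a timestamp, inserts the pam_tid.so line before the first existing auth line, writes through the original file so its root:wheel ownership and 0444 mode are kept, and does nothing if the line is already there. That last point matters because macOS updates replace /etc/pam.d/sudo, so the edit has to be re-applied after upgrading; the --apply flag, the function names and the path argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): enable Touch ID for sudo by
# inserting "auth sufficient pam_tid.so" as the first auth line of the
# sudo PAM file. Run as root; pass a path to try it on a copy first.

enable_touchid_sudo() {
    pam_file="${1:-/etc/pam.d/sudo}"
    tid_line="auth       sufficient     pam_tid.so"

    [ -f "$pam_file" ] || { echo "no such file: $pam_file" >&2; return 1; }

    # Already configured: leave the file alone (safe to re-run after an OS update).
    if grep -q 'pam_tid\.so' "$pam_file"; then
        echo "pam_tid.so already present in $pam_file"
        return 0
    fi

    # Step 1: timestamped backup next to the original, same mode and owner.
    backup="${pam_file}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$pam_file" "$backup" || return 1

    # Steps 2-3: build the new contents, placing pam_tid.so before the first
    # existing auth line so it is consulted ahead of pam_smartcard/pam_opendirectory.
    tmp="$(mktemp)" || return 1
    awk -v new="$tid_line" '
        !done && $1 == "auth" { print new; done = 1 }
        { print }
        END { if (!done) print new }
    ' "$pam_file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Step 4: write through the existing file so ownership and mode are kept.
    cat "$tmp" > "$pam_file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "backup: $backup"
}

# Check that the line is in place (useful after the edit and after OS updates).
touchid_sudo_enabled() {
    grep -q '^auth[[:space:]]*sufficient[[:space:]]*pam_tid\.so' "${1:-/etc/pam.d/sudo}"
}

# Only touch the real file when explicitly asked to (assumed flag name).
if [ "${1:-}" = "--apply" ]; then
    enable_touchid_sudo /etc/pam.d/sudo
    touchid_sudo_enabled && echo "Touch ID enabled for sudo; test with: sudo -k; sudo date"
fi
```

Run it as `sudo sh enable_touchid_sudo.sh --apply`, then `sudo -k` followed by `sudo date` to confirm the Touch ID prompt appears. If anything goes wrong, copy the .bak file back over /etc/pam.d/sudo from a root shell you still have open.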

Once your changes have been saved, run sudo -k to discard any cached sudo credentials (otherwise sudo may not prompt at all), then try using sudo to authorize something. In this example, I'm using the following command:

sudo date

With Touch ID authorization enabled for sudo, you should see the macOS Touch ID dialog box appear, asking you to authorize sudo with your fingerprint.


Once you’ve used Touch ID to authorize sudo, the command should run without requesting your account password.


Something to be aware of is that Cabel Sasser included a follow-up caveat:

When I looked into it, it appears that this caveat is Touch ID-specific: in a session where pam_tid.so cannot prompt (for example, sudo run over SSH), the module simply fails, and because it was added as sufficient rather than required, sudo falls through to the next auth module, so you can still authorize sudo using your account's password.


Categories: Mac administration, macOS, Unix
  1. JayB
    November 18, 2017 at 2:58 am

    Obviously won’t work with sudo -S

    Right? 🙂

  2. Anatharias
    November 23, 2017 at 1:18 am

    Is there a way to activate Touch ID system-wide? Right now sometimes you type the password, other times you use Touch ID. This is ridiculous.
    Thanks

  3. December 26, 2017 at 5:39 pm

    Thanks for this write up. It is very useful.
    As for the sudo via ssh, maybe you should be a bit clearer. I wasn't sure what you meant by 'this caveat is Touch ID-specific'. Essentially, you STILL can sudo but with a password. The system knows you are not logged in from the computer screen/keyboard and does not even try the Touch ID.

  4. September 20, 2018 at 10:20 pm

    There are a bunch of other files in /etc/pam.d. What would adding this line to the top of those do? For example, would adding it to /etc/pam.d/su work? What do the other files do?

  5. Ram
  6. July 12, 2019 at 6:22 pm

    This might be out of date—on my 10.13 machine, this edit pops up the TouchID panel but touching the button does not do anything. (This is a sometimes problem I have with other apps on my 2016 MBP, so possibly local to me, but I’ve never seen this consistently.)

    • Ashley Kleynhans
      October 3, 2019 at 12:40 pm

      This doesn’t work anymore for me either on 10.14. It worked on my older Macbook Pro.

  7. Martin Erni
    April 30, 2020 at 2:30 pm

    still working on my MacBook Pro 2017 with macOS 10.14.6: but only in Terminal, NOT in iTerm 😦

    • idnk
      • Martin Erni
        May 20, 2020 at 8:28 am

        found another solution yesterday 😉 but thank you @idnk , will have a look at your hint too
        – Settings
        – Advanced
        – Allow sessions to survive logging out and back in => NO
        – re-Start iTerm

