Apple macOS Touch ID for Sudo

How to use your Touch ID for Sudo commands


If you are like me and a bit lazy, Touch ID (Apple's fingerprint implementation) is a really nice addition from Apple. It allows for easy locking and unlocking of the Mac itself and for some authentication within it.

By default, Touch ID is not used for sudo commands in the terminal, so you are asked for your password as usual. It is possible to use Touch ID for sudo commands as well; to do so, you need to extend the /etc/pam.d/sudo file.

Add the entry "auth sufficient pam_tid.so" as the first auth line. After that, the file should look like this.

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Now Touch ID is ready to be used for sudo. Run any sudo command and your Mac will prompt you for your finger :)

Addition for tmux users

I started to use tmux recently and the Touch ID for sudo stopped working. To re-enable it, you first need to install pam_reattach, then edit the /etc/pam.d/sudo file like this.

# sudo: auth account password session
auth       optional       pam_reattach.so
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
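
To check the file after editing, the following shell function parses the auth lines of a PAM file and verifies the ordering shown in the listings above: pam_tid.so is "sufficient" and sits before the first required module, and pam_reattach.so, when present, comes before pam_tid.so. This is an added example, not part of the original post; check_sudo_pam is a hypothetical helper name, and the sample input is a constructed copy of the tmux listing (on a real system, pass /etc/pam.d/sudo instead).

```shell
#!/bin/sh
# Added example: lint a sudo PAM file for the Touch ID ordering from this post.
# check_sudo_pam is a hypothetical helper name, not a macOS tool.
# Exit codes: 0 ok, 1 pam_tid.so missing or not "sufficient",
#             2 pam_tid.so after a required module, 3 pam_reattach.so too late.
check_sudo_pam() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }      # skip comments and blank lines
        $1 != "auth"         { next }      # only the auth stack matters here
        {
            n++
            m = $3; sub(/.*\//, "", m)     # module may be given as a full path
            if (m == "pam_tid.so")      { tid = n; ctl = $2 }
            if (m == "pam_reattach.so") { reattach = n }
            if (!req && ($2 == "required" || $2 == "requisite")) req = n
        }
        END {
            if (!tid)                { print "FAIL: pam_tid.so not in auth stack"; exit 1 }
            if (ctl != "sufficient") { print "FAIL: pam_tid.so is " ctl ", expected sufficient"; exit 1 }
            if (req && tid > req)    { print "FAIL: pam_tid.so listed after a required module"; exit 2 }
            if (reattach > tid)      { print "FAIL: pam_reattach.so listed after pam_tid.so"; exit 3 }
            print "OK: pam_tid.so is sufficient and ordered correctly"
        }
    ' "$1"
}

# Constructed sample: the tmux variant of the file from this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sudo: auth account password session
auth       optional       pam_reattach.so
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
check_sudo_pam "$sample"
rm -f "$sample"
```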