Apple macOS Touch ID for Sudo

How to use your Touch ID for Sudo commands

Home / Posts / Apple macOS Touch ID for Sudo

If you are like me and a bit lazy, the touch id (apples fingerprint implementation) is a really nice addition from Apple. It allows for easy lock/unlock of the mac itself and for some authentication within.

By default the touch id is not used for sudo commands in the terminal. For which you will be asked for a password as usual. But it is possible to use the touch id for sudo commands as well, for this you need an extension of the /etc/pam.d/sudo file.

Add the following entry auth sufficient pam_tid.so, the file should look like this file should look like this.

1
2
3
4
5
6
7
# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Addition for tmux users

I started to use tmux recently and the Touch ID for sudo stopped working. To renable it, you first need to install pam_reattach, then edit the /etc/pam.d/sudo file like this.

1
2
3
4
5
6
7
8
# sudo: auth account password session
auth       optional       pam_reattach.so
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy