macOS, sudo, and Touch ID

Here’s a quick cheat sheet for my own reference.

macOS supports the use of Touch ID for sudo authentication. Yes, I still love to live in the terminal, so this is an everyday, multiple times a day thing for me.

Fortunately, it’s a very quick edit to enable the functionality and it saves a TON of time (vs. entering your password each time you run the sudo command, or worse, setting the NOPASSWD option).

Edit PAM

Initial file contents

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

me@macbookpro:~ # sudo vi /etc/pam.d/sudo

Insert the following as the first uncommented line: auth sufficient pam_tid.so

Resulting file contents

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Force save (:w!), then quit (:q).

And you’re done!

But there is a minor caveat…

In macOS, PAM configuration files are protected by System Integrity Protection (SIP), so they will be overwritten with every OS upgrade, by design.

It’s a bit annoying and maybe some day I’ll dig into better options. But for now it’s a quick and generally painless edit after an OS update.
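Since the edit has to be redone after every OS update, here is an added example (not from the original post) of a small shell script that makes the same change idempotently and a check that confirms pam_tid.so is really the first uncommented line. The script name and the --apply/--check flags are assumptions; it writes through a temp file so an interrupted run cannot leave sudo with a truncated PAM file.

```sh
#!/bin/sh
# Added example, not from the original post: re-apply the Touch ID edit to a
# PAM file idempotently, and check whether it is already in place.
# PAM_FILE defaults to the real path; point it at a copy to try it safely.

PAM_FILE="${PAM_FILE:-/etc/pam.d/sudo}"
TID_LINE='auth       sufficient     pam_tid.so'

# Exit 0 if the first uncommented, non-blank line of "$1" loads pam_tid.so.
# Order matters: pam_tid.so must precede pam_smartcard.so/pam_opendirectory.so.
touchid_enabled() {
    awk 'BEGIN { rc = 1 }
         /^[ \t]*#/ || /^[ \t]*$/ { next }
         { if ($0 ~ /^auth[ \t]+sufficient[ \t]+pam_tid\.so/) rc = 0; exit }
         END { exit rc }' "$1"
}

# Insert TID_LINE before the first uncommented line of "$1", unless it is
# already there. The new contents are built in a temp file and copied over
# the original in one step, so a failure cannot leave a half-written PAM
# file (which would lock you out of sudo). "cat >" keeps the file's mode.
enable_touchid() {
    file="$1"
    touchid_enabled "$file" && return 0
    tmp="${file}.tmp.$$"
    awk -v line="$TID_LINE" '
        !done && $0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/ { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$file" > "$tmp" \
      && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (script name is assumed):  sudo sh touchid-sudo.sh --apply
#                                  sh touchid-sudo.sh --check
case "${1:-}" in
    --apply) enable_touchid "$PAM_FILE" && echo "pam_tid.so enabled in $PAM_FILE" ;;
    --check) if touchid_enabled "$PAM_FILE"; then echo enabled; else echo "not enabled"; fi ;;
esac
```

Running --check after an OS update tells you whether the edit survived before your next sudo prompt surprises you.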