Add Apple Watch authentication to sudo
Note: This article was written for Intel Macs (not Apple Silicon) that do not have Touch ID. If you have a modern Mac, then I recommend Add TouchID authentication to sudo.
Since 1Password added Apple Watch unlock I’ve wondered whether there are other situations where I currently type my password that could instead be satisfied by a click on my Watch. I recently came across an article about how to make sudo work with Touch ID, which is nice, but my iMac Pro doesn’t have Touch ID. I went searching though and found pam-watchid!
This is a PAM module for using the Watch – exactly what I want.
It’s Open Source, so you compile it yourself as per the README; make sure you have Xcode or the Xcode Command Line Tools installed first:
- Download the latest ZIP file
- Unzip it, which by default creates a folder called pam-watchid-main
- Open Terminal and install it:
  - $ cd ~/Downloads/pam-watchid-main
  - $ sudo make install
- Register the new PAM module for sudo:
  - Edit /etc/pam.d/sudo
  - Add a new line under line 1 (which is a comment) containing:
    auth sufficient pam_watchid.so
  - Leave all other lines in this file as they are.
That’s it. Now, whenever you use sudo, you have the option of using your Watch to authenticate.
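As an added example (not code from the post or from the pam-watchid project), a small POSIX shell script that performs the /etc/pam.d/sudo edit from the steps above in a repeatable way: it inserts the pam_watchid line once, after the header comment, keeps a backup, and rehearses the edit on a constructed copy. The function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from pam-watchid: insert the
# pam_watchid line into a PAM config file exactly once, right after the
# leading comment line, keeping a backup. It takes a file path so the edit
# can be rehearsed on a scratch copy before it is applied to /etc/pam.d/sudo.
set -eu

# "sufficient" placed before the password module means a successful Watch
# prompt satisfies sudo on its own, while a failed or dismissed prompt
# falls through to the usual password check.
WATCHID_LINE='auth       sufficient     pam_watchid.so'

# add_watchid_line <pam-file>: add WATCHID_LINE if it is not already there.
# Safe to re-run, e.g. after a macOS update has rewritten the file.
add_watchid_line() {
    pamfile=$1
    if grep -q 'pam_watchid\.so' "$pamfile"; then
        return 0
    fi
    cp -p "$pamfile" "$pamfile.bak"
    # After the header comment when there is one, otherwise as the first line.
    awk -v ins="$WATCHID_LINE" '
        NR == 1 && /^#/ { print; print ins; next }
        NR == 1         { print ins; print; next }
        { print }
    ' "$pamfile" > "$pamfile.tmp"
    # Write back through the existing file so its owner and mode are kept.
    cat "$pamfile.tmp" > "$pamfile"
    rm -f "$pamfile.tmp"
}

# watchid_line_number <pam-file>: line number of the watchid entry, 0 if absent.
watchid_line_number() {
    n=$(grep -n 'pam_watchid\.so' "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Rehearsal on a constructed copy modelled on the stock file (not the real one).
demo=$(mktemp)
printf '%s\n' \
    '# sudo: auth account password session' \
    'auth       required       pam_opendirectory.so' \
    'account    required       pam_permit.so' \
    'password   required       pam_deny.so' \
    'session    required       pam_permit.so' > "$demo"
add_watchid_line "$demo"
add_watchid_line "$demo"          # second run changes nothing
echo "watchid entry is on line $(watchid_line_number "$demo")"
cat "$demo"
rm -f "$demo" "$demo.bak"
```

When applying it to the real file, run add_watchid_line /etc/pam.d/sudo as root and keep a second root shell open until a fresh sudo prompt has been tested, so a typo in the PAM stack cannot lock you out.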
Thanks for that. Followed all steps and also get the dialog, but nothing happens on the watch.
Unlocking the Mac works so do I need to change something on the watch as well?
I didn't have to do anything with my Watch which is updated to the latest version of WatchOS.
I got an error trying to sudo make install:
watchid-pam-extension.swift:83:17: error: type 'LAPolicy' has no member 'deviceOwnerAuthenticationWithBiometricsOrWatch'; did you mean 'deviceOwnerAuthenticationWithBiometrics'?
Ok, just found that deviceOwnerAuthenticationWithBiometricsOr requires MacOS 10.15+.
https://developer.apple.com/documentation/localauthentication/lapolicy/deviceownerauthenticationwithbiometricsorwatch
I'm running Mojave 10.14
Nice find. Just want to add that if you have an "M1" processor, you need to change the target in the makefile to: "TARGET = arm64-apple-macos11".
I tried this on an M1 Mac running macOS version 12.2.1 (21D62) and was told
`sudo: unable to initialize PAM: No such file or directory`
I tried both
`auth sufficient pam_watchid.so "reason=execute a command as root"`
and just
`auth sufficient pam_watchid.so`
but neither seemed to work.
Any ideas would be welcome.
To fix the previous error that I reported, I needed to use the comment from 2 March 2021 which says to update the makefile to use
TARGET = arm64-apple-macos11
After reboot I had to re-edit /etc/pam.d/sudo – is there a way to make this more permanent? MacOS version: 11.7.2 (20G1020)
This is not happening for me on Ventura.