Add TouchID authentication to sudo
Now that I have a TouchID enabled Mac, I want to be able use TouchID for sudo access.
There’s a pam module available, so it just needs enabling:
- Edit /etc/pam.d/sudo
- Add a new line under line 1 (which is a comment) containing:
auth sufficient pam_tid.so
(Leave all other lines in this file.)
That’s it. Now, whenever you use sudo, you have the option of using TouchID to authenticate.
It turns out that whenever there’s an OS update, /etc/pam.d/sudo is reset, so you need to re-add the line. Hence, I wrote a script called /usr/local/bin/enable-touch-id:
#!/usr/bin/env bash set -e case `grep -F "pam_tid" /etc/pam.d/sudo >/dev/null; echo $?` in 0) echo "TouchID unlock already in place" exit 0 ;; 1) sudo sed -i '' '1a\ auth sufficient pam_tid.so ' /etc/pam.d/sudo echo "TouchID unlock enabled" ;; *) echo "Error trying to read /etc/pam.d/sudo" ;; esac
Don’t forget to enable execute permissions with chmod a+x /usr/local/bin/enable-touch-id and then you can simply run it after every OS update.