Pragmatism in the real world

Add TouchID authentication to sudo

Now that I have a TouchID enabled Mac, I want to be able to use TouchID for sudo access.

There’s a pam module available, so it just needs enabling:

  • Edit /etc/pam.d/sudo
  • Add a new line under line 1 (which is a comment) containing:
    auth       sufficient     pam_tid.so

    (Leave all other lines in this file.)

That’s it. Now, whenever you use sudo, you have the option of using TouchID to authenticate.

[Screenshot 2021-11-15 at 11:08:18]

Scripting it

It turns out that whenever there’s an OS update, /etc/pam.d/sudo is reset, so you need to re-add the line. Hence, I wrote a script called /usr/local/bin/enable-touch-id:

#!/usr/bin/env bash

set -e

# grep exits 0 if pam_tid is already in the file, 1 if it is absent, and >1 on a read error
case `grep -F "pam_tid" /etc/pam.d/sudo >/dev/null; echo $?` in
  0)
    echo "TouchID unlock already in place"
    exit 0
    ;;
  1)
    # BSD sed: append the pam_tid line after line 1 (the comment header), editing in place
    sudo sed -i '' '1a\
auth       sufficient     pam_tid.so
    ' /etc/pam.d/sudo

    echo "TouchID unlock enabled"
    ;;
  *)
    echo "Error trying to read /etc/pam.d/sudo" >&2
    exit 1
    ;;
esac

Don’t forget to enable execute permissions with chmod a+x /usr/local/bin/enable-touch-id and then you can simply run it after every OS update.
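As an added example (my code, not the post's script), here is a small set of shell helpers that do the same job against any file path, so they can be exercised on a constructed copy of the stock /etc/pam.d/sudo layout instead of the live file. Two things differ from the one-liner above: only an uncommented auth line for pam_tid.so counts (a plain grep -F "pam_tid" would also match a commented-out line), and there is a check that pam_tid.so sits before the other auth modules, which matters because sufficient lets a TouchID success short-circuit the rest of the auth stack. The sample file contents, the helper names and the temporary directory are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example: inspect and enable pam_tid.so in a PAM "sudo" config file.
# Every function takes a file path, so nothing here touches /etc.

# Return 0 if the file has an active (uncommented) "auth <control> pam_tid.so" line.
touchid_enabled() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so' "$1"
}

# Print the line number of the first active pam_tid.so auth line (empty if none).
touchid_line() {
  grep -En '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so' "$1" | head -n1 | cut -d: -f1
}

# Return 0 if pam_tid.so is the first auth module in the stack, so that
# "sufficient" lets a TouchID success end authentication before the other modules run.
touchid_first_auth() {
  first_auth=$(grep -En '^[[:space:]]*auth[[:space:]]' "$1" | head -n1 | cut -d: -f1)
  tid=$(touchid_line "$1")
  [ -n "$tid" ] && [ "$tid" = "$first_auth" ]
}

# Copy $1 to $2, inserting the pam_tid line after line 1 (the comment header)
# unless it is already present; idempotent, and never edits the source in place.
enable_touchid_in() {
  src="$1"; dst="$2"
  if touchid_enabled "$src"; then
    cp "$src" "$dst"
  else
    { sed -n '1p' "$src"; printf 'auth       sufficient     pam_tid.so\n'; sed -n '2,$p' "$src"; } > "$dst"
  fi
}

# Constructed sample approximating the stock macOS /etc/pam.d/sudo (an assumption,
# not copied from any particular system); written to the path given in $1.
make_sample() {
  cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Demo on a temporary copy so the example runs offline without privileges.
demo() {
  dir=$(mktemp -d)
  make_sample "$dir/sudo"
  enable_touchid_in "$dir/sudo" "$dir/sudo.enabled"
  if touchid_first_auth "$dir/sudo.enabled"; then
    echo "pam_tid.so is the first auth module (line $(touchid_line "$dir/sudo.enabled"))"
  else
    echo "pam_tid.so missing or listed after another auth module"
  fi
  rm -rf "$dir"
}
demo
```

To use it against the real file, point enable_touchid_in at /etc/pam.d/sudo with a scratch output path, inspect the result, and only then copy it over with sudo; the ordering check is worth running after every OS update, since a reset file will also drop any line you added.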

2 thoughts on “Add TouchID authentication to sudo”

  1. The script worked like a charm. Much better than editing the file after every OS update. Thanks for sharing!
