Tech tip: Authenticating sudo with Touch ID on Mac OS

By Michael O'Hara | Posted 10 mos ago

If you are anything like me, you're a bit lazy. And laziness breeds a desire to do things efficiently. (Or at least that is what I tell myself.) One of the things I love about Mac OS on modern Macs with the Touch Bar is being able to use Touch ID to authenticate many activities.

As a developer, I find myself working quite a bit in Terminal (or iTerm), and until recently I was mildly frustrated that authenticating terminal commands still required a typed password. I wondered if there was a better way.

Turns out there is.

With a couple of quick terminal commands and a little file editing, you too can use Touch ID to authenticate your Terminal commands!

Let's dive in.

First things first: open a terminal of your choice and navigate to /etc/pam.d/

Then, with sudo, edit the file named sudo in the editor of your choice. In my example I will edit with nano.

On line two (directly under the first comment) make a new line and insert the following: auth sufficient pam_tid.so, so that the file looks like the screenshot below.

Save the file and now you should have the ability to authenticate with Touch ID in terminal!

Another nice thing is that if, for whatever reason, Touch ID is unable to authenticate or the service is disabled, sudo should fall back to password authentication, so you won't be stuck. I have not validated situations like remote authentication over ssh, so I do not know how well that will work.
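The edit above is small, but it is easy to get wrong by hand (a typo in the PAM line, or the line added twice). The script below is an added example, not part of the original post: it inserts auth sufficient pam_tid.so on line two of a PAM file only if it is not already there, keeps a .bak copy so you can restore the file if sudo ever misbehaves, and reports which line enables Touch ID. The file path is passed as an argument so you can dry-run it on a scratch copy first; the sample_pam_file function writes a constructed copy of a default-looking /etc/pam.d/sudo for exactly that purpose.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently enable pam_tid.so
# in a sudo PAM configuration file and verify where it landed.
# Assumption: the PAM file path is given as $1, e.g.
#   sudo sh enable_touchid.sh /etc/pam.d/sudo
# The real file is root-owned, so the script itself must run under sudo.

PAM_LINE='auth       sufficient     pam_tid.so'

# Write a constructed sample that mirrors the layout of a default
# /etc/pam.d/sudo, so the script can be tried on a scratch file first.
sample_pam_file() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Print the line number on which pam_tid.so is enabled, or nothing if absent.
# -E (POSIX extended regex) works with both BSD grep on macOS and GNU grep.
tid_line_number() {
    grep -nE '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1" \
        | cut -d: -f1 | head -n 1
}

# Insert PAM_LINE as line two (under the header comment), exactly once.
enable_touchid_pam() {
    file=$1
    existing=$(tid_line_number "$file")
    if [ -n "$existing" ]; then
        echo "pam_tid.so already enabled on line $existing of $file"
        return 0
    fi

    # Keep a backup: if sudo stops accepting you, restore it from a root shell.
    cp "$file" "$file.bak"

    # sed -i differs between BSD and GNU sed, so assemble the new content in a
    # temp file and write it back with cat, which keeps the original file's
    # owner and mode (important for a file in /etc/pam.d).
    tmp=$(mktemp)
    {
        sed -n '1p' "$file"          # header comment
        printf '%s\n' "$PAM_LINE"    # new line two
        sed -n '2,$p' "$file"        # everything that was below the header
    } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"

    echo "pam_tid.so enabled on line $(tid_line_number "$file") of $file"
}

# Only act when a path is supplied, so sourcing the file defines the functions
# without touching anything.
if [ -n "${1:-}" ]; then
    enable_touchid_pam "$1"
fi
```

Re-running the script is harmless because it checks for the line before editing. That matters in practice: macOS system updates have been known to replace /etc/pam.d/sudo with the stock version, so if Touch ID prompts stop appearing after an upgrade, running the script again (or checking with tid_line_number) is the first thing to try.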

Caveat

But wait! It's not working in iTerm2! Have no fear. I also daily drive iTerm2, I have run into this issue as well, and there is a fix. By default iTerm2 enables a feature that breaks non-default authentication methods on the command line. To fix it, open Preferences (⌘,), navigate to Advanced, search for "Allow sessions to survive logging out and back in" and turn that setting off. Restart iTerm2 and it should now work as expected.

Other Reading

If you want to make it even more fun, and you have an Apple Watch, you can also enable Apple Watch authentication of terminal commands with this handy PAM module: https://github.com/biscuitehh/pam-watchid Check it out!

That's all for now. If you have any questions, or have tried this out yourself leave a comment and let me know how it went.
