sudo: Authenticate with Touch ID, including Apple Watch

Having to enter a password every time sudo asks for one gets old very quickly when you have a long password. Moreover, it's relatively insecure: apart from the risk of keyloggers, I'm always paranoid that, however fast I type, some mischievous teammates could be filming my hands, fingers and keyboard! Using an external physical device, a YubiKey for example, is much safer. However, if you have a MacBook with Touch ID or an Apple Watch, they can be used to authenticate your sudo commands instead 😎

Making an addition to the /etc/pam.d/sudo file is all that’s required.

Step 1

We need to temporarily make the file writable, so:

sudo chmod 644 /etc/pam.d/sudo

Step 2

Using a suitable editor (e.g. sudo vi /etc/pam.d/sudo), add the line auth sufficient pam_tid.so to the top of the file so that the contents look something like…

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Step 3

Important: Remember to restore the file's original read-only permissions afterwards, e.g.:

sudo chmod 444 /etc/pam.d/sudo

That’s it

Now, when you attempt a sudo command, you’ll be prompted with a Touch ID authentication in lieu of entering your administrator password. Either respond by placing an appropriate finger on the Touch ID reader, or ‘OK’ the notification on your Apple Watch (if that’s enabled in Preferences > Security & Privacy). Yay 🎉

[UPDATE] Automating the above

Each time the OS gets updated, the modifications described above appear to get 'reset' to the default state (i.e. "no more sudo Touch ID for you!"). So, rather than repeat these changes by hand every time, I've wrapped them up into a script.

#!/bin/sh
set -eu
file=/etc/pam.d/sudo
if grep -q "pam_tid" "$file"; then
  echo "🎉 Touch ID is already enabled for command-line auth"
else
  echo "🤓 Enabling Touch ID for command-line auth"
  tid_auth="auth       sufficient     pam_tid.so"
  identifier="# sudo: auth account password session"
  # Only modify the file if the expected header line is present to anchor the insert.
  grep -q "^$identifier" "$file" || { echo "❌ Header not found in $file; leaving it unchanged" >&2; exit 1; }
  sudo chmod 644 "$file"
  # Insert the pam_tid.so line directly after the header. 'a\' followed by a literal
  # newline works in both BSD (macOS) and GNU sed, unlike '\n' in an s/// replacement.
  sudo sed -i '' "/^$identifier/a\\
$tid_auth" "$file"
  # Restore the read-only permissions (Step 3) and confirm the line went in.
  sudo chmod 444 "$file"
  grep -q "pam_tid" "$file" || { echo "❌ Failed to add the pam_tid.so line" >&2; exit 1; }
  echo "✅ Touch ID enabled for command-line auth"
fi

Create a file with that content, named something like tid (for example).

Then:

  • make it executable

    chmod +x tid

  • run it

    ./tid

  • [OPTIONAL] put it somewhere in your $PATH for future use - choose a location that's good for you. I noticed a location under my home directory in my $PATH that looked appropriate.

    # echo $PATH
    mv tid ~/.local/bin

    Then it can be run at any time in future by simply issuing the command:

    tid
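Since an OS update can quietly undo the change, it is handy to have a check that verifies all three things the steps above rely on: the pam_tid.so line is present, it sits above the required pam_opendirectory.so line (PAM evaluates the auth stack top-down, so a sufficient line placed below the password module would only be consulted after the password prompt), and the file is back to read-only. The following POSIX sh audit is an added example, not code from the original post; the function name check_tid_sudo, the helper write_sample and the sample file contents are my own, and the samples are constructed rather than dumps of a real system.

```shell
#!/bin/sh
# check_tid_sudo FILE returns 0 only when
#   1. an "auth sufficient pam_tid.so" line is present,
#   2. it comes before the required pam_opendirectory.so line, and
#   3. the file mode is -r--r--r--, as restored in Step 3.
# With no argument it audits the live /etc/pam.d/sudo.
check_tid_sudo() {
  file=${1:-/etc/pam.d/sudo}
  status=0
  [ -r "$file" ] || { echo "cannot read $file"; return 2; }
  tid_line=$(grep -n '^auth[[:space:]]*sufficient[[:space:]]*pam_tid\.so' "$file" | cut -d: -f1 | head -n1)
  od_line=$(grep -n '^auth[[:space:]]*required[[:space:]]*pam_opendirectory\.so' "$file" | cut -d: -f1 | head -n1)
  if [ -z "$tid_line" ]; then
    echo "pam_tid.so is not enabled in $file"; status=1
  elif [ -n "$od_line" ] && [ "$tid_line" -gt "$od_line" ]; then
    echo "pam_tid.so is below pam_opendirectory.so (line $od_line); the password prompt comes first"; status=1
  else
    echo "pam_tid.so enabled at line $tid_line"
  fi
  mode=$(ls -ld "$file" | cut -c1-10)
  if [ "$mode" != "-r--r--r--" ]; then
    echo "mode is $mode, expected -r--r--r-- (re-run Step 3)"; status=1
  fi
  return $status
}

# Constructed sample contents (not dumps of a real system). The second one has
# the Touch ID line pasted at the bottom of the auth stack instead of the top.
SAMPLE_OK='# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so'
SAMPLE_MISORDERED='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       sufficient     pam_tid.so
account    required       pam_permit.so'

# Write sample text to a temp file with the given mode and print its path.
write_sample() {
  f=$(mktemp) && printf '%s\n' "$1" >"$f" && chmod "$2" "$f" && echo "$f"
}

# Demo: audit both samples, each with the correct read-only mode.
check_tid_sudo "$(write_sample "$SAMPLE_OK" 444)"
check_tid_sudo "$(write_sample "$SAMPLE_MISORDERED" 444)" || true
```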