Use Touch ID for sudo on Mac

By  on  

The landscape of security is changing quite a bit. We've gone from basic username and password to 2FA, facial recognition, fingerprint recognition, and so on. Hell, my Mac unlocks simply when I have my Apple Watch near by. In the end, I probably use the Mac fingerprint key the most.

One functionality that still requires manually typing a password is using sudo from command line. Did you know, however, that you can instead require the fingerprint key instead of typing out your password?

# Open the sudo utility
sudo vi /etc/pam.d/sudo

# Add the following as the first line
auth sufficient pam_tid.so

Whether or not you'd prefer to type it out or simply use the fingerprint is obviously personal preference. Since you expect to be be typing in a command line, moving your finger to touch the key is probably not very efficient. If you do want to use fingerprint, however, here you go!

Recent Features

  • By
    Camera and Video Control with HTML5

    Client-side APIs on mobile and desktop devices are quickly providing the same APIs.  Of course our mobile devices got access to some of these APIs first, but those APIs are slowly making their way to the desktop.  One of those APIs is the getUserMedia API...

  • By
    Designing for Simplicity

    Before we get started, it's worth me spending a brief moment introducing myself to you. My name is Mark (or @integralist if Twitter happens to be your communication tool of choice) and I currently work for BBC News in London England as a principal engineer/tech...

Incredible Demos

  • By
    CSS Transforms

    CSS has become more and more powerful over the past few years and CSS transforms are a prime example. CSS transforms allow for sophisticated, powerful transformations of HTML elements.  One or more transformations can be applied to a given element and transforms can even be animated...

  • By
    Multiple Backgrounds with CSS

    Anyone that's been in the web development industry for 5+ years knows that there are certain features that we should have had several years ago. One of those features is the HTML5 placeholder; we used JavaScript shims for a decade before placeholder came...

Discussion

  1. Luka

    First you need to make the file writable (it is not by default). And you need to do this after every macOS update, because macOS updates reset the file content.

  2. Yohann Paris

    Nice trick. Unfortunately, on Big Sur, at least, it pops up the touch id alert to use it only when the session is terminated, so it’s not useful.

  3. Mehdi Abbassi

    But it is read-only!

  4. Robert Coggeshall

    As the co-author of sudo, I am amused :)

  5. No need to make it writable when editing it with vi, you just add a ! to the save and exit command (:wq!) and it will save it corectly – it will even preserve the read only state of the file.

    Works nicely on Big Sur for me, it pops up the touch id alert, I touch and sudo all the things =)

  6. Is there a way to make sudo work with the Apple Watch as well?

  7. You can also:
    *browse to the folder using finder,
    *edit the file with vscode, or any other code editor
    *save it to desktop
    *delete original file
    *and place the edited

  8. same with nano you don’t need to make it writable.

    sudo nano /etc/pam.d/sudo
    
  9. Thomas B

    You may want to update this for Sonoma – or simple add a pointer to https://0xmachos.com/2023-10-01-Touch-ID-sudo/

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!