Can Touch ID on Mac authenticate sudo in Terminal?

Question

Can Touch ID on Mac authenticate sudo in Terminal?

Answer 1

To allow TouchID on your Mac to authenticate you for sudo access instead of a password you need to do the following.

• Open Terminal

• Switch to the root user with sudo su -

• Edit the /etc/pam.d/sudo file with a command-line editor such as vim or nano

• The contents of this file should look like one of the following examples:

  • # sudo: auth account password session
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so
    

  • # sudo: auth account password session
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so
    

• You need to add an additional auth line to the top so it now looks like this:

  # sudo: auth account password session
  auth       sufficient     pam_tid.so
  auth       sufficient     pam_smartcard.so
  auth       required       pam_opendirectory.so
  account    required       pam_permit.so
  password   required       pam_deny.so
  session    required       pam_permit.so
  

• Save the file. (Note: this file is normally read-only so saving your changes may require you to force the save, e.g. vim will require you to use wq! when saving)

• Also note that pam_smartcard.so may not be present on older MacOS versions.

• Exit from the root user or start a new terminal session.

• Try to use sudo, and you should be prompted to authenticate with TouchID as shown below.

  

• If you click 'Cancel,' you can just enter your password at the terminal prompt. If you click 'Use Password' you can enter your password in the dialog box.

• If you SSH into your machine it will fall back to just use your password, since you can't send your TouchID fingerprints over SSH.

Note: See answer by user Pierz below if you're using iTerm, as there's a setting you need to explicitly change to enable this feature.

Note: Recent MacOS updates may remove the entry. If TouchID stops working for sudo then check if the entry was removed and add it back in, following these instructions again.

Answer 2

If you're using iTerm2 (v3.2.8+) you may have seen Touch ID failing to work with sudo in the terminal despite having made the pam_tid.so modification as above, and it working in previous versions. This is down to an advanced feature that seems to be now enabled by default - this needs to be turned off here: iTerm2->Preferences > Advanced > (Goto the Session heading) > Allow sessions to survive logging out and back in.

Alternatively you can use this pam_reattach module to retain the session feature and TouchID sudo at the same time.

Answer 3

1. TouchID does support elevating privileges, but as of now, it only seems to be supported in Apple's own apps. My guess is that 3rd party apps will have to be updated to support it, unfortunately. I still end up typing in my password a lot.

2. See @conorgriffin's answer for instructions to enable TouchID for sudo.

Answer 4

I have created a simple script that enables sudo to use the TouchID PAM module exactly as conorgriffin explains. It does it in a single script that you can copy-paste to a terminal in it's entirety or use the "curl pipe bash" shortcut:

curl -sL https://gist.githubusercontent.com/RichardBronosky/31660eb4b0f0ba5e673b9bc3c9148a70/raw/touchid_sudo.sh | bash

The complete script:

#!/usr/bin/env bash 

# curl -sL https://gist.githubusercontent.com/RichardBronosky/31660eb4b0f0ba5e673b9bc3c9148a70/raw/touchid_sudo.sh | bash
# This script is ready to copy-paste in whole, or just the line above (without the leading #)

# Use TouchID for sudo on modern MacBook Pro machines
# This script adds a single line to the top of the PAM configuration for sudo
# See: https://apple.stackexchange.com/q/259093/41827 for more info.

touchid_sudo(){
  sudo bash -eu <<'EOF'
  file=/etc/pam.d/sudo
  # A backup file will be created with the pattern /etc/pam.d/.sudo.1
  # (where 1 is the number of backups, so that rerunning this doesn't make you lose your original)
  file_dir="$(dirname "$file")"
  file_name="$(basename "$file")"
  mapfile -t backup_list < <( ls -A "$file_dir"/{,.}"$file_name"* 2>/dev/null )
  backup_count="${#backup_list[@]}"
  backup_ext="$backup_count"
  backup="$file_dir/.$file_name.$backup_ext"
  cp "$file" "$backup" 2>/dev/null || touch "$file" "$backup"

  awk -v is_done='pam_tid' -v rule='auth       sufficient     pam_tid.so' '
  {
    # $1 is the first field
    # !~ means "does not match pattern"
    if($1 !~ /^#.*/){
      line_number_not_counting_comments++
    }
    # $0 is the whole line
    if(line_number_not_counting_comments==1 && $0 !~ is_done){
      print rule
    }
    print
  }' > $file < $backup
EOF
}

touchid_sudo

This script demonstrates a few cool patterns that I love to teach people who are new to bash or DevOps.

1. Create a backup file that is numbered rather than simply .bak on the end. (It looks gnarly, but that pattern works with whatever is in $file and is reusable.
2. To make it safe to do curl ... | bash, wrap everything in a function and call it on the last line. That way if the download is interrupted, nothing is (partially) done.
3. Put a call to sudo bash -eu in your script so that you don't have tell the user to do it. (-eu are short for errexit and nounset and you should be using them!)
4. Single quoting bash heredoc 'EOF' to prevent premature shell expansion.
5. Making inline awk more readable.

Answer 5

You can use fingerprint for getting sudo access in the terminal or iTerm, just add auth sufficient pam_tid.so to the first line to your /etc/pam.d/sudo file.

Answer 6

To wrap up Andy and Glenjamin's solution into one play:

---
- hosts: localhost
  tasks:
  - name: install pam_reattach pam module
    homebrew:
      name: pam-reattach
      state: present
    register: reattach_result

  - name: detect touch id support
    shell: pgrep ControlStrip
    ignore_errors: true
    register: touch_id_result

  - name: enable touch id for sudo commands
    lineinfile:
      path: /etc/pam.d/sudo
      line: 'auth       sufficient     pam_tid.so'
      insertbefore: '^auth       sufficient     pam_smartcard.so$'
    become: yes
    when: touch_id_result.rc == 0 and touch_id_result.stdout != ''

  - name: enable persistent touch id for tmux and iterm
    lineinfile:
      path: /etc/pam.d/sudo
      line: 'auth       optional       pam_reattach.so'
      insertbefore: '^auth       sufficient     pam_tid.so$'
    become: yes
    when: reattach_result == 0

This can be run with just ansible-playbook sudo-touchid.yml, where sudo-touchid.yml is what I named this play.

The first step installs Fabian's pam_reattach, which allows sudo to work in iTerm, tmux, etc.

The second checks to see if this Mac has a touchbar; otherwise we're going to bail out.

Third, we're seeing if we already added pam_tid.so to /etc/pam.d/sudo, and only if there is a touchbar.

Finally, we also add pam_reattach.so as an optional auth method. According to the author, he might have have some unknown bug, and if we used required it could result in a lockout.

Answer 7

I created the following ansible tasks to enable touch id for sudo commands if your computer supports it:

- name: detect touch id support
  shell: pgrep ControlStrip
  ignore_errors: true
  register: touch_id_result

- name: enable touch id for sudo commands
  lineinfile:
    path: /etc/pam.d/sudo
    line: 'auth       sufficient     pam_tid.so'
    insertbefore: '^auth       sufficient     pam_smartcard.so$'
  become: yes
  when: touch_id_result.rc == 0 and touch_id_result.stdout != ''

Answer 8

My 1 string answer:

sudo su root -c 'chmod +w /etc/pam.d/sudo && echo "auth       sufficient     pam_tid.so\n$(cat /etc/pam.d/sudo)" > /etc/pam.d/sudo && chmod -w /etc/pam.d/sudo'

What does a command do?

1. First, I indicate that I want to do everything from root (using sudo, the trick will not work (more precisely, it will, but more difficult to implement)
2. Then I give write permissions to /etc/pam.d/sudo
3. Then I add the line auth sufficient pam_tid.so to the beginning of the file. See that post
4. Then I take away the granted write permissions /etc/pam.d/sudo , taking into account Matin ZD remarks

P.S. While experimenting broke sudo and su in the terminal, it is repaired like this https://support.apple.com/en-us/HT204012 enable root

su - root
vim /etc/pam.d/sudo

Revert the file to its original state

Answer 9

This one-liner will insert the auth line described here as the second line of the sudo config file (so that it appears first after the comment line).

sudo sed -i -- '2s/^/auth sufficient pam_tid.so\n/' /etc/pam.d/sudo

Answer 10

Here's a Gist to make it as simple as possible.

https://gist.github.com/fraune/0831edc01fa89f46ce43b8bbc3761ac7

Answer 11

One thing to mention is that you should first change the file permission then try to make changes:

sudo su -
chmod u+w /etc/pam.d/sudo

Adding this line at first line:

# sudo: auth account password session
auth       sufficient     pam_tid.so # << Add this here ;)
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Then revert it back file permissions when you are done with:

chmod u-w /etc/pam.d/sudo