Using TouchID for sudo in the terminal on the Mac

You’ve got this shiny toy in your Mac that lets you use your fingerprint for authentication, and for some reason when you need to elevate your privileges, it doesn’t use that sensor. Epic Fail!

Fortunately, the facility is there. Apple just chose not to enable it for some reason only they know. Since macOS uses PAM, it is very easy to enable the TouchID sensor for sudo (or any other facility that uses PAM for its authentication).

The files you need to look at are in /etc/pam.d.

I recommend that before you do any of this you open a terminal window, run sudo -s to get a root shell, and keep that window to the side. That way, if you mess up the sudo file and lock yourself out of sudo, you can still restore the backup you are about to make from that root shell.

Edit the file /etc/pam.d/sudo (you need to use sudo, as only root can edit this file) and add the line

auth       sufficient     pam_tid.so

after the pam_smartcard.so line. Order matters in this file: the modules are tried top to bottom, and sufficient means that a success ends authentication right there while a failure just falls through to the next line. Placed here, a smartcard still works without a fingerprint, a fingerprint works without a password, and a failed or cancelled TouchID prompt falls back to the normal password prompt. If you instead want both the password AND your fingerprint to be required, put the line after the pam_opendirectory.so line and mark it required rather than sufficient. PAM is very flexible in this way, but for most people fingerprint first with password fallback is what they want, and this one line is all it takes.

The following command patches the PAM configuration for sudo to enable TouchID. It assumes the stock file, in which line 2 is the pam_smartcard.so line, so the new line lands right after it (all one line):

echo -ne "2a3\n> auth       sufficient     pam_tid.so\n" | sudo patch -b /etc/pam.d/sudo

This will create a backup file called sudo.orig which you can remove once you are sure the patch applied correctly. To check, run sudo -k to drop your cached credentials and then any sudo command in a new window: you should get a TouchID prompt, and pressing Escape or failing the fingerprint should fall back to the password prompt.

Note: Every time Apple updates the OS, you will need to run this command again, as they restore the file back to their default. On macOS Sonoma and later, /etc/pam.d/sudo starts with an "auth include sudo_local" line, and a /etc/pam.d/sudo_local file you create (there is a sudo_local.template next to it) survives updates, so putting the pam_tid.so line there means you only have to do this once.
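Here is an added example, not the original post's script, that does the same edit in portable POSIX sh using awk instead of sed -i '', so it behaves identically on BSD and GNU userland and can be exercised on a copy of the file before you touch the real one. It works on a constructed copy of the stock macOS /etc/pam.d/sudo, inserts pam_tid.so exactly once, keeps a .orig backup like patch -b, and supports two modes that I named myself: fallback (sufficient, after pam_smartcard.so: fingerprint OR password) and both (required, after pam_opendirectory.so: fingerprint AND password). A small check function confirms which prompt comes first.

```shell
#!/bin/sh
# Added example, not the post's own script. Edits a PAM sudo file with awk so it
# runs the same on macOS (BSD) and Linux (GNU). Test it on a copy first.

# Constructed sample matching the stock macOS /etc/pam.d/sudo (used for testing).
SAMPLE_PAM_SUDO='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so'

# write_sample FILE: write the constructed stock file to FILE.
write_sample() {
    printf '%s\n' "$SAMPLE_PAM_SUDO" > "$1"
}

# enable_tid FILE [MODE]: insert pam_tid.so once. MODE (my own naming) is
#   fallback : sufficient, right after pam_smartcard.so   (fingerprint OR password)
#   both     : required,  right after pam_opendirectory.so (fingerprint AND password)
# Returns non-zero if MODE is unknown or the anchor line is missing from FILE.
enable_tid() {
    file=$1; mode=${2:-fallback}
    if grep -q 'pam_tid\.so' "$file"; then
        return 0                                  # idempotent: already enabled
    fi
    case $mode in
        fallback) anchor='pam_smartcard.so';     line='auth       sufficient     pam_tid.so' ;;
        both)     anchor='pam_opendirectory.so'; line='auth       required       pam_tid.so' ;;
        *)        return 2 ;;
    esac
    cp "$file" "$file.orig"                       # keep a backup, like patch -b
    # Copy every line; after the first line containing the anchor, emit the new one.
    awk -v anchor="$anchor" -v line="$line" '
        { print }
        index($0, anchor) && !done { print line; done = 1 }
    ' "$file.orig" > "$file"
    grep -q 'pam_tid\.so' "$file"                 # fails if the anchor was absent
}

# tid_precedes_password FILE: succeeds if pam_tid.so is listed before
# pam_opendirectory.so, i.e. the TouchID prompt comes before the password prompt.
tid_precedes_password() {
    tid=$(grep -n 'pam_tid\.so' "$1" | cut -d: -f1)
    pw=$(grep -n 'pam_opendirectory\.so' "$1" | cut -d: -f1)
    [ -n "$tid" ] && [ -n "$pw" ] && [ "$tid" -lt "$pw" ]
}

# Usage: sh enable_tid.sh /etc/pam.d/sudo [fallback|both]   (run as root)
if [ $# -ge 1 ]; then
    enable_tid "$1" "${2:-fallback}" && echo "pam_tid.so inserted into $1"
fi
```

Note that in "both" mode the sufficient pam_smartcard.so line still sits above both modules, so a successful smartcard login short-circuits the stack before pam_tid.so is consulted; that is the PAM semantics of sufficient, not a bug in the edit.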

Here is a script that adds the PAM line if it is not already there and leaves the file alone if it is, so it is safe to re-run after every OS update:

#!/bin/bash
# Enable TouchID for sudo if it is not already enabled, and leave the
# file alone if it is. Must run as root.

PAM_SUDO=/etc/pam.d/sudo

if [ "$(id -u)" -ne 0 ]; then
    echo "You must be root (sudo) to run this." >&2
    exit 1
fi

if grep -q 'pam_tid.so' "$PAM_SUDO"; then
    echo "TouchID already enabled"
    exit 0
fi

echo "Enabling TouchID for sudo"
# Keep a backup, as patch -b does, so you can restore it from your root shell.
cp "$PAM_SUDO" "$PAM_SUDO.orig"

# Insert after the pam_smartcard.so line (order matters in PAM files); on a
# file without that line, put it first. macOS sed needs the '' after -i.
if grep -q 'pam_smartcard.so' "$PAM_SUDO"; then
    sed -i '' '/pam_smartcard.so/a\
auth       sufficient     pam_tid.so
' "$PAM_SUDO"
else
    sed -i '' '1a\
auth       sufficient     pam_tid.so
' "$PAM_SUDO"
fi
