Your TouchID-equipped Mac can easily be configured to use your fingerprint to approve sudo commands.

Use your favorite text editor and open the file /etc/pam.d/sudo and add the following line

auth sufficient pam_tid.so

below the pam_smartcard.so line as shown below and then save (Ctrl+O for pico) the file.

$ sudo pico /etc/pam.d/sudo
UW PICO 5.09 File: /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth sufficient pam_tid.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
^G Get Help ^O WriteOut ^R Read File ^Y Prev Pg ^K Cut Text ^C Cur Pos
^X Exit ^J Justify ^W Where is ^V Next Pg ^U UnCut Text^T To Spell
File Name to write : /etc/pam.d/sudo
^G Get Help ^T To Files
^C Cancel TAB Complete
[ Wrote 7 lines ]
That’s it. Now when you open a new Terminal window you can use TouchID to approve sudo commands. If you also have your Apple Watch set to unlock your Mac, you will also be able to approve sudo commands by double-clicking the side button on the watch.
Keep in mind that this file is somewhat protected by macOS so after each OS update you will need to add the line to the file. Other than that, it works perfectly!
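
The edit above has to be repeated after each OS update, so here is an added shell example (not part of the original post) that applies it idempotently: it inserts the pam_tid.so line directly below the pam_smartcard.so line only when it is missing, and refuses to touch the file if that anchor line is absent. The function name ensure_pam_tid and the .bak backup suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: ensure_pam_tid is a hypothetical helper, not a macOS tool.
# Usage (as root for the real file): ensure_pam_tid /etc/pam.d/sudo
# Prints "present" or "added" and returns 0; returns 2 and leaves the
# file unchanged on any error.

TID_LINE='auth       sufficient     pam_tid.so'
TID_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

ensure_pam_tid() {
    file=$1
    [ -n "$file" ] && [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # An active (uncommented) pam_tid.so auth line means nothing to do.
    if grep -Eq "$TID_RE" "$file"; then
        echo present
        return 0
    fi

    # The article puts the line below pam_smartcard.so; do not guess a
    # position if that line is not there.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_smartcard\.so' "$file"; then
        echo "no pam_smartcard.so line in $file; not modifying" >&2
        return 2
    fi

    tmp=$(mktemp) || return 2
    awk -v line="$TID_LINE" '
        { print }
        !added && /^[ \t]*auth[ \t].*pam_smartcard\.so/ { print line; added = 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Verify the candidate before it replaces a file sudo depends on.
    if [ "$(grep -Ec "$TID_RE" "$tmp")" -ne 1 ]; then
        rm -f "$tmp"
        return 2
    fi

    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 2; }
    # Overwrite in place so the original owner and mode are kept.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    echo added
}
```

Keep a root shell open in another Terminal window while testing the real file, so a bad edit can be reverted from the .bak copy.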
Slick! Thank you!
For some reason this doesn’t work when using a Mac in clamshell mode.
Just a note that the config will be gone after an OS update. But nothing that a cronjob check after each restart of the computer cannot solve to make life easier!
Hello.
Nice tutorial. However, I tried this on my Mac Studio. No TouchID enabled keyboard but I can and do enter into it with my Apple Watch and the above technique didn’t work.
Thank you.
If you’re a tmux/screen user and have found that this doesn’t work, the solution is here: https://github.com/fabianishere/pam_reattach
I have no relation to the developer and make no claims about the security of this code, but it has been working flawlessly on my machine for a while now.