Siddhant Khare

Enable Touch ID Authentication for sudo on macOS Sonoma 14.x

Operating Environment:

  • OS: macOS Sonoma 14.5
  • Device: M1 MacBook Pro

Explanation

macOS Sonoma introduces a new way to enable Touch ID for sudo that survives system updates. Previously you had to edit /etc/pam.d/sudo directly, and macOS updates would often overwrite that file, so the change had to be reapplied. In Sonoma the setting goes into a separate file, /etc/pam.d/sudo_local, which updates do not overwrite, so Touch ID stays enabled for sudo consistently.

Steps to Enable Touch ID for sudo

1. Create and Edit the Configuration File

Create a new configuration file based on the template provided in macOS Sonoma.

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local

Edit the newly created file with your preferred text editor:

sudo vim /etc/pam.d/sudo_local

In the file, locate the following line and uncomment it by removing the leading #:

- #auth       sufficient     pam_tid.so
+ auth       sufficient     pam_tid.so

Alternative Method Using sed and tee

You can achieve the same result with a single command using sed and tee:

sed -e 's/^#auth/auth/' /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local

2. Confirm the Operation

Open a new terminal session and run a sudo command to test the setup:

sudo ls

You should be prompted to authenticate using Touch ID. If the command executes after Touch ID authentication, the setup is complete.

Background

Previously, enabling Touch ID for sudo required modifying /etc/pam.d/sudo, but these changes did not persist through macOS updates. By leveraging the new /etc/pam.d/sudo_local configuration in macOS Sonoma, we can ensure that Touch ID settings for sudo remain intact even after system updates.

The /etc/pam.d/sudo file now includes the following:

# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

This configuration ensures that the settings in /etc/pam.d/sudo_local are loaded and used, maintaining Touch ID functionality for sudo commands.

Please note that for macOS versions earlier than Sonoma, manual editing of /etc/pam.d/sudo is still required to enable Touch ID for sudo commands.
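A script version of the steps above, added here as an example and not part of the original post: it creates sudo_local from the template if it is missing, uncomments only the pam_tid.so rule (leaving other comments and any existing local rules alone), refuses to proceed when the template is absent (macOS before Sonoma) or when /etc/pam.d/sudo lacks the sudo_local include line, and is safe to run more than once. The PAM_DIR variable, the script name enable-touchid.sh and the function names are assumptions of this example; run it as root against the real directory with `sudo sh enable-touchid.sh`.

```shell
#!/bin/sh
# Added example (not from the original post): enable pam_tid.so in
# sudo_local idempotently and verify the result. PAM_DIR is a parameter
# (default /etc/pam.d) so the same logic can be exercised on a scratch copy.
# Run it with root privileges for the real directory: sudo sh enable-touchid.sh

PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Succeed if FILE has an active (uncommented) "auth sufficient pam_tid.so" line.
tid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1" 2>/dev/null
}

# Succeed if DIR/sudo pulls in sudo_local (the include line Sonoma ships with).
sudo_includes_local() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local' "$1/sudo" 2>/dev/null
}

# Create DIR/sudo_local from the template if it is missing, then uncomment
# only the pam_tid.so rule. Returns 0 on success, 2 if there is no template
# (macOS before Sonoma), 3 if DIR/sudo does not include sudo_local, and
# non-zero if the rule is still inactive afterwards.
enable_touchid_sudo() {
    dir="${1:-$PAM_DIR}"
    tmpl="$dir/sudo_local.template"
    local_file="$dir/sudo_local"

    if [ ! -f "$tmpl" ]; then
        echo "missing $tmpl: sudo_local is only available on macOS Sonoma 14 and later" >&2
        return 2
    fi
    if ! sudo_includes_local "$dir"; then
        echo "$dir/sudo does not include sudo_local; nothing written there would take effect" >&2
        return 3
    fi
    if tid_enabled "$local_file"; then
        echo "Touch ID already enabled in $local_file"
        return 0
    fi
    # Start from an existing sudo_local so other local rules survive; otherwise use the template.
    if [ -f "$local_file" ]; then src="$local_file"; else src="$tmpl"; fi
    # Uncomment only the pam_tid.so rule; every other commented line stays as it is.
    sed -e 's/^#[[:space:]]*\(auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so\)/\1/' "$src" > "$local_file.tmp" \
        && mv "$local_file.tmp" "$local_file" \
        && chmod 644 "$local_file"
    # Report whether the rule is now active (this is the function's exit status).
    tid_enabled "$local_file"
}

# Apply to PAM_DIR only when executed as the script itself (assumed name),
# so the functions can also be sourced without side effects.
case "$0" in
    *enable-touchid.sh) enable_touchid_sudo "$PAM_DIR" ;;
esac
```

Unlike `s/^#auth/auth/`, the sed expression here matches the whole pam_tid.so rule, so any other commented-out auth line in the file is left untouched. After running it, open a new terminal and run `sudo ls` as in step 2 to confirm the Touch ID prompt appears.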