DEV Community

Cover image for Enable Touch ID Authentication for sudo on macOS Sonoma 14.x
Siddhant Khare
Siddhant Khare

Posted on

Enable Touch ID Authentication for sudo on macOS Sonoma 14.x

#macos #touchid #security #productivity

Operating Environment:

  • OS: MacOS Sonoma 14.5
  • Device: M1 MacBook Pro

Explanation

In macOS Sonoma, a new method has been introduced to enable Touch ID when running sudo commands, making it more persistent across system updates. Previously, editing the /etc/pam.d/sudo file was necessary, but these changes would often revert after an update, requiring reconfiguration. With Sonoma, the settings can be added to a separate file /etc/pam.d/sudo_local, which isn't overwritten during updates, allowing Touch ID to remain enabled for sudo commands consistently.

Steps to Enable Touch ID for sudo

1. Create and Edit the Configuration File

Create a new configuration file based on the template provided in macOS Sonoma.



sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
Enter fullscreen mode Exit fullscreen mode

Edit the newly created file with your preferred text editor:



sudo vim /etc/pam.d/sudo_local
Enter fullscreen mode Exit fullscreen mode

In the file, locate the following line, Uncomment it by removing the #:



- #auth       sufficient     pam_tid.so
+ auth       sufficient     pam_tid.so
Enter fullscreen mode Exit fullscreen mode

Alternative Method Using sed and tee

You can achieve the same result with a single command using sed and tee:



sed -e 's/^#auth/auth/' /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local
Enter fullscreen mode Exit fullscreen mode

2. Confirm the Operation

Open a new terminal session and run a sudo command to test the setup:



sudo ls
Enter fullscreen mode Exit fullscreen mode

You should be prompted to authenticate using Touch ID. If the command executes after Touch ID authentication, the setup is complete.

Screenshot 2024-06-22 at 4 48 00 PM

Background

Previously, enabling Touch ID for sudo required modifying /etc/pam.d/sudo, but these changes did not persist through macOS updates. By leveraging the new /etc/pam.d/sudo_local configuration in macOS Sonoma, we can ensure that Touch ID settings for sudo remain intact even after system updates.

The /etc/pam.d/sudo file now includes the following:



# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
Enter fullscreen mode Exit fullscreen mode

This configuration ensures that the settings in /etc/pam.d/sudo_local are loaded and used, maintaining Touch ID functionality for sudo commands.

Please note that for macOS versions earlier than Sonoma, manual editing of /etc/pam.d/sudo is still required to enable Touch ID for sudo commands.

Top comments (0)

Read next

alexroor4 profile image

The Architecture Behind Crypto Exchange Mining Pools

Alex Roor -

hadil profile image

🧹 The Art of Writing Clean Code: Why It Matters and How to Do It

Hadil Ben Abdallah -

lasserafn profile image

The Hidden Costs of Poor Code Quality: Why Testing Matters

Lasse Foo-Rafn -

petrussola profile image

Steps to fix package security vulnerabilities in your JS project

Pere Sola -