DEV Community

Ruslan Kh.

Configure Touch ID for sudo access in Terminal.app without prompting for a password to authenticate.

The Macs listed below have a fingerprint scanner (Touch ID) to simplify login, but Terminal.app does not expose it: every time you run a command with elevated privileges through sudo, you have to type your password.

Compatibility list:

  • MacBook Air (13-inch, M3, 2024)
  • MacBook Air (15-inch, M3, 2024)
  • MacBook Air (15-inch, M2, 2023)
  • MacBook Air (13-inch, M2, 2022)
  • MacBook Air (M1, 2020)
  • MacBook Pro (13‑inch, M2, 2022)
  • MacBook Pro (13-inch, M1, 2020)
  • MacBook Pro (14‑inch, 2023)
  • MacBook Pro (14‑inch, 2021)
  • MacBook Pro (16‑inch, 2023)
  • MacBook Pro (16-inch, 2021)
  • iMac (24-inch, M3, 2023)
  • iMac (24-inch, M1, 2021)
  • Mac Studio (2023)
  • Mac Studio (2022)
  • Mac mini (2023)
  • Mac mini (M1, 2020)
  • Mac Pro (2023)

Magic Keyboard with Touch ID for Mac models with Apple silicon

The Magic Keyboard's Touch ID functionality is compatible with the following Mac models:

  • MacBook Air (M1, 2020)
  • MacBook Pro (13", M1, 2020)
  • MacBook Pro (14", 2021)
  • MacBook Pro (16", 2021)
  • iMac (24", M1, 2021)
  • Mac mini (M1, 2020)

Please note that the keyboard will still pair and function with Macs older than those listed, but Touch ID will not be enabled on them.

Set up the PAM module to use Touch ID:

To let Touch ID on your Mac authenticate you for sudo instead of a password prompt, make the following changes.

Open Spotlight, type terminal into the search field and open Terminal.app.

Switch to the root user:

Switch to the root user by running sudo su - and entering your password:

```bash
sudo su -
```

Edit /etc/pam.d/sudo:

Open /etc/pam.d/sudo with your favorite editor, such as vim or nano:

```bash
nano /etc/pam.d/sudo
```

The contents of this file are a short PAM stack; the exact lines vary slightly between macOS versions.

Add the following line to the top of the file:

```
auth       sufficient     pam_tid.so
```

pam_tid.so is marked sufficient and sits above the required module that checks your password (pam_opendirectory.so on macOS), so a successful Touch ID check satisfies the auth stack by itself; if the fingerprint fails or you cancel, PAM falls through to the next module and you get the normal password prompt. Keep it above any required module: a sufficient module cannot override a required one that has already failed. The modified /etc/pam.d/sudo keeps all of its original lines, with the new line first.
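For reference, since the post's screenshots are not reproduced here, this is the stock /etc/pam.d/sudo of macOS Ventura 13 before and after the edit. It is an added illustration from the editor, not the post's own screenshot; compare it against your own file, which differs between macOS versions:

```text
# /etc/pam.d/sudo on macOS Ventura 13, stock (before)
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

# /etc/pam.d/sudo after adding the Touch ID line at the top (after)
auth       sufficient     pam_tid.so
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
```

The auth lines are evaluated top to bottom: Touch ID is tried first, then the smart card module, and only then the password check, which is what makes the password prompt disappear when the fingerprint succeeds.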

Save the file:

  • for nano, press the following key combinations one after the other (hold the keys joined with "+" down together):

```bash
CTRL+o
CTRL+x
```

  • for vim:

```bash
<ESC>
:wq
```

If macOS shows a dialog asking whether to allow the change to a system file, press OK.

Also note that pam_smartcard.so may not be present on older macOS versions. Tested with macOS Ventura (13.1).

Exit from the shell:

Exit from the root shell by typing exit.

Try to use sudo; you should be prompted to authenticate with Touch ID:

```bash
sudo echo "Check Touch ID"
```

If you click ‘Cancel,’ you can just enter your password at the terminal prompt. If you click ‘Use Password’ you can enter your password in the dialog box.

If you connect to your Mac over SSH, sudo falls back to asking for your password: there is no way to present a fingerprint over an SSH session, so pam_tid.so fails and the next module in the stack handles authentication.

Note: a macOS update may replace /etc/pam.d/sudo and drop the entry. If Touch ID stops working for sudo, check whether the line is still there and add it back by following these instructions again. On macOS Sonoma (14) and later, /etc/pam.d/sudo includes /etc/pam.d/sudo_local, which updates leave in place: copy /etc/pam.d/sudo_local.template to /etc/pam.d/sudo_local and uncomment the pam_tid.so line there instead of editing /etc/pam.d/sudo.
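As an added example (the editor's own script, not code from the original post), here is the procedure above, from inserting the pam_tid.so line to re-checking it after an update, in a form you can run repeatedly: it inserts the rule before the first auth line, keeps a timestamped backup, verifies that pam_tid.so is now the first auth module, and does nothing if the line is already present. The function names and the backup naming are my choices; the sample file used when no argument is given is a constructed copy of a stock Ventura 13 /etc/pam.d/sudo, not read from the machine. Run it as root against /etc/pam.d/sudo (or /etc/pam.d/sudo_local on macOS 14 and later), or with no argument to watch it work on a temporary copy:

```shell
#!/bin/sh
# Added example by the editor, not part of the original post.
# Idempotently enable Touch ID for a PAM service file: insert
# "auth sufficient pam_tid.so" ahead of the first auth rule, keep a
# backup, and verify. The path is a parameter so you can try it on a
# copy first; the real target is /etc/pam.d/sudo (run as root).

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# touchid_enabled FILE: exit status 0 if an active pam_tid.so auth rule
# is present. A commented-out copy (as in sudo_local.template) does not count.
touchid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# first_auth_is_touchid FILE: exit status 0 if the first auth rule is
# pam_tid.so, i.e. it runs before any "required" module that could veto it.
first_auth_is_touchid() {
    awk '$1 == "auth" { if ($2 == "sufficient" && $3 == "pam_tid.so") ok = 1; exit }
         END { exit (ok ? 0 : 1) }' "$1"
}

# enable_touchid FILE: insert the rule before the first auth line (or at the
# very top if the file has none). The result is written through "cat >"
# rather than mv so the file keeps its inode, owner and mode.
enable_touchid() {
    file="$1"
    if touchid_enabled "$file"; then
        echo "pam_tid.so already enabled in $file"
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$(mktemp)" || return 1
    if grep -Eq '^[[:space:]]*auth[[:space:]]' "$file"; then
        awk -v line="$PAM_TID_LINE" \
            '!done && $1 == "auth" { print line; done = 1 } { print }' "$file" > "$tmp"
    else
        { printf '%s\n' "$PAM_TID_LINE"; cat "$file"; } > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
    first_auth_is_touchid "$file"
}

if [ $# -ge 1 ]; then
    enable_touchid "$1"
else
    # No argument: demonstrate on a constructed copy of a stock Ventura 13
    # /etc/pam.d/sudo (sample data, not read from this machine).
    demo="$(mktemp)"
    printf '%s\n' \
        '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' \
        'password   required       pam_deny.so' \
        'session    required       pam_permit.so' > "$demo"
    enable_touchid "$demo" && cat "$demo"
    rm -f "$demo" "$demo".bak.*
fi
```

Because the file is rewritten in place rather than replaced with mv, it keeps root:wheel ownership and its permissions; the sudo.bak.* copy left beside it is harmless, since PAM only loads the file named after the service. Running the script again after an update is the "check and add it back" step: it either reports that the line is still there or re-inserts it.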

F.A.Q.

Does it work with Warp terminal?

  • Yes, no additional settings are required.

Does it work with iTerm2?

  • Yes, but an additional setting may be required.

If you use iTerm2 (v3.2.8+), you may notice that Touch ID does not work with sudo even though you made the pam_tid.so change above and it worked in earlier versions. The cause is an advanced feature that now appears to be enabled by default: with it on, iTerm2 runs your shells under a separate server process outside your GUI login session, where pam_tid.so cannot reach Touch ID. Disable it under iTerm2 > Preferences > Advanced > "Allow sessions to survive logouts and logins" by setting it to No.

Top comments (2)

Guy Khmelnitsky

Awesome! Thanks for that!

Argo Saakyan

That's neat!