Enable Touch ID Authentication for sudo on macOS Sonoma

Enable Touch ID Authentication for sudo on macOS Sonoma 14.x

Operating Environment:

  • OS: macOS Sonoma 14.5
  • Device: M1 MacBook Pro

Explanation

In macOS Sonoma, a new method has been introduced to enable Touch ID when running sudo commands, one that persists across system updates. Previously, editing the /etc/pam.d/sudo file was necessary, but those changes would often revert after an update, requiring reconfiguration. With Sonoma, the settings can be added to a separate file, /etc/pam.d/sudo_local, which isn't overwritten during updates, so Touch ID remains enabled for sudo commands consistently.

Steps to Enable Touch ID for sudo

1. Create and Edit the Configuration File

Create a new configuration file based on the template provided in macOS Sonoma.

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local

Edit the newly created file with your preferred text editor:

sudo vim /etc/pam.d/sudo_local

In the file, locate the following line and uncomment it by removing the leading #:

- #auth       sufficient     pam_tid.so
+ auth       sufficient     pam_tid.so

Alternative Method Using sed and tee

You can achieve the same result with a single command using sed and tee:

sed -e 's/^#auth/auth/' /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local

2. Confirm the Operation

Open a new terminal session and run a sudo command to test the setup:

sudo ls

You should be prompted to authenticate using Touch ID. If the command executes after Touch ID authentication, the setup is complete.


Background

Previously, enabling Touch ID for sudo required modifying /etc/pam.d/sudo, but these changes did not persist through macOS updates. By leveraging the new /etc/pam.d/sudo_local configuration in macOS Sonoma, we can ensure that Touch ID settings for sudo remain intact even after system updates.

The /etc/pam.d/sudo file now includes the following:

# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

The `auth include sudo_local` line pulls the rules from /etc/pam.d/sudo_local into the sudo auth stack, and because pam_tid.so is listed there as `sufficient`, a successful Touch ID match satisfies authentication before the smartcard and Open Directory modules are tried. This is what keeps Touch ID working for sudo commands across updates.

Please note that for macOS versions earlier than Sonoma, manual editing of /etc/pam.d/sudo is still required to enable Touch ID for sudo commands.
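Pulling the two steps above and the include chain from the Background section together, here is an added shell script (not part of the gist) that renders sudo_local from the template, verifies that pam_tid.so is active and that /etc/pam.d/sudo includes sudo_local, and refuses on a system without the template. The pam.d directory and the write command are assumed parameters so that the dry run works on constructed copies in a temp directory; the template text used there is a constructed stand-in, not the real file.

```shell
#!/bin/sh
# Added example (not from the gist): build sudo_local from the Sonoma template
# and verify the PAM chain. $1/$2 are assumed knobs for dry runs on copies.
set -e

# Emit the template with "#auth ..." uncommented (the gist's sed). Comment
# lines that start with "# " are not matched and stay as they are.
render_sudo_local() {   # $1 = template path
    sed -e 's/^#auth/auth/' "$1"
}

# 0 if the file carries an active "auth sufficient pam_tid.so" line.
pam_tid_enabled() {     # $1 = pam file
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# 0 if the sudo stack includes sudo_local, i.e. the new file is consulted.
sudo_includes_local() { # $1 = pam file for sudo
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local' "$1"
}

# Refuse where the template is absent (pre-Sonoma: edit /etc/pam.d/sudo instead),
# write sudo_local only if pam_tid is not already active, then confirm both links.
enable_touchid_sudo() { # $1 = pam.d dir (default /etc/pam.d), $2 = writer (default "sudo tee")
    dir="${1:-/etc/pam.d}"; writer="${2:-sudo tee}"
    tmpl="$dir/sudo_local.template"; target="$dir/sudo_local"
    [ -f "$tmpl" ] || { echo "no $tmpl: sudo_local unsupported here" >&2; return 1; }
    if ! { [ -f "$target" ] && pam_tid_enabled "$target"; }; then
        render_sudo_local "$tmpl" | $writer "$target" >/dev/null
    fi
    pam_tid_enabled "$target" && sudo_includes_local "$dir/sudo"
}

# Dry run on constructed stand-ins (not the real files) in a temp directory;
# the sudo stand-in mirrors the include line the gist shows in /etc/pam.d/sudo.
dry_run() {
    d=$(mktemp -d)
    printf '# sudo_local: constructed stand-in for the Sonoma template\n' > "$d/sudo_local.template"
    printf '#auth       sufficient     pam_tid.so\n' >> "$d/sudo_local.template"
    printf '# sudo: auth account password session\nauth       include        sudo_local\n' > "$d/sudo"
    enable_touchid_sudo "$d" tee
}

# Stand-alone: dry run only; call enable_touchid_sudo with no arguments for the real system.
dry_run && echo "dry run ok: pam_tid active and included from sudo"
```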
