- OS: macOS Sonoma 14.5
- Device: M1 MacBook Pro
In macOS Sonoma, a new method has been introduced to enable Touch ID when running `sudo` commands, making it more persistent across system updates. Previously, editing the `/etc/pam.d/sudo` file was necessary, but these changes would often revert after an update, requiring reconfiguration. With Sonoma, the settings can be added to a separate file, `/etc/pam.d/sudo_local`, which isn't overwritten during updates, allowing Touch ID to remain enabled for `sudo` commands consistently.
Create a new configuration file based on the template provided in macOS Sonoma:

```
sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
```

Edit the newly created file with your preferred text editor:

```
sudo vim /etc/pam.d/sudo_local
```

In the file, locate the following line and uncomment it by removing the `#`:
- #auth sufficient pam_tid.so
+ auth sufficient pam_tid.so
You can achieve the same result with a single command using `sed` and `tee`:

```
sed -e 's/^#auth/auth/' /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local
```

Open a new terminal session and run a `sudo` command to test the setup:

```
sudo ls
```

You should be prompted to authenticate using Touch ID. If the command executes after Touch ID authentication, the setup is complete.
Previously, enabling Touch ID for `sudo` required modifying `/etc/pam.d/sudo`, but these changes did not persist through macOS updates. By leveraging the new `/etc/pam.d/sudo_local` configuration in macOS Sonoma, we can ensure that Touch ID settings for `sudo` remain intact even after system updates.

The `/etc/pam.d/sudo` file now includes the following:
```
# sudo: auth account password session
auth include sudo_local
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
```
This configuration ensures that the settings in `/etc/pam.d/sudo_local` are loaded and used, maintaining Touch ID functionality for `sudo` commands.
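To confirm the setup without triggering a `sudo` prompt, the shell functions below check the two files discussed above. This is an added example, not part of the original article: the function names are hypothetical, and the group/other-writable test is an extra check the article does not mention.

```shell
#!/bin/sh
# Added example: check the Touch ID sudo setup without invoking sudo.

# 0 if FILE has an uncommented "auth sufficient pam_tid.so" line.
tid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so([[:space:]]|$)' "$1"
}

# 0 if the first auth line of FILE is "auth include sudo_local",
# as in the /etc/pam.d/sudo listing on this page.
sudo_includes_local() {
    first_auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1)
    printf '%s\n' "$first_auth" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local([[:space:]]|$)'
}

# 0 if FILE is not writable by group or others (a writable PAM file
# would let a non-root user change how sudo authenticates).
not_loosely_writable() {
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_touchid_sudo [SUDO_FILE] [LOCAL_FILE]
# Defaults are the live files; prints each problem and returns 1 if any.
check_touchid_sudo() {
    sudo_file=${1:-/etc/pam.d/sudo}
    local_file=${2:-/etc/pam.d/sudo_local}
    status=0
    if [ ! -f "$local_file" ]; then
        echo "FAIL: $local_file does not exist"
        return 1
    fi
    tid_enabled "$local_file" ||
        { echo "FAIL: pam_tid.so line is missing or still commented in $local_file"; status=1; }
    not_loosely_writable "$local_file" ||
        { echo "FAIL: $local_file is writable by group or others"; status=1; }
    if [ ! -f "$sudo_file" ] || ! sudo_includes_local "$sudo_file"; then
        echo "FAIL: $sudo_file does not start its auth stack with 'auth include sudo_local'"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: Touch ID is configured for sudo"
    return "$status"
}
```

Source the file and run `check_touchid_sudo` with no arguments to check the live files under `/etc/pam.d`.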
Please note that for macOS versions earlier than Sonoma, manual editing of `/etc/pam.d/sudo` is still required to enable Touch ID for `sudo` commands.