use-touchid-for-sudo-on-macos.md

This is just a note to my future self - no assurances it will work for you!

This fix isn't permanent and will be overwritten by the system arbitrarily, hence why I wrote down the steps and script that worked for me here so I can easily set it again. The previous sentence was true until macOS Sonoma (14) was released, which now allows TouchID for sudo to persist across updates and restarts. The script will automatically detect if you are on Sonoma or later and apply that permanent change instead of the earlier, non-permanent fix.

Usage

Copy + run the line below.

curl -fsSL https://gist.githubusercontent.com/uncenter/604233698c41f1c54079760b93fbabf0/raw/x.sh | sh

Manual method

• Open /etc/pam.d/sudo in your editor with sudo. You should see something similar to the following examples:

# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• Add an additional line, auth sufficient pam_tid.so, to the top:

# sudo: auth account password session
+ auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

If you are unable to save the file in your editor, either try the next set of instructions or if you are using a visual editor like Visual Studio Code, try the above instructions again but in a command line editor such as vi, vim, nvim, helix, etc.

Alternative manual method (not recommended)

• In your preferred terminal, copy and paste the contents of /etc/pam.d/sudo (cat /etc/pam.d/sudo) into a new temporary file: cat /etc/pam.d/sudo >> temp.txt).
• temp.txt should now look (cat temp.txt) similar to one of the following:

# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• Edit temp.txt and add an additional line (auth sufficient pam_tid.so) to the top so it now looks like this:

# sudo: auth account password session
+ auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• To make our changes have an effect, we need to replace the old file with our new one: sudo cp temp.txt /etc/pam.d/sudo

x.sh

#!/usr/bin/env sh

if [ ! $(uname) = "Darwin" ]; then
    echo "This script is for macOS only."
    exit 1
fi

string="auth       sufficient     pam_tid.so"

if [ $(sw_vers -productVersion | awk -F'.' '{print $1}') = "14" ]; then
  file=/etc/pam.d/sudo_local
  
  if [ -f "$file" ]; then
    echo "ERROR: $file already exists"
    exit 1
  fi
 
  if echo $string | sudo tee $file > /dev/null; then
    echo "Success! TouchID with sudo has been enabled."
  else
    echo "ERROR: Failed to modify $file."
    exit 1
  fi
else
  file=/etc/pam.d/sudo
  
  if [ ! -f "$file" ]; then
    echo "ERROR: $file not found"
    exit 1
  fi
  
  if grep -q "$string" "$file"; then
    echo "TouchID with sudo is already enabled. No changes needed!"
    exit 0
  fi
 
  if sudo sed -i '' "2s/^/$string\n/" "$file"; then
    echo "Success! TouchID with sudo has been enabled."
  else
    echo "ERROR: Failed to modify $file."
    exit 1
  fi
fi