
Sudo with macos and TouchID

by Bruno, on 03-Aug-2022

I am a lazy guy, and typing my password kind of annoys me :-D


I’m addicted to home automation. There. Said it. But it’s just such a tremendous amount of fun to play with. I’m pretty sure it’s the SRE in me. Why do anything by hand when you can have computers do things for you? Why turn on the lights when you get home when it can happen automatically? Turn on the lights when you enter the bathroom? Barbaric! Turn them off? I’ve got better things to do! Why not wake up to the smell of freshly brewed coffee every morning instead of having to get out of bed first to turn on the coffee machine?

Last October, I got myself an M1 MacBook Pro.

It is a hell of a machine: powerful, silent, and it comes with Touch ID.

I hadn't changed my laptop since my mid-2012 MacBook Pro, and this was a revolution!

One day I saw one of my coworkers edit files with sudo vi without typing a password, just putting his finger on the Touch ID pad. I had always wanted to do the same, so I configured it.

By default it is not configured on macOS; you have to edit one file: /etc/pam.d/sudo

In this file, you'll find this content:

    # sudo: auth account password session
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

I just added the line `auth sufficient pam_tid.so` at the top, so the file then looks like this. The line goes first and is marked `sufficient`, so a successful Touch ID check ends authentication right there, and if Touch ID is unavailable or fails, sudo falls back to the password prompt as before:

    # sudo: auth account password session
    auth       sufficient     pam_tid.so
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

Bonus

On the day you update your Mac, /etc/pam.d/sudo may be overwritten by the update process, and your changes will be lost.

(I know it is one line to add to the file, but if you are lazy like me, you will understand :D)

A GitHub user named tjluoma made a little script, tjluoma/sudo-via-touch-id, that checks whether the line is present in your /etc/pam.d/sudo and adds it if it is not!

As he indicates in his README:

## How to use this

1. Download sudo-via-touch-id.sh
2. Make it executable: `chmod 755 sudo-via-touch-id.sh`
3. Run it: `./sudo-via-touch-id.sh`
4. (Optional But Useful) move it to a directory such as `/usr/local/bin/` so you can run it again next time there's an update to macOS.

After I installed this script in my /usr/local/bin/, I edited my crontab to run the script each time my laptop is rebooted.

Like this:

    @reboot    bash /usr/local/bin/sudo-via-touch-id.sh

With this, the script runs on each reboot and adds the missing line to /etc/pam.d/sudo if an update deleted it!
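As an added example (my own, not tjluoma's script, whose internals are not reproduced here), this POSIX shell function does the same check-and-insert idempotently, putting the `pam_tid.so` rule before the first existing auth rule so it keeps the position shown above; it assumes a file path argument for testing (default /etc/pam.d/sudo, which needs root), and the `SAMPLE_PAM` contents are a constructed copy of the stock file used only by `demo`.

```shell
#!/bin/sh
# Added example: idempotently make sure a sudo PAM file enables pam_tid.so.
# Run ensure_touchid_sudo as root for the real file; demo uses a constructed copy.
PAM_LINE='    auth       sufficient     pam_tid.so'

# Constructed sample of the stock /etc/pam.d/sudo (used only by demo, never read from disk).
SAMPLE_PAM='# sudo: auth account password session
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so'

# Status 0 if the file already has an "auth sufficient pam_tid.so" rule, 1 otherwise.
has_touchid_line() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Insert the rule before the first existing auth rule, so it is tried before
# pam_smartcard.so / pam_opendirectory.so. Status 0 if already present or fixed.
ensure_touchid_sudo() {
    file="${1:-/etc/pam.d/sudo}"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if has_touchid_line "$file"; then
        echo "ok: $file already enables pam_tid.so"
        return 0
    fi
    tmp="$(mktemp)" || return 3
    # awk rather than sed -i: BSD (macOS) and GNU sed disagree on the -i syntax.
    awk -v line="$PAM_LINE" '
        !done && /^[[:space:]]*auth[[:space:]]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 3; }
    # Overwrite in place with cat so the file keeps its owner and mode (root:wheel, 0444).
    if cat "$tmp" > "$file"; then
        rm -f "$tmp"; echo "fixed: added pam_tid.so to $file"
    else
        rm -f "$tmp"; echo "cannot write $file (run as root?)" >&2; return 4
    fi
}

# Run the fix twice on a temporary copy of SAMPLE_PAM and print the final
# number of pam_tid.so lines; it stays 1, which shows the second run changed nothing.
demo() {
    f="$(mktemp)"
    printf '%s\n' "$SAMPLE_PAM" > "$f"
    ensure_touchid_sudo "$f" > /dev/null
    ensure_touchid_sudo "$f" > /dev/null   # second run must not duplicate the line
    grep -c 'pam_tid\.so' "$f"
    rm -f "$f"
}
```

Source the file and call `sudo sh -c '. ./ensure-touchid.sh && ensure_touchid_sudo'` (hypothetical filename) from the same `@reboot` crontab entry, or run `demo` as a normal user to see the edit on the constructed copy.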