Last October, i got for myself one M1 Macbook pro.
It is a hell of a machine, powerful, silent and it comes with touchID.
I didn't change my laptop since my mid-2012 macbook pro, and this was a revolution !
I saw one day, one of my coworker edit files with
sudo vi, no password typed, just put his finger on touchID pad, I always wanted to do the same, so i configured it.
By default, it is not configured on macos, you have to edit one file :
/etc/pam.d/sudo
In this file, you'll find this content :
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
I just add the line :
auth sufficient pam_tid.soso the file looks like this then :
# sudo: auth account password session
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Bonus
On the day you update your mac, the
/etc/pam.d/sudomay be overwritten by the update process. And your changes will be lost.
(I know it is one line to add to file, but if you are lazy like me, you will understand :D)
One github user, named tjluoma made a little script, named tjluoma/sudo-via-touch-id, that will check if the line is present in your
/etc/pam.d/sudo, and will add it if not !
Just like he indicates it on his README :
## How to use this 1. Download sudo-via-touch-id.sh 2. Make it executable: `chmod 755 sudo-via-touch-id.sh` 3. Run it: `./sudo-via-touch-id.sh` 4. (Optional But Useful) move it to a directory such as `/usr/local/bin/` so you can run it again next time there's an update to macOS.
After i installed this script in my
/usr/local/bin/, i edited my crontab to run the script each time my laptop is rebooted.
Like this :
@reboot bash /usr/local/bin/sudo-via-touch-id.sh
With this, on each reboot the script will run, and add the missing line to the
/etc/pam.d/sudoif update deleted it !