Using TouchID for sudo on macOS

I’m writing this as a note to myself as much as to share with other TouchID-enabled macOS users. sudo on the command line is incredibly useful: it helps enforce security boundaries by not encouraging you to simply run as root; it enforces separation, since you run with your own account; and finally, it logs actions taken using sudo. These are all great features, but as we strive to create longer passwords and passphrases, this can get cumbersome to type repeatedly. One way to keep all of these security properties and reduce how often you have to type your password is to use TouchID to authenticate.

To do this, edit the file /etc/pam.d/sudo and add the following line at the top:

auth       sufficient     pam_tid.so

Save and you’re done. Since the default config of sudo will cache your credentials for 5 minutes, and you probably just used sudo to edit that file, you can evict your credentials with sudo -K to test this. Now use sudo for a command, and you’ll be prompted to allow the command to run by using TouchID. It looks like this:

TouchID prompt for sudo auth

In my experience, macOS upgrades will often stomp on this file, so be prepared to simply re-add this entry after an OS update.
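Since the entry has to be re-added after upgrades, here is an added example (my own helper, not part of the original post) that inserts the TouchID PAM line idempotently: it places pam_tid.so above the first existing rule (keeping any comment header), does nothing if the line is already there, and takes the file path as an argument so it can be tried on a copy before pointing it at /etc/pam.d/sudo. The helper names are mine; pam_tid.so is Apple's TouchID PAM module.

```shell
#!/bin/sh
# Added example: idempotently enable TouchID for sudo in a pam.d file.
# Usage on a real system (path is the assumption here):
#   sudo sh enable_touchid.sh   (after setting FILE=/etc/pam.d/sudo below)

PAM_LINE='auth       sufficient     pam_tid.so'

# enable_touchid_sudo FILE
# Returns 0 if the pam_tid.so rule is present afterwards (added or already
# there), 1 if FILE is missing or cannot be rewritten.
enable_touchid_sudo() {
    f="$1"
    [ -f "$f" ] || return 1
    # Already configured? Leave the file untouched (no duplicate rules).
    if grep -q '^[[:space:]]*auth[[:space:]].*pam_tid\.so' "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    # Insert the rule before the first non-comment, non-blank line so it is
    # evaluated first; append it if the file has no rules at all.
    awk -v line="$PAM_LINE" '
        !done && $0 !~ /^[[:space:]]*#/ && $0 !~ /^[[:space:]]*$/ {
            print line; done = 1
        }
        { print }
        END { if (!done) print line }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place (cat > keeps the file's owner and mode, mv would not).
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# first_rule FILE: prints the first active (non-comment, non-blank) rule.
first_rule() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | head -n 1
}

# count_tid FILE: prints how many pam_tid.so lines the file contains.
count_tid() {
    grep -c 'pam_tid\.so' "$1"
}
```

Run it against a copy of the file first; on a real system it needs root, and since the first run itself goes through sudo, you will be typing your password once more before TouchID takes over.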

Updates: after posting this, I had two reports of it not working. After a little troubleshooting, we figured out that they were using iTerm2. The secret is to disable the following iTerm2 preference:

Prefs > Advanced > Allow sessions to survive logging out and back in

(Thanks Kristian and Joel!)

I’m also told that enabling this in Catalina also lets Apple Watch people double-tap the watch to auth: