
macOS Touch ID for

Source: Notion | Last edited: 2024-09-07 | ID: e3e4bca3-e8d...


This tutorial is designed to guide you through enabling and verifying Touch ID for sudo commands on macOS, ensuring a more convenient and secure system setup. The tutorial follows the 5W1H principle to provide a comprehensive understanding.

You will configure your macOS system to use Touch ID for authorizing sudo commands. This allows you to authenticate using your fingerprint instead of typing a password each time you need elevated privileges.

Touch ID for sudo gives you a faster way to authenticate and keeps your account password out of the terminal: it is no longer typed at every privilege escalation, where it could be shoulder-surfed or captured in a terminal recording. The password itself stays valid as a fallback, so this is a convenience and exposure improvement, not a replacement for a strong password.

This tutorial is intended for macOS users whose Mac has a Touch ID sensor (built into the keyboard of a MacBook, or a Magic Keyboard with Touch ID) and who are comfortable editing system configuration from Terminal.

The configuration involves modifying system files in the /etc/pam.d/ directory, the PAM configuration that sudo consults. The change applies at the OS level to every sudo invocation, not just Terminal: any shell or script that calls sudo in your login session gets the Touch ID prompt. Because the module is listed as sufficient, sudo falls back to the usual password prompt whenever Touch ID cannot be used, for example over SSH.

You can enable this feature at any time. Historically it had to be redone after every macOS update, because the installer replaces /etc/pam.d/sudo and discards local edits to it. Since macOS Sonoma (14), /etc/pam.d/sudo includes a separate file, /etc/pam.d/sudo_local, which updates leave alone, so the configuration persists once it lives there.

  1. Verify if Touch ID is Enabled for sudo: To check whether Touch ID is already enabled, open Terminal and run:
grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' /etc/pam.d/sudo /etc/pam.d/sudo_local

If the output shows an uncommented auth sufficient pam_tid.so line from either file, Touch ID is enabled for sudo. A line that starts with # (as shipped in sudo_local.template, and in a freshly copied sudo_local) does not count, which is why the pattern anchors on auth rather than matching pam_tid.so anywhere. A "No such file or directory" error for sudo_local only means that file has not been created yet.

  2. Enable Touch ID for sudo: If Touch ID is not enabled, follow these steps:
  • Open Terminal and change to the /etc/pam.d/ directory:
cd /etc/pam.d
  • Check whether the sudo_local.template file exists (macOS Sonoma and later ship it):
ls sudo_local.template
  • If it exists, create the sudo_local file from it:
sudo cp sudo_local.template sudo_local
  • Edit sudo_local and uncomment the pam_tid.so line:
sudo nano /etc/pam.d/sudo_local
  • Remove the leading # so the line reads auth sufficient pam_tid.so, then save the file. Leave the rest of the file as it is: /etc/pam.d/sudo includes sudo_local before its own auth lines, so Touch ID is tried first and the password prompt remains the fallback. If the template does not exist (macOS 13 Ventura or earlier), the same line has to be added directly to /etc/pam.d/sudo as its first auth line, and that edit will be lost on the next macOS update.
  3. Test the Configuration: Open a new Terminal session (or run sudo -k first, so a password cached from an earlier sudo does not skip the prompt) and run any sudo command, such as:
sudo ls /var/root

If Touch ID is enabled, a Touch ID dialog asks for your fingerprint. Cancelling the dialog, or running the command where the sensor is unavailable (over SSH, or inside a tmux or screen session without a reattach helper), falls back to the normal password prompt; that is the sufficient keyword at work, not a misconfiguration.

  4. Automate the Check with a Script: To check quickly in the future whether Touch ID is enabled, use this one-liner. It matches only an uncommented line, because a plain grep over /etc/pam.d/sudo* also hits the commented-out line in sudo_local.template and would report success on every Sonoma machine whether or not the feature is on:
if grep -Eqs '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' /etc/pam.d/sudo /etc/pam.d/sudo_local; then echo "Touch ID for sudo is enabled"; else echo "Touch ID for sudo is not enabled"; fi
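The whole procedure (check, create sudo_local from the template, activate the line, verify) as one idempotent script. This is an added example, not code from the original page or from Apple: the function names are my own, and it assumes the Sonoma layout described above (a sudo_local.template whose pam_tid.so line is commented out with a leading #, included from /etc/pam.d/sudo). By default it only reports status; writing to /etc/pam.d happens only with --apply, run as root. The paths can be overridden with PAM_DIR so the logic can be exercised against a scratch directory first.

```shell
#!/bin/bash
# Added example: check/enable Touch ID for sudo via /etc/pam.d/sudo_local.
# Read-only by default; only "--apply" (run as root) writes to /etc/pam.d.
set -eu

# Active line: an uncommented "auth sufficient pam_tid.so".
# A line commented out with '#' (as shipped in sudo_local.template) must not match.
ACTIVE_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'
COMMENTED_RE='^#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)'

# tid_line_active FILE: succeed if FILE has an active pam_tid.so line.
# -s keeps a missing file (sudo_local not created yet) from printing an error.
tid_line_active() {
    grep -Eqs "$ACTIVE_RE" "$1"
}

# tid_status DIR: print where Touch ID is enabled: sudo_local, sudo, or none.
tid_status() {
    if tid_line_active "$1/sudo_local"; then echo sudo_local
    elif tid_line_active "$1/sudo"; then echo sudo
    else echo none
    fi
}

# tid_enable_local DIR: create DIR/sudo_local from the template if missing,
# then activate the pam_tid.so line. Idempotent. Without a template (macOS
# before Sonoma) it returns 1 and leaves DIR/sudo untouched.
tid_enable_local() {
    local dir="$1" tmpl="$1/sudo_local.template" f="$1/sudo_local"
    if [ ! -f "$f" ]; then
        if [ ! -f "$tmpl" ]; then
            echo "no $tmpl: pre-Sonoma macOS, edit $dir/sudo by hand instead" >&2
            return 1
        fi
        cp "$tmpl" "$f"
    fi
    tid_line_active "$f" && return 0            # already enabled, nothing to do
    if grep -Eqs "$COMMENTED_RE" "$f"; then
        # Uncomment the template's own line. Writing to a temp file and
        # renaming works with both BSD and GNU sed and never leaves a
        # half-written PAM file behind if the script is interrupted.
        sed -E "s/$COMMENTED_RE/\\1/" "$f" > "$f.tmp"
    else
        # No pam_tid.so line at all: prepend one so it is tried before the
        # password modules that /etc/pam.d/sudo lists after the include.
        { echo 'auth       sufficient     pam_tid.so'; cat "$f"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
    chmod 444 "$f"                              # read-only, like /etc/pam.d/sudo
    tid_line_active "$f"                        # final verification
}

case "${1:-check}" in
    check)
        echo "Touch ID for sudo: $(tid_status "${PAM_DIR:-/etc/pam.d}")" ;;
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as: sudo $0 --apply" >&2; exit 1; }
        tid_enable_local "${PAM_DIR:-/etc/pam.d}"
        echo "Touch ID for sudo: $(tid_status "${PAM_DIR:-/etc/pam.d}")" ;;
    *)
        echo "usage: $0 [check|--apply]" >&2; exit 2 ;;
esac
```

Run it once without arguments to see the current state, then `sudo ./touchid-sudo.sh --apply` to enable; a second --apply is a no-op because the active line is detected before anything is written. After applying, confirm with `sudo -k` followed by any sudo command, exactly as in step 3.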

Once configured, every command that needs sudo prompts for your fingerprint instead of your password, so the password is no longer typed into the terminal at each privilege escalation.

By setting up Touch ID for sudo on macOS, you streamline your workflow without weakening the password fallback. With sudo_local the setting survives macOS updates; if you edited /etc/pam.d/sudo directly, re-check it with the script from step 4 after each update, since the installer replaces that file.