Sudo With Touch ID

calendarJan 20, 2022 · 2 min read · mac  ·
Share on: linkedincopy

Security and convenience are not best of the friends. Good password/pin practices are not convenience (long, different for each system, random). Biometric authentication is somewhat a good compromise.

Logging into your machine is a very repetitive task. I do it enough time is a day to be annoyed of long passwords. Additionally, I work a lot on command line so I do find myself running commands with sudo a lot. Here is something that help me reduce some annoyance out of these.

You can setup your mac (may be other fingerprint enabled linux system) to use fingerprint based authentication. Most Mac users use this for login purpose. But till today I did not think about using fingerprint for sudo commands. After a quick search I stumbled on the original port on iMore.

Original Post https://www.imore.com/how-use-sudo-your-mac-touch-id

Alternative Method 1: Via vi

If you are like me, and prefer using Terminal and vi, here is the method

  1. Open /private/etc/pam.d/sudo in vi

    1sudo vi /private/etc/pam.d/sudo

  2. Goto line 2 and start a new line (2Go - [2] + [Shift + G] + [o])

  3. Paste this line

    1auth sufficient pam_tid.so

  4. Exit edit mode - [Esc]

  5. Save and quit (:wq! - [:] +[w] + [q] + [!] + [Enter])

Alternative Method 2: One Liner

Just run this command

1sudo sed -ie '1 a\
2auth       sufficient     pam_tid.so
3' /private/etc/pam.d/sudo

Or this if you have gnu-sed on your mac

1sudo gsed -i '1 a auth       sufficient     pam_tid.so' /private/etc/pam.d/sudo

But Why

Its very common for enterprises to sync local password with your IDP (Example: Okta). I use a very long and different (for every system) passwords. I can get away with the hassle by using a password manager. My personal favorite is Safe In Cloud.

So, there is no way I can type it over and over again, every time I lock my machine or run commands with sudo. Additionally, I didn't want to put NOPASSWD in sudoers config. I find that risky, as I run all sorts of random scripts on my machine. So, using TouchID instead of password seems like a safe thing.

I have also used the PIV function of Yubikey for PIN based login, instead of password. That works too. But since I do find myself in public places with really smart people, giving away PIN is a big possibility. So, biometric lock seems safer.

comments powered by Disqus