Can Touch ID for the Mac Touch Bar authenticate sudo users and admin privileges?
Question
Does Touch ID for the MacBook Pro Touch Bar support elevating admin privileges in macOS?
Somewhat differently, can the Touch ID give sudo access in Terminal?
I wonder this because I'm considering getting a YubiKey which can do string input to password fields, but Touch ID for Macs may render it unnecessary.
Solution
TouchID does support elevating privileges, but as of now, it only seems to be supported in Apple's own apps. My guess is that 3rd party apps will have to be updated to support it, unfortunately. I still end up typing in my password a lot.
See @conorgriffin's answer for instructions to enable TouchID for sudo.
OTHER TIPS
To allow TouchID on your Mac to authenticate you for sudo
access instead of a password you need to do the following.
Open Terminal
Switch to the root user with
sudo su -
Edit the
/etc/pam.d/sudo
file with a command-line editor such asvim
ornano
The contents of this file should look like one of the following examples:
-
# sudo: auth account password session auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so
-
# sudo: auth account password session auth sufficient pam_smartcard.so auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so
-
You need to add an additional
auth
line to the top so it now looks like this:# sudo: auth account password session auth sufficient pam_tid.so auth sufficient pam_smartcard.so auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so
Save the file. (Note: this file is normally read-only so saving your changes may require you to force the save, e.g.
vim
will require you to usewq!
when saving)Also note that
pam_smartcard.so
may not be present on older MacOS versions.Exit from the root user or start a new terminal session.
Try to use
sudo
, and you should be prompted to authenticate with TouchID as shown below.If you click 'Cancel,' you can just enter your password at the terminal prompt. If you click 'Use Password' you can enter your password in the dialog box.
If you SSH into your machine it will fall back to just use your password, since you can't send your TouchID fingerprints over SSH.
Note: See answer by user Pierz below if you're using iTerm, as there's a setting you need to explicitly change to enable this feature.
Note:
Recent MacOS updates may remove the entry. If TouchID stops working for sudo
then check if the entry was removed and add it back in, following these instructions again.
If you're using iTerm2 (v3.2.8+) you may have seen Touch ID failing to work with sudo in the terminal despite having made the pam_tid.so
modification as above, and it working in previous versions. This is down to an advanced feature that seems to be now enabled by default - this needs to be turned off here: iTerm2->Preferences > Advanced > (Goto the Session heading) > Allow sessions to survive logging out and back in.
Alternatively you can use this pam_reattach
module to retain the session feature and TouchID sudo at the same time.
You can use fingerprint for getting sudo access in the terminal or iTerm, just add auth sufficient pam_tid.so
to the first line to your /etc/pam.d/sudo
file.
I have created a simple script that enables sudo to use the TouchID PAM module exactly as conorgriffin explains. It does it in a single script that you can copy-paste to a terminal in it's entirety or use the "curl
pipe bash
" shortcut:
curl -sL https://gist.githubusercontent.com/RichardBronosky/31660eb4b0f0ba5e673b9bc3c9148a70/raw/touchid_sudo.sh | bash
#!/bin/bash
# curl -sL https://gist.githubusercontent.com/RichardBronosky/31660eb4b0f0ba5e673b9bc3c9148a70/raw/touchid_sudo.sh | bash
# This script is ready to copy-paste in whole, or just the line above (without the leading #)
# Use TouchID for sudo on modern MacBook Pro machines
# This script adds a single line to the top of the PAM configuration for sudo
# See: https://apple.stackexchange.com/q/259093/41827 for more info.
touchid_sudo(){
sudo bash -eu <<'EOF'
file=/etc/pam.d/sudo
# A backup file will be created with the pattern /etc/pam.d/.sudo.1
# (where 1 is the number of backups, so that rerunning this doesn't make you lose your original)
bak=$(dirname $file)/.$(basename $file).$(echo $(ls $(dirname $file)/{,.}$(basename $file)* | wc -l))
cp $file $bak
awk -v is_done='pam_tid' -v rule='auth sufficient pam_tid.so' '
{
# $1 is the first field
# !~ means "does not match pattern"
if($1 !~ /^#.*/){
line_number_not_counting_comments++
}
# $0 is the whole line
if(line_number_not_counting_comments==1 && $0 !~ is_done){
print rule
}
print
}' > $file < $bak
EOF
}
touchid_sudo
This script demonstrates a few cool patterns that I love to teach people who are new to bash or DevOps.
- Create a backup file that is numbered rather than simply
.bak
on the end. (It looks gnarly, but that pattern works with whatever is in$file
and is reusable. - To make it safe to do
curl ... | bash
, wrap everything in a function and call it on the last line. That way if the download is interrupted, nothing is (partially) done. - Put a call to
sudo bash -eu
in your script so that you don't have tell the user to do it. (-eu
are short for errexit and nounset and you should be using them!) - Single quoting bash heredoc
'EOF'
to prevent premature shell expansion. - Making inline
awk
more readable.
To wrap up Andy and Glenjamin's solution into one play:
---
- hosts: localhost
tasks:
- name: install pam_reattach pam module
homebrew:
name: fabianishere/personal/pam_reattach
state: present
register: reattach_result
- name: detect touch id support
shell: pgrep ControlStrip
ignore_errors: true
register: touch_id_result
- name: enable touch id for sudo commands
lineinfile:
path: /etc/pam.d/sudo
line: 'auth sufficient pam_tid.so'
insertbefore: '^auth sufficient pam_smartcard.so$'
become: yes
when: touch_id_result.rc == 0 and touch_id_result.stdout != ''
- name: enable persistent touch id for tmux and iterm
lineinfile:
path: /etc/pam.d/sudo
line: 'auth optional pam_reattach.so'
insertbefore: '^auth sufficient pam_tid.so$'
become: yes
when: reattach_result == 0
This can be run with just ansible-playbook sudo-touchid.yml
, where sudo-touchid.yml
is what I named this play.
The first step installs Fabian's pam_reattach
, which allows sudo to work in iTerm, tmux, etc. It isn't in the default Homebrew formulae, so we're fetching it from his own repository.
The second checks to see if this Mac has a touchbar; otherwise we're going to bail out.
Third, we're seeing if we already added pam_tid.so
to /etc/pam.d/sudo
, and only if there is a touchbar.
Finally, we also add pam_reattach.so
as an optional
auth method. According to the author, he might have have some unknown bug, and if we used required
it could result in a lockout.
I created the following ansible tasks to enable touch id for sudo commands if your computer supports it:
- name: detect touch id support
shell: pgrep ControlStrip
ignore_errors: true
register: touch_id_result
- name: enable touch id for sudo commands
lineinfile:
path: /etc/pam.d/sudo
line: 'auth sufficient pam_tid.so'
insertbefore: '^auth sufficient pam_smartcard.so$'
become: yes
when: touch_id_result.rc == 0 and touch_id_result.stdout != ''
One thing to mention is that you should first change the file permission then try to make changes:
sudo su -
chmod u+w /etc/pam.d/sudo
Adding this line at first line:
# sudo: auth account password session
auth sufficient pam_tid.so # << Add this here ;)
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Then revert it back file permissions when you are done with:
chmod u-w /etc/pam.d/sudo