TouchID is a real advance in the local security of Apple's MacBook line. One of the things it enables is having sudo prompt for a TouchID scan instead of a password. Personally this is a big win: it removes the risk of typing your password into the wrong window. Conveniently, the change is a small, precise edit to /etc/pam.d/sudo.
Before the change, /etc/pam.d/sudo looks like this:
$ sudo cat /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
The line we will be adding is:
auth sufficient pam_tid.so [success=done new_authtok_reqd=done auth_err=ignore default=ignore]
After adding our line, the file looks like this:
$ sudo cat /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_tid.so [success=done new_authtok_reqd=done auth_err=ignore default=ignore]
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Because the entry is marked sufficient and sits first in the auth stack, a successful fingerprint scan satisfies authentication on its own and no password is requested. If the scan fails, is cancelled, or the sensor is unavailable (for example the lid is closed and you are on an external display), sudo simply continues down the stack to pam_smartcard.so and then to the normal password check in pam_opendirectory.so, so nothing is lost. On macOS the sufficient keyword is what matters; the bracketed [success=done ...] list is Linux-PAM control syntax, and Apple's own template in newer releases uses plain "auth sufficient pam_tid.so". Two practical caveats: test the edit from a new terminal with "sudo -k && sudo true" while keeping an already-authenticated shell open, so a typo in the file cannot lock you out of sudo; and expect macOS updates to overwrite /etc/pam.d/sudo, after which the line has to be re-added. On macOS Sonoma and later, /etc/pam.d/sudo includes /etc/pam.d/sudo_local, which survives updates, so that is the better place for the line (start from /etc/pam.d/sudo_local.template).
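As an added example (not code from the original post), here is a small POSIX shell script that performs the edit idempotently: it keeps a backup, inserts the line ahead of the first existing auth entry, and reports which module now heads the auth stack. The function names, the scratch-file demo and the sample file contents are this example's own; the sample matches the "before" listing above. Run enable_tid against /etc/pam.d/sudo as root to apply it for real.

```shell
#!/bin/sh
# Added example: idempotent insertion of the pam_tid.so line into a
# pam.d "sudo" file. Function names (has_tid, enable_tid,
# first_auth_module, demo) are this example's own, not Apple's or sudo's.

# The exact line from the post above.
TID_LINE='auth sufficient pam_tid.so [success=done new_authtok_reqd=done auth_err=ignore default=ignore]'

# has_tid FILE: succeed (exit 0) if FILE already loads pam_tid.so.
has_tid() {
    grep -q 'pam_tid\.so' "$1"
}

# first_auth_module FILE: print the module of the first "auth" entry,
# i.e. the module PAM will try first. Expect pam_tid.so after the edit.
first_auth_module() {
    awk '$1 == "auth" { print $3; exit }' "$1"
}

# enable_tid FILE: keep a .bak copy, then place TID_LINE directly above
# the first existing auth line so TouchID is tried before smartcard and
# password. Does nothing if the line is already present. The rewrite is
# done with cat into the existing file (not mv) so the original owner
# and mode of /etc/pam.d/sudo are preserved; that needs root for real.
enable_tid() {
    file=$1
    if has_tid "$file"; then
        echo "pam_tid.so already present in $file" >&2
        return 0
    fi
    cp "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    awk -v line="$TID_LINE" '
        !inserted && $1 == "auth" { print line; inserted = 1 }
        { print }
        END { if (!inserted) print line }   # no auth lines at all: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# demo: run the edit on a scratch copy of the stock file (contents
# constructed here to match the "before" listing above) so the script
# can be executed without touching the system. For the real thing,
# as root: enable_tid /etc/pam.d/sudo, then from a NEW terminal run
# "sudo -k && sudo true" while keeping the current shell open as a fallback.
demo() {
    scratch=$(mktemp) || return 1
    printf '%s\n' \
        '# sudo: auth account password session' \
        'auth sufficient pam_smartcard.so' \
        'auth required pam_opendirectory.so' \
        'account required pam_permit.so' \
        'password required pam_deny.so' \
        'session required pam_permit.so' > "$scratch"
    enable_tid "$scratch"
    echo "first auth module: $(first_auth_module "$scratch")"
    cat "$scratch"
    rm -f "$scratch" "$scratch.bak"
}

demo
```

Running enable_tid a second time is a no-op, which makes it safe to put in a post-update script; the .bak copy is what you restore from if a later edit goes wrong.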
NOTE: If the TouchID prompt does not appear when running sudo in iTerm2, disable Prefs > Advanced > "Allow sessions to survive logging out and back in". With that option on, your shells run under iTerm2's session-restoration server rather than directly in your GUI login session, and pam_tid.so cannot present the prompt from there.