touch sudo

2024-03-27

I like Touch ID. I like to Touch ID with sudo. I like to Touch ID with sudo in tmux.

Use with caution

I may or may not have trashed my /etc/pam.d/sudo file a few times getting this right.

So before showing how to use Touch ID with sudo on Mac OS, bonus pro-tip: how to un-bork your sudo file.

copy /etc/pam.d/sudo file to $HOME
edit, make fixes
use Finder, drag-n-drop edited file to /etc/pam.d. This works because Finder does not use the sudo file for privilege escalation.

Finally, here’s how to make Touch ID sudo work.

# gnu cli tools, I'm not an animal
brew install gnu-sed

# enables touch id for sudo
sudo gsed -i '2s/^/auth       sufficient     pam_tid.so\n/' /etc/pam.d/sudo

# only needed if you use tmux.
# You can trash your sudo file if you run this without installing pam-reattach first
brew install pam-reattach
sudo gsed -i "2s|^|auth       optional       $(brew --prefix)/lib/pam/pam_reattach.so\n|" /etc/pam.d/sudo

And because Mac trashes /etc/pam.d/sudo on every OS update, I have this in my ~/.bashrc for easy setup.

function touchsudo {
  grep -q pam_tid /etc/pam.d/sudo || \
    sudo gsed -i '2s|^|auth       sufficient     pam_tid.so\n|' /etc/pam.d/sudo
  grep -q pam_reattach /etc/pam.d/sudo || \
    sudo gsed -i "2s|^|auth       optional       $(brew --prefix)/lib/pam/pam_reattach.so\n|" /etc/pam.d/sudo
}

note on iTerm2

Alacritty is my terminal of choice. But for the popular iTerm2, there is one last obstacle to make Touch ID sudo work.

open iTerm2
Cmd+, to open Preferences
go to the Advanced tab
set Allow sessions to survive logging out and back in to No

Related tags:

MacOS
tmux

email comments to paul@bauer.codes

touch sudo

site menu