A couple of days ago, I’ve received my new 15″ Mac Book Pro. So far I’m quite happy. Ok the the circumstance, that I have to carry around a bunch of adapters. I’m waiting for the first projector at customers with USB-C connection. But thats an other story. Initially I thought, that I will not use the new Touch Bar that much. But I must admit that it’s quite handy from time to time. In particular the Touch ID to unlock the Mac Book Pro.
During my day to day work, I’m using the terminal quite a lot. This also includes the use of sudo. Why not using the Touch ID, to run a privileged command with sudo rather than typing the password. Good idea, unfortunately this is not possible out of the box in macOS Sierra. A Google search has revealed two possible solutions respectively projects on GitHub.
- Replace the sudo with a customised version of sudo, which does support Touch ID (see sudo-touchid
- Add a customised PAM module, which does support the Touch ID (see pam_touchid
I have decided to test the custom PAM module, because it seems, that this alternative has less impact on the operating system. The configuration is straight forward and includes the following steps:
- Build the project using Xcode
- Copy the PAM module to a custom location
- Update the sudo configuration
As mentioned in a comments on GitHub, sudo over ssh does not work with this PAM module (see pam_touchid appears to break sudo over SSH)
pam_touchid.m requires a small modification. In particular the following if statement has to be added at the top of the method pam_sm_authenticate.
In case of a sudo authentication request over SSH the module will do nothing. Sudo will fall back to the regular PAM modules. So lets start Xcode to adjust
pam_touchid.m and build
Create a custom directory for the PAM module, copy
pam_touchid.so.2 and adjust the owner and privileges.
sudo mkdir -p /usr/local/lib/pam/
sudo cp pam_touchid.so.2 /usr/local/lib/pam/
sudo chown root:wheel /usr/local/lib/pam/pam_touchid.so.2
sudo chmod 444 /usr/local/lib/pam/pam_touchid.so.2
Update the sudo configuration and add
auth sufficient pam_touchid.so reason="execute a command as another user" to the top of the file.
sudo vi /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_touchid.so reason="execute a command as another user"
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
As soon as you start a new terminal session, you can use your Touch ID to authenticate sudo. Below you see an example of
sudo hostname to get the current hostname.
As mentioned in the realm of the PAM Touch ID project, you have to be sure what your doing. If it is the first time you use Xcode and Terminal, it is probably better to not change your sudo authentication.
Thanks to Hamza Sood for this PAM module.