How to allow Touch ID to authenticate for Sudo commands on Mac

To enable TouchID on your Mac to authenticate you for sudo access instead of a password you need to do the following steps.

• Open Sudo configuration file with the following command

sudo vi /etc/pam.d/sudo

Initially file content should look like this

# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• Paste auth sufficient pam_tid.so on line 2 of the document (underneath the initial comment line)

After pasting contents should be like this

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• Save the file (Since this file is read-only, you may be required to do force save, Eg vim will require you to use wq! when saving)

• Now try to use sudo command on terminal and you should be prompted to authenticate with Touch ID as shown below

• If you click 'Cancel' you can just enter your password at the terminal prompt if you click 'Use Password' you can enter your password in the dialog box.

• If you SSH into your machine it will fall back to just use your password since you can't send your TouchID fingerprints over SSH

• If you're using iTerm2 (v3.2.8+) you may have seen Touch ID failing to work with sudo in the terminal despite having made the pam_tid.so modification as above, and it works in previous versions. This is down to an advanced feature that seems to be now enabled by default - this needs to be turned off here: iTerm2->Preferences > Advanced > (Goto the Session heading) > Allow sessions to survive logging out and back in.

Reference: https://apple.stackexchange.com/questions/259093/can-touch-id-for-the-mac-touch-bar-authenticate-sudo-users-and-admin-privileges

Comments

[Balazs Pocze]

Never ever edit /etc/sudoers with text editor, because if you mess up something you will be locked out. use
sudo visudo
instead. Doesn't allow to save bad config.
It will use your editor set in the $EDITOR environment variable.

cheers!

[Thamaraiselvam]

Thanks for the heads up 👍

[Ben Sinclair]

This is interesting, but :wq! isn't "force save" on vim unless you've made a mapping for it.

[Thamaraiselvam]

! symbol to override action right? I have searched couldn't get source to read, can you please explain what's difference between wq and wq!

[jeikabu]

That's pretty cool. I'm not a fan of the touch bar, but I do like TouchId. Wonder if there's a way to do it without the pop-up....

[Thamaraiselvam]

Usually mac prompt for Finger print isn't? I am wonder how do we know its asks for a finger print authentication without prompt