How to allow Touch ID to authenticate for Sudo commands on Mac

Thamaraiselvam - Nov 2 '19 - Dev Community

To let Touch ID on your Mac authenticate you for sudo access instead of a password, follow these steps.

  • Open the sudo PAM configuration file with the following command:

sudo vi /etc/pam.d/sudo

Initially, the file content should look like this:

# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • Paste auth sufficient pam_tid.so on line 2 of the document (underneath the initial comment line).

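After pasting, the contents should look like this. Because the new rule is marked sufficient, a successful Touch ID check is enough on its own, and otherwise authentication falls through to the password rule below it.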

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • Save the file. Since this file is read-only, you may need to force the save; for example, vim requires :wq! when saving.

  • Now run a sudo command in the terminal; you should be prompted to authenticate with Touch ID.

  • If you click 'Cancel', you can enter your password at the terminal prompt; if you click 'Use Password', you can enter your password in the dialog box.

  • If you SSH into your machine, it will fall back to using your password, since you can't send your Touch ID fingerprints over SSH.

  • If you're using iTerm2 (v3.2.8+), you may have seen Touch ID fail to work with sudo in the terminal despite the pam_tid.so modification above, even though it works in previous versions. This is down to an advanced feature that now seems to be enabled by default and needs to be turned off here: iTerm2 > Preferences > Advanced > (go to the Session heading) > Allow sessions to survive logging out and back in.
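
The edit steps above as a script, added here as an example and not part of the original post: it inserts the pam_tid.so rule ahead of the first auth rule (line 2 in the file shown), skips the edit when the rule is already present, and keeps a backup. The function names and the .bak suffix are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): enable Touch ID for sudo
# idempotently. Function names are this example's own.
TID_LINE='auth       sufficient     pam_tid.so'

# True if an uncommented auth rule already loads pam_tid.so.
has_touchid() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_tid\.so' "$1"
}

# enable_touchid_sudo FILE: put TID_LINE ahead of the first auth rule.
enable_touchid_sudo() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if has_touchid "$file"; then
        return 0                      # already enabled, leave untouched
    fi
    tmp=$(mktemp) || return 1
    # $1 == "auth" skips comment lines; exit 1 if no auth rule exists.
    awk -v line="$TID_LINE" '
        !done && $1 == "auth" { print line; done = 1 }
        { print }
        END { if (!done) exit 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; echo "no auth rule in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"              # overwrite in place: keeps owner and mode
    rm -f "$tmp"
    has_touchid "$file"               # verify the rule is now present
}

# Demo on a constructed copy of the file shown above, not the live one.
demo=$(mktemp)
printf '%s\n' '# sudo: auth account password session' \
    'auth       required       pam_opendirectory.so' \
    'account    required       pam_permit.so' \
    'password   required       pam_deny.so' \
    'session    required       pam_permit.so' > "$demo"
enable_touchid_sudo "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

To apply it to the live file, run the function as root against /etc/pam.d/sudo and keep a root shell open until a fresh sudo succeeds, since a malformed PAM file can leave sudo unusable.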


Reference: https://apple.stackexchange.com/questions/259093/can-touch-id-for-the-mac-touch-bar-authenticate-sudo-users-and-admin-privileges
