 Permanent TouchID & Apple Watch support 👆 for `sudo`.

Primary language: Shell. License: Eclipse Public License 2.0 (EPL-2.0).

sudo-touchid

Native and reliable TouchID support for sudo
Forked to use the pam_watchid package by msanders (see below)

Try it out without installing

curl -sL git.io/sudo-touch-id | sh

Now sudo is great, just like Safari — with your fingerprint in Terminal or whatever you're on.

Don't worry, you can also reverse it without installing

Please note: without full installation, TouchID for sudo will be disabled after the next macOS update.

Just type git.io/sudotouchid to go here.

Features

  • Fast
  • Reliable
  • Written in Bash — no dependencies!
  • Include it in your automated system build — always working and up to date with major macOS upgrades!

Changes made

  • Uses pam_watchid to allow for Apple Watch authentication when in clamshell mode
  • By default the pam_watchid module is placed into /usr/local/lib/pam/pam_watchid.so.2

Install

Via 🍺 Homebrew (Recommended)

brew install desousak/tap/sudo-touchid
sudo brew services start sudo-touchid

Check out the formula if you're interested

Using curl

curl -sL git.io/sudo-touchid | sh

curl is pre-installed in macOS

Performs automated "manual" installation.


The installation process:

  1. Makes the sudo-touchid command available.
  2. Makes it auto-run on every system launch (using a simple launchd daemon with RunAtLoad key set to true), so that when a macOS update erases our custom sudo configuration, sudo-touchid fixes it again.

Usage

sudo-touchid [options]
           # Running without options adds TouchID parameter to sudo configuration
             [-v,  --version]   # Output installed version
           # Commands:
             [-d,  --disable]   # Removes TouchID from sudo config

If not installed, it can be run via the curl bundled with macOS:

sh <( curl -sL git.io/sudo-touch-id ) [options]
                                    # Reliability — check :)
                                      [-d,  --disable]   # Removes TouchID from sudo config

Why?

  1. Productivity

    macOS updates do reset /etc/pam.d/sudo, so previously users had to manually edit the file after each upgrade.

    This tool was born to automate the process, allowing for TouchID sudo auth to be quickly enabled on a new/clean system.

  2. Spreading the technology.

    I bet half of you didn't know.

    It was there for a long time.

  3. Lightness

    The script is small, doesn't need any builds, doesn't need Xcode.

    Code size comparison — previously favoured solution VS. the one you're currently reading:


How does it work?

sudo-touchid.sh — the script:

  • Adds auth sufficient pam_tid.so (for Touch ID) and auth sufficient pam_watchid.so (for Apple Watch) to the top of the /etc/pam.d/sudo file, following @cabel's advice

  • Creates a backup file named sudo.bak.

  • Has a --disable (-d) option that performs the opposite of the steps above.
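
The edit described in the list above, written out as an added example; it is not the project's sudo-touchid.sh. The function names and the FILE argument are hypothetical, chosen so the logic can be run against a copy of /etc/pam.d/sudo; the example also skips the rewrite when both lines are already present, so a second run does not overwrite the backup with an already-modified file.

```shell
#!/bin/sh
# Added example, not the project's sudo-touchid.sh. Function names and the FILE
# argument are hypothetical; the two PAM lines are the ones the README names.
# FILE can be a copy of /etc/pam.d/sudo; the live file needs root to write.
MODULES='pam_tid.so pam_watchid.so'

# pam_has MODULE FILE: succeeds if an uncommented "auth sufficient MODULE" line exists.
pam_has() {
    awk -v m="$1" '$1 == "auth" && $2 == "sufficient" && $3 == m { f = 1 }
                   END { exit !f }' "$2"
}

# touchid_enable FILE: put the missing lines at the top, keeping FILE.bak.
touchid_enable() {
    file=$1
    tmp=$(mktemp) || return 1
    for m in $MODULES; do
        pam_has "$m" "$file" || printf 'auth       sufficient     %s\n' "$m" >> "$tmp"
    done
    # Nothing missing: leave the file and any earlier backup untouched.
    if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 0; fi
    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
    # Rewrite in place (cat >) so the owner and mode of FILE are preserved.
    cat "$file" >> "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# touchid_disable FILE: remove every "auth sufficient" line for the two modules.
touchid_disable() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '!($1 == "auth" && $2 == "sufficient" &&
           ($3 == "pam_tid.so" || $3 == "pam_watchid.so"))' "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Usage: sh this-file enable|disable /path/to/copy-of-pam-file
case "${1:-}" in
    enable)  touchid_enable "$2" ;;
    disable) touchid_disable "$2" ;;
esac
```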

Non-Homebrew files:

com.user.sudo-touchid.plist — the property list (global daemon):

  • Runs sudo-touchid.sh on system reload

    Needed because any following macOS updates just wipe out our custom sudo.

install.sh — the installer:

  • Saves sudo-touchid.sh as /usr/local/bin/sudo-touchid and gives it the permission to execute.

    (yes, that also means you're able to run sudo-touchid from Terminal)

  • Saves com.user.sudo-touchid.plist to /Library/LaunchDaemons/ so that it's running on boot (requires root permission).


Manual installation

  1. Generally follow the steps provided by the installer in "Non-Homebrew files"
  2. If you need to, store sudo-touchid.sh anywhere else and replace /usr/local/bin in com.user.sudo-touchid.plist with the chosen path.

Contributing

PRs and Issues are very welcome!

If you don't like something — change it or inform the ones willing to help.


Related

Disabling password prompt for sudo

  • Change %admin ALL=(ALL) ALL to %admin ALL=(ALL) NOPASSWD: ALL in /etc/sudoers

TouchID support in tmux