Native and reliable TouchID support for sudo
Forked to use the pam_watchid package by msanders (see below)
curl -sL git.io/sudo-touch-id | sh
Now sudo is great, just like Safari — with your fingerprint in Terminal or whatever you're on.
Don't worry, you can also reverse it without installing
Please note: without full installation, TouchID for sudo will be disabled after the next macOS update.
- Fast
- Reliable
- Written in Bash — no dependencies!
- Include it in your automated system build — always working and up to date with major macOS upgrades!
- Uses pam_watchid to allow for Apple Watch authentication when in clamshell mode
- By default the pam_watchid module is placed into /usr/local/lib/pam/pam_watchid.so.2
Via 🍺 Homebrew (Recommended)
brew install desousak/tap/sudo-touchid
sudo brew services start sudo-touchid
Check out the formula if you're interested
Using curl
curl -sL git.io/sudo-touchid | sh
curl is pre-installed in macOS
Performs automated "manual" installation.
The installation process:
- Makes the sudo-touchid command available.
- Makes it auto-run on every system launch (using a simple launchd daemon with RunAtLoad key set to true), so that when a macOS update erases our custom sudo configuration, sudo-touchid fixes it again.
sudo-touchid [options]
# Running without options adds TouchID parameter to sudo configuration
[-v, --version] # Output installed version
# Commands:
[-d, --disable] # Removes TouchID from sudo config
If not installed, it can be used via curl (bundled with macOS):
sh <( curl -sL git.io/sudo-touch-id ) [options]
# Reliability — check :)
[-d, --disable] # Removes TouchID from sudo config
- Productivity
  macOS updates do reset /etc/pam.d/sudo, so previously users had to manually edit the file after each upgrade. This tool was born to automate the process, allowing for TouchID sudo auth to be quickly enabled on a new/clean system.
- Spreading the technology.
  I bet half of you didn't know. It was there for a long time.
- Lightness
  The script is small, doesn't need any builds, doesn't need XCode.
- Adds auth sufficient pam_tid.so (for Touch ID) and auth sufficient pam_watchid.so (for Apple Watch) to the top of the /etc/pam.d/sudo file, following @cabel's advice.
- Creates a backup file named sudo.bak.
- Has a --disable (-d) option that performs the opposite of the steps above.
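The three steps above (insert the two lines, keep a backup, reverse with disable) can be tried safely on a copy of the PAM file. The following is an added example, not sudo-touchid's own code: the function names and the sample file contents are assumptions made for illustration, and it inserts the lines ahead of the first auth entry rather than at line 1.

```shell
#!/bin/sh
# Added example, not sudo-touchid's own code. Operates on the file passed as $1,
# so it can be tried on a copy before touching /etc/pam.d/sudo (which needs root).
TID_LINE='auth       sufficient     pam_tid.so'
WATCH_LINE='auth       sufficient     pam_watchid.so'
MANAGED_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_(tid|watchid)\.so([[:space:]]|$)'

# True when an active (uncommented) "auth sufficient" entry for module $2 exists.
has() { grep -Eq "^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+$2([[:space:]]|\$)" "$1"; }
is_enabled() { has "$1" 'pam_tid\.so' && has "$1" 'pam_watchid\.so'; }

# Remove both managed lines; writing with cat keeps the file's owner and mode.
disable_touchid() {
    file=$1
    tmp=$(mktemp) || return 1
    sed -E "/$MANAGED_RE/d" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Insert both lines ahead of the first auth entry. PAM evaluates the stack in
# order, so they must precede the password module for Touch ID to be tried first.
enable_touchid() {
    file=$1
    is_enabled "$file" && return 0          # idempotent: no duplicates, backup untouched
    cp -p "$file" "$file.bak" || return 1   # backup, as with the sudo.bak described above
    tmp=$(mktemp) || return 1
    sed -E "/$MANAGED_RE/d" "$file" |
        awk -v a="$TID_LINE" -v b="$WATCH_LINE" '
            !done && /^[ \t]*auth[ \t]/ { print a; print b; done = 1 }
            { print }
            END { if (!done) { print a; print b } }' > "$tmp" &&
        cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Constructed sample modelled on a stock macOS /etc/pam.d/sudo.
write_sample() {
    printf '%s\n' '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' \
        'password   required       pam_deny.so' \
        'session    required       pam_permit.so' > "$1"
}

demo=$(mktemp) && write_sample "$demo" && enable_touchid "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Running enable_touchid a second time leaves the file and its backup unchanged, which is the property a RunAtLoad job needs when it re-applies the configuration on every boot.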
Non-Homebrew files:
- Runs sudo-touchid.sh on system reload.
  Needed because any following macOS updates just wipe out our custom sudo.
- Saves sudo-touchid.sh as /usr/local/bin/sudo-touchid and gives it the permission to execute.
  (Yes, that also means you're able to run sudo-touchid from Terminal.)
- Saves com.user.sudo-touchid.plist to /Library/LaunchDaemons/ so that it's running on boot (requires root permission).
- Generally follow the steps provided by the installer in "Non-Homebrew files"
- If you need to, store sudo-touchid.sh anywhere else and replace /usr/local/bin in com.user.sudo-touchid.plist with the chosen path.
If you don't like something — change it or inform the ones willing to help.
- Change %admin ALL=(ALL) ALL to %admin ALL=(ALL) NOPASSWD: ALL in /etc/sudoers
- Have a look at pam_reattach module