@fraune
Last active December 27, 2023 05:49
Enable a MacBook's Touch ID to authorize the `sudo` command in the macOS Terminal
sudo grep -q -F 'auth sufficient pam_tid.so' /etc/pam.d/sudo || sudo sed -i '' '2i\
auth sufficient pam_tid.so
' /etc/pam.d/sudo

fraune commented Feb 17, 2023

To use

  • Dump all three lines into your terminal. When you hit enter, you will be prompted for your sudo password (for the last time 😉).

Notes

  • This command will not change anything if the permission already exists.
  • You can verify the permission was added by checking that the first non-comment line of /etc/pam.d/sudo has the text auth sufficient pam_tid.so.
  • You can undo the work this script does by manually removing auth sufficient pam_tid.so from /etc/pam.d/sudo.

@JorgeGarciaEnki

Hi,

This only works for some time. If you get updates, you have to apply it again. Is there a way to make it permanent?

Thanks.


fraune commented Feb 28, 2023

@JorgeGarciaEnki I'm glad you asked!

The tricky part is that the sudo file needs your password to be edited. My solution was to check if the permission is set at shell login, and request your password to add the permission if not.

I came up with the following block of code. You should add it to your ~/.zshrc file.

if grep -q 'auth sufficient pam_tid.so' /etc/pam.d/sudo; then
  echo "Touch ID is enabled for sudo"
else
  read "response?Touch ID is not enabled for sudo. Would you like to enable it now? [y/n]: "
  if [[ "$response" == [yY] ]]; then
    sudo grep -q -F 'auth sufficient pam_tid.so' /etc/pam.d/sudo || sudo sed -i '' '2i\
auth sufficient pam_tid.so
' /etc/pam.d/sudo
    if grep -q 'auth sufficient pam_tid.so' /etc/pam.d/sudo; then
      echo "'auth sufficient pam_tid.so' added to /etc/pam.d/sudo"
    fi
  else
    echo "No modifications were made to /etc/pam.d/sudo"
  fi
fi

Some final notes:

  • I have only tested this with zsh
  • auth sufficient pam_tid.so should be the first permission in the list in your /etc/pam.d/sudo file. If it is not, the terminal will still prompt for your password.
  • If the permission doesn't work right away, try doing a full restart of your Mac
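The script below is an added example, not code from the gist or from any of the commenters. It packages the two checks the thread describes (is `auth sufficient pam_tid.so` present, and is it the first active line, so that PAM consults it before the password module `pam_opendirectory.so`) together with an idempotent enable step that can be run once under `sudo` or sourced from a login shell for the same at-login check as the `.zshrc` snippet above. It is POSIX sh rather than zsh, so it also works in bash without the `read` change discussed further down, avoids the BSD-only `sed -i ''`, does not assume the line must land at line 2, and takes the PAM file or directory as an argument so it can be exercised on a constructed copy without root. It also handles the layout introduced in macOS 14 (Sonoma), where `/etc/pam.d/sudo` begins with `auth include sudo_local` and Apple ships `/etc/pam.d/sudo_local.template`; writing the line to `sudo_local` is what survives OS updates, which is the persistence problem raised in the thread. The function names and the filename `touchid-sudo.sh` are my own, and the sample PAM files in the comments are constructed.

```shell
#!/bin/sh
# Added example (not code from the gist): check and enable Touch ID for sudo.
# Works on the PAM file passed in, so it can be exercised on a constructed
# copy without root; run it under sudo against the real directory.
# POSIX sh, no BSD-only "sed -i ''", so it runs in bash and zsh alike.

PAM_LINE='auth       sufficient     pam_tid.so'

# pam_tid_target [PAMDIR]: print the file that should carry the line.
# macOS 14 (Sonoma) and later: /etc/pam.d/sudo starts with
# "auth include sudo_local" and Apple ships sudo_local.template. sudo_local
# survives OS updates; direct edits to /etc/pam.d/sudo do not.
pam_tid_target() {
  dir=${1:-/etc/pam.d}
  if [ -f "$dir/sudo_local.template" ] || grep -qs 'sudo_local' "$dir/sudo"; then
    printf '%s\n' "$dir/sudo_local"
  else
    printf '%s\n' "$dir/sudo"
  fi
}

# pam_tid_status FILE
#   0  pam_tid.so is the first active (non-comment) line: Touch ID is asked first
#   1  pam_tid.so is present but later: PAM runs modules top to bottom, so the
#      password module (pam_opendirectory.so) prompts before it
#   2  pam_tid.so absent or FILE missing (a commented-out line does not count)
pam_tid_status() {
  file=$1
  [ -f "$file" ] || return 2
  active=$(grep -Ev '^[[:space:]]*(#|$)' "$file" || :)
  case $(printf '%s\n' "$active" | head -n 1) in
    *pam_tid.so*) return 0 ;;
  esac
  printf '%s\n' "$active" | grep -q 'pam_tid\.so' && return 1
  return 2
}

# pam_tid_enable FILE: idempotently make pam_tid.so the first active line.
# Unlike "sed 2i", this does not assume the header comment is exactly one
# line, and it removes a misplaced copy instead of adding a second one.
pam_tid_enable() {
  file=$1
  if pam_tid_status "$file"; then return 0; fi
  if [ ! -f "$file" ]; then
    # sudo_local does not exist until created; start from Apple's template
    if [ -f "$file.template" ]; then cp "$file.template" "$file"; else : > "$file"; fi
  fi
  tmp=$(mktemp) || return 1
  if awk -v line="$PAM_LINE" '
        /^[ \t]*#/ { print; next }            # keep comments untouched
        /pam_tid\.so/ { next }                # drop a misplaced active copy
        !inserted && !/^[ \t]*$/ { print line; inserted = 1 }
        { print }
        END { if (!inserted) print line }     # only comments: append
      ' "$file" > "$tmp" && cat "$tmp" > "$file"; then
    rm -f "$tmp"
    pam_tid_status "$file"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage: sudo sh touchid-sudo.sh /etc/pam.d
# With no argument the file only defines the functions (for sourcing from .zshrc).
touchid_sudo_main() {
  target=$(pam_tid_target "$1")
  if pam_tid_enable "$target"; then
    echo "Touch ID for sudo is enabled in $target"
  else
    echo "Could not enable Touch ID in $target (run under sudo?)" >&2
    return 1
  fi
}
[ $# -gt 0 ] && touchid_sudo_main "$1"
```

Run `sudo sh touchid-sudo.sh /etc/pam.d` once, or source the file from `~/.zshrc` or `~/.bashrc` and call `pam_tid_status "$(pam_tid_target)"` to get the same login-time check as the snippet above without hard-coding line 2 of the file. Writing the result back with `cat "$tmp" > "$file"` rather than `mv` keeps the original file's owner and mode, which matters for a file under /etc/pam.d.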

@JorgeGarciaEnki

Great, thanks!


fatso83 commented Jun 15, 2023

If anyone wants to get this running in bash, try changing the read prompt:

  read -p "Touch ID is not enabled for sudo. Would you like to enable it now? [y/n]: " response
