# Run as root: every step below writes to /etc/pam.d
# Write the new file
awk 'NR==2 {print "auth sufficient pam_tid.so"} 1' /etc/pam.d/sudo > /etc/pam.d/sudo.new
# Make a backup of the current file
cp /etc/pam.d/sudo /etc/pam.d/sudo.bak
# Replace the current file with the new file
mv /etc/pam.d/sudo.new /etc/pam.d/sudo
# If you need to restore the backup and do not have
# access to sudo due to the issue, reboot into recoveryOS.
# Mount your data volume
# Open the terminal and cd to
# /Volumes/<data volume>/private/etc/pam.d
# mv sudo.bak sudo
@marzvrover did you ever find any documentation explaining why this is undone during Mac OS X updates?
It is great because, say for example, you really are in a government high-stakes job or whatever, your system sudoers password would not end up being in the keylogger.
@stemount I haven't. I found speculation that resetting /etc/pam.d/* files to stock was related to updating from systems without SIP, but SIP was introduced with OS X 10.11 El Capitan. One would think by now with macOS 11 Big Sur that wouldn't be needed. This should be affecting not just TouchID users, but users of SmartCards and other alternative authentication methods.
One would think by now with macOS 11 Big Sur that wouldn't be needed
One would think Big Sur isn't needed ;-)
I'll bookmark this thread and I'll play with Touch ID and other PAM methods that Big Sur supports on my M1 mini when I'm next out of things to do 💯
Touch ID is great. Unfortunately, the sudo command requires you to use your password. You can however modify the /etc/pam.d/sudo file to fix this. But on subsequent macOS updates, this is undone. Executing this file makes the changes for you.
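An idempotent variant of the insertion step, as an added example that is not part of the gist: because updates revert `/etc/pam.d/sudo` and the script gets re-run, it checks for an existing uncommented `pam_tid.so` rule before inserting, and verifies the patched copy before replacing the file. The function names `has_tid` and `enable_tid` and their return codes are assumptions of this example; the path is a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not the gist's own code. Rule text is taken from the gist.
TID_LINE='auth sufficient pam_tid.so'

# has_tid FILE: succeed only if an uncommented pam_tid.so auth rule exists.
# Field comparison tolerates any whitespace between the columns.
has_tid() {
    awk '$1 == "auth" && $2 == "sufficient" && $3 == "pam_tid.so" { found = 1 }
         END { exit !found }' "$1"
}

# enable_tid FILE: insert the rule as line 2 unless it is already there.
# Returns 0 = file changed, 1 = rule already present, 2 = error (file untouched).
enable_tid() {
    file=$1
    [ -f "$file" ] || return 2
    if has_tid "$file"; then return 1; fi
    tmp=$(mktemp "$file.XXXXXX") || return 2
    # cp -p first so the temp file inherits the mode and owner of the
    # original; then the same awk insertion as the gist. The has_tid check
    # on the result catches a file too short for NR==2 to ever match.
    if cp -p "$file" "$tmp" &&
       awk -v line="$TID_LINE" 'NR==2 {print line} 1' "$file" > "$tmp" &&
       has_tid "$tmp" &&
       cp -p "$file" "$file.bak" &&
       mv -f "$tmp" "$file"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Usage (script name is hypothetical): sh enable_tid.sh /path/to/copy-of-sudo
if [ "$#" -gt 0 ]; then enable_tid "$1"; fi
```

Because the backup is only written when the rule is missing, `sudo.bak` always holds the file as it was before the rule was added, not an already patched copy.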