sudo vim /etc/pam.d/sudo
Add the following line at the beginning:
auth sufficient pam_tid.so
brew install pam-reattach
sudo vim /etc/pam.d/sudo
Add the following at the beginning:
auth optional /opt/homebrew/lib/pam/pam_reattach.so ignore_ssh
Note that with the method above you can also unlock with your watch, because it approves the Touch ID prompt while you are wearing it, so you probably won't need the following.
- Clone this repo: https://github.com/biscuitehh/pam-watchid
- Change DESTINATION to /opt/homebrew/lib/pam
- Change TARGET to arm64-apple-darwin20.1.0
- Run sudo make install
- Add the following line to /etc/pam.d/sudo:
auth sufficient /opt/homebrew/lib/pam/pam_watchid.so
Finally, your sudo file should look like this:
# sudo: auth account password session
auth optional /opt/homebrew/lib/pam/pam_reattach.so ignore_ssh
auth sufficient /opt/homebrew/lib/pam/pam_watchid.so
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
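
As an added example (not part of the original notes or of the projects named above), the shell function below checks a sudo PAM file for the ordering used in the final file: pam_tid.so ahead of the first required auth module, and pam_reattach.so ahead of pam_tid.so. It also flags modules referenced by absolute path that the current user can overwrite, since sudo loads them as root; the function names and messages are this example's own, and it is meant to be run as your normal user, not through sudo.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check a sudo PAM stack.

# Print the line number of the first "auth" entry whose module file name is $2.
# Comment lines never match because their first field is not "auth".
auth_line() {
    awk -v mod="$2" '$1 == "auth" { n = split($3, p, "/")
        if (p[n] == mod) { print NR; exit } }' "$1"
}

# check_sudo_pam FILE: print findings; return 0 if clean, 1 otherwise.
check_sudo_pam() {
    file=$1; rc=0
    tid=$(auth_line "$file" pam_tid.so)
    reattach=$(auth_line "$file" pam_reattach.so)
    required=$(awk '$1 == "auth" && $2 == "required" { print NR; exit }' "$file")

    if [ -z "$tid" ]; then
        echo "FAIL: no 'auth ... pam_tid.so' entry, Touch ID is not enabled"; rc=1
    elif [ -n "$required" ] && [ "$tid" -gt "$required" ]; then
        echo "FAIL: pam_tid.so (line $tid) comes after the first required auth module (line $required)"; rc=1
    fi
    if [ -n "$reattach" ] && [ -n "$tid" ] && [ "$reattach" -gt "$tid" ]; then
        echo "FAIL: pam_reattach.so (line $reattach) must come before pam_tid.so (line $tid)"; rc=1
    fi

    # Modules given by absolute path are loaded by sudo as root, so neither the
    # file nor its directory should be writable by the unprivileged user.
    for path in $(awk '$1 == "auth" && $3 ~ /^\// { print $3 }' "$file"); do
        if [ ! -e "$path" ]; then
            echo "WARN: $path does not exist"
        elif [ -w "$path" ] || [ -w "$(dirname "$path")" ]; then
            echo "FAIL: $path is writable by the current user"; rc=1
        fi
    done
    return $rc
}
```

After sourcing the file, run check_sudo_pam /etc/pam.d/sudo; a writable-module finding means any process running as your user could replace code that sudo executes as root.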