Since macOS High Sierra it has been possible to enable Touch ID authentication for the sudo tool by adding pam_tid.so to /etc/pam.d/sudo. However, that change had to be re-applied after every macOS update, because the update overwrote the modified /etc/pam.d/sudo file with Apple's default contents.
As of macOS Sonoma, this modification can now be persistent. Apple included the following note as part of the What's new for enterprise in macOS Sonoma KBase article:
Touch ID can be allowed for sudo with a configuration that persists across software updates using /etc/pam.d/sudo_local. See /etc/pam.d/sudo_local.template for details.
When examined on macOS Sonoma 14.0.0, the contents of the /etc/pam.d/sudo_local.template file are as shown below:
```
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so
```
Copying /etc/pam.d/sudo_local.template to /etc/pam.d/sudo_local and uncommenting the indicated line enables Touch ID authentication for the sudo tool. The copy has to be done with root privileges, with the new file owned and permissioned like the other files in /etc/pam.d (root:wheel, mode 444). Because the line is marked sufficient rather than required, sudo falls back to the usual password prompt whenever pam_tid.so cannot succeed, for example in an SSH session or on a Mac without a Touch ID sensor, so the change cannot lock you out.
To assist with the process of enabling and disabling Touch ID authentication for the sudo tool, I’ve written a couple of scripts. For more details, please see below the jump.
The scripts are available via the link below:
There are two scripts available at the above location:
- enable_touch_id_auth_for_sudo.sh: Enables Touch ID authentication for the sudo tool.
- disable_sudo_touch_id_auth.sh: Disables Touch ID authentication for the sudo tool.
Both scripts check that they are running on macOS Sonoma or later, and exit with a message if they are run on an earlier version of macOS.
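As an added example (my own code, not the author's two scripts from the link above), here is a single POSIX shell script that performs the same enable and disable steps described on this page: it checks for macOS 14 or later, copies /etc/pam.d/sudo_local.template to /etc/pam.d/sudo_local with the pam_tid.so line uncommented, and comments the line back out to disable. The template and target paths are the ones Apple documents; the function names, the status subcommand and the SUDO_LOCAL_TEMPLATE / SUDO_LOCAL override variables are my own additions so the functions can be exercised against copies of the files.

```shell
#!/bin/sh
# Added example: enable/disable Touch ID for sudo on macOS Sonoma and later
# via /etc/pam.d/sudo_local. Function names and the override variables are
# assumptions for this example; the paths are Apple's documented ones.
set -eu

TEMPLATE="${SUDO_LOCAL_TEMPLATE:-/etc/pam.d/sudo_local.template}"
TARGET="${SUDO_LOCAL:-/etc/pam.d/sudo_local}"

# Major version of a macOS product version string ("14.2.1" -> 14).
macos_major() {
    printf '%s\n' "$1" | cut -d. -f1
}

# sudo_local is only honoured from macOS 14 (Sonoma) onward.
supports_sudo_local() {
    [ "$(macos_major "$1")" -ge 14 ]
}

# True when file $1 exists and contains an active (uncommented) pam_tid.so auth line.
touch_id_enabled() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Create $2 from template $1 with the pam_tid.so line uncommented.
# Idempotent: if $2 already has the line active, nothing is touched.
enable_touch_id() {
    tmpl="$1"; dest="$2"
    if touch_id_enabled "$dest"; then
        return 0
    fi
    [ -f "$tmpl" ] || { echo "template $tmpl not found" >&2; return 1; }
    # Uncomment only the pam_tid.so line and keep Apple's comments intact.
    # Write to a temp file first so a failed sed never leaves a truncated PAM file.
    tmp="$dest.tmp.$$"
    sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' "$tmpl" > "$tmp"
    if ! grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$tmp"; then
        rm -f "$tmp"; echo "no pam_tid.so line found in $tmpl" >&2; return 1
    fi
    mv -f "$tmp" "$dest"
    chmod 444 "$dest"   # read-only like Apple's own files in /etc/pam.d
}

# Comment the pam_tid.so line back out in $1, leaving any other local
# configuration in place. No-op if the file is absent or already disabled.
disable_touch_id() {
    dest="$1"
    touch_id_enabled "$dest" || return 0
    tmp="$dest.tmp.$$"
    sed -E 's/^([[:space:]]*)(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1#\2/' "$dest" > "$tmp"
    mv -f "$tmp" "$dest"
    chmod 444 "$dest"
}

# Command-line use (writing under /etc/pam.d requires root):
#   sudo sh touch_id_sudo.sh enable|disable|status
case "${1:-}" in
    enable|disable)
        supports_sudo_local "$(sw_vers -productVersion)" || {
            echo "sudo_local requires macOS Sonoma (14) or later" >&2; exit 1; }
        [ "$(id -u)" -eq 0 ] || { echo "run this script with sudo" >&2; exit 1; }
        if [ "$1" = enable ]; then enable_touch_id "$TEMPLATE" "$TARGET"
        else disable_touch_id "$TARGET"; fi ;;
    status)
        if touch_id_enabled "$TARGET"; then echo "Touch ID for sudo: enabled"
        else echo "Touch ID for sudo: disabled"; fi ;;
    "") ;;   # sourced with no command: define the functions only
    *) echo "usage: $0 enable|disable|status" >&2; exit 2 ;;
esac
```

Enabling and disabling both go through a temporary file and mv, so /etc/pam.d/sudo_local is never left half-written if sed fails, and the disable path comments the line out rather than deleting the file, so any other local PAM configuration you have placed there survives.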