How to Enable Touch ID for sudo on macOS Sonoma (14.x) and Beyond
Are you tired of typing long passwords multiple times per day in the macOS Terminal? Well, there's a better way! Read on, friend.
Integrating Touch ID for sudo commands enhances both security and efficiency on macOS. This guide provides a streamlined method for users of macOS Sonoma (14.x) and later that persists across system updates, with a nod to those who've contributed to simplifying this process.

Acknowledgment
We've drawn inspiration and guidance from a script by Rich Trouton, found on his GitHub repository. A special thanks to Rich for his contributions to the macOS community. View the original script here.
For further details on Touch ID and its capabilities on your Mac, visit Apple Support.
Prerequisites
An Apple Silicon Mac with Touch ID. (Touch ID must be enabled!)
macOS Sonoma (14.x) or newer.
Administrative privileges.
Step-by-Step Guide
Backup and Update the sudo_local File
The process involves backing up any existing sudo_local configuration and then updating it to enable Touch ID authentication for sudo commands, ensuring your custom settings remain effective even after macOS updates.
Automate the Configuration
An automated script would handle the setup smoothly by:
Verifying macOS version compatibility.
Backing up the current sudo_local file, if it exists.
Copying the sudo_local.template to sudo_local and activating Touch ID authentication.
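One way such a script could look, as an added example (not Rich Trouton's script and not code from this guide). The PAM_DIR override and the --apply switch are assumptions of this sketch, so the logic can be rehearsed on a scratch copy before touching /etc/pam.d:

```shell
#!/bin/sh
# Added example: automate the sudo_local steps from this guide.
# PAM_DIR is an assumption of this sketch so it can be rehearsed on a scratch copy.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Succeeds when a product version such as "14.4.1" is Sonoma (14) or newer.
is_supported_version() {
    major="${1%%.*}"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 14 ]
}

# Succeeds when the file holds an uncommented pam_tid.so auth line.
touchid_enabled() {
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1" 2>/dev/null
}

enable_touchid() {
    target="$PAM_DIR/sudo_local"
    template="$PAM_DIR/sudo_local.template"
    [ -f "$template" ] || { echo "missing $template" >&2; return 1; }
    if touchid_enabled "$target"; then return 0; fi   # already set up: no new backup
    tmp="$(mktemp "$PAM_DIR/sudo_local.XXXXXX")" || return 1
    # Build the new file beside the target so a failed edit never leaves a
    # half-written PAM file in place. The pattern tolerates padded columns.
    sed -e 's,^#auth\([[:space:]]*sufficient[[:space:]]*pam_tid\.so\),auth\1,' \
        "$template" > "$tmp"
    if ! touchid_enabled "$tmp"; then
        echo "no pam_tid line in template; sudo_local left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ -e "$target" ]; then
        mv "$target" "${target}_$(date "+%s").bak" || return 1
    fi
    # 0:0 is root:wheel on macOS; skipped when rehearsing as a normal user.
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$tmp" || return 1; fi
    chmod 555 "$tmp" && mv "$tmp" "$target"
}

# Nothing is modified unless the script is run as: sudo sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    is_supported_version "$(sw_vers -productVersion)" || {
        echo "macOS 14 or newer required" >&2; exit 1; }
    enable_touchid
fi
```

Running it a second time is a no-op: once sudo_local already contains the active pam_tid.so line, no further backup is created.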
Manual Configuration Steps
If you're manually configuring or wish to understand the internals, follow these steps:
Open Terminal: Found in Applications > Utilities.
Backup Existing sudo_local: If it exists, rename it for backup:
sudo mv /etc/pam.d/sudo_local /etc/pam.d/sudo_local_$(date "+%s").bak
Activate Touch ID Authentication:
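Copy the template and enable Touch ID by uncommenting its pam_tid.so line (the pattern matches whatever spacing separates the fields, since the template pads its columns with more than one space):
sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
sudo sed -i '' -e 's,^#auth\([[:space:]]*sufficient[[:space:]]*pam_tid\.so\),auth\1,' /etc/pam.d/sudo_local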
Set Correct Permissions:
Ensure the file ownership and permissions are correct:
sudo chown root:wheel /etc/pam.d/sudo_local
sudo chmod 555 /etc/pam.d/sudo_local
Test the Configuration
To verify Touch ID for sudo is operational:
sudo whoami
This command should prompt for Touch ID instead of a password. If correctly set up, it will return root, indicating successful superuser access through Touch ID.

Conclusion
By following this guide, macOS Sonoma users can enjoy the enhanced security and convenience of Touch ID for sudo commands, with a setup that endures through system updates. This method, inspired by Rich Trouton's script, demonstrates the macOS community's dedication to improving user experience.
Elevate your macOS security in our next blog post, where we explore using YubiKey as a PIV card for login and terminal access. Learn how to boost your system's defenses with YubiKey—a must-read for enhancing digital security seamlessly on macOS.