By Dan Moren
November 19, 2020 6:35 AM PT
Quick Tip: Enable Touch ID for sudo
My new MacBook Air is proving to be all that I’d hoped, and it’s not just because of the fancy new M1 processors. Since I’m coming from a 2014 MacBook, I’m reaping the benefits of all the other advancements Apple has made to its laptop line in the intervening years, and prime among those is the incorporation of Touch ID: I’ve already enabled it for 1Password (what a lifesaver) and, thanks to a tip from Twitter follower Josef, I can bring it to one of my other favorite places: the command line.
Josef pointed out that it’s relatively easy to add Touch ID support for sudo, the Terminal command that allows you to temporarily grant yourself the powers of the superuser, to do things that no mortal user can do! (Think of it as the command-line equivalent of typing your administrator password in that dialog box that pops up when you want to make a system-level change.)
The good news is that Apple has done most of the heavy lifting here by having built a pluggable authentication module (PAM) for Touch ID; all you need to do is essentially turn it on, which takes just a few simple steps.
First, open up Terminal. Navigate to the directory where the system stores the list of PAMs by typing cd /etc/pam.d/ and open the sudo file there in your favorite command-line text editor.[1] (You can always use a GUI editor like BBEdit, too.) Note that if you open it via the command line, you’ll need to use sudo itself to do so, since the file is (understandably) protected.
Once you’ve opened it, add the following below the first line (you’ll see the headers under which each of the entries goes):
auth sufficient pam_tid.so
That line basically tells the sudo command that the Touch ID authentication module is sufficient to authorize the user, which is all you need to do.
Save the file and you’re done! Now, the next time you use the sudo command, instead of being prompted for your password, you’ll get a dialog box asking you to authenticate with Touch ID, just as you would any other time you needed to authenticate. (And, as an extra bonus, if you choose to click Enter Password, you’ll get prompted to use either the password or your Apple Watch, if you have one.)
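The edit described above, scripted as an added example (not code from the original article): it inserts the line below the first line only when it is not already present, and keeps a backup to restore from. The function names and the sample file contents are constructed for illustration; on a real Mac the target would be /etc/pam.d/sudo and the script would need to run under sudo.

```shell
#!/bin/sh
# Added example: idempotently insert the Touch ID line below the first line
# of a PAM service file, keeping a backup. Function names are hypothetical.

TID_LINE='auth sufficient pam_tid.so'

# Succeeds if an uncommented pam_tid.so "auth sufficient" entry exists.
tid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Insert TID_LINE after line 1 of file $1; no change if already present.
enable_tid() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tid_enabled "$file" && return 0          # idempotent: never add it twice
    cp -p "$file" "$file.bak" || return 1    # backup to restore from
    tmp=$(mktemp) || return 1
    awk -v line="$TID_LINE" '{ print } NR == 1 { print line }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"              # overwrite in place, keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed stand-in for /etc/pam.d/sudo so the demo does not need root.
make_sample() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

demo=$(mktemp)
make_sample "$demo"
enable_tid "$demo" && enable_tid "$demo"     # second call changes nothing
cat "$demo"
rm -f "$demo" "$demo.bak"
```

If a sudo prompt misbehaves after the change, copying the .bak file back over the edited file restores the previous configuration.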
[1] I’m going to forestall the emacs debate by saying I’m a nano guy, don’t @ me.