By Dan Moren
August 18, 2023 5:33 AM PT
In macOS Sonoma, Touch ID for sudo can survive updates
One of the great things about having a Mac with built-in biometric authentication is not having to constantly type in your password. It’s particularly nice for those of us that work in Terminal, where you can set up Touch ID to authenticate the sudo command that bestows administrative powers.
However, there’s been one drawback to enabling that feature: because it means altering a system file, the change wouldn’t generally survive a system update. The file would get overwritten by the stock file every time macOS released a new version, meaning you’d have to go in and make the change again. I’m probably not alone in having given up on having Touch ID enabled, rather than playing the constant cat-and-mouse game.
But wait, there’s good news: in macOS Sonoma, Apple appears to have provided a new framework to work around this problem. As Mastodon user Rachel pointed out, Sonoma allows for an additional file that will persist through updates. So you can make the change once and it should stick.
From what I can tell, this system was put in place precisely for this feature. Apple provides a sudo_local.template file as an example, which not only contains a comment explaining that sudo_local will survive updates, but also even includes the code necessary to enable Touch ID.
So, without further ado, here are the steps for enabling this feature in macOS Sonoma, once and for all:
Open the Terminal app. Navigate to the directory that stores the authentication files by typing the following:
cd /etc/pam.d
Next, copy Apple’s provided template to the actual file that the system will read. You’ll need to use sudo and enter your administrator password to get permission:
sudo cp sudo_local.template sudo_local
Finally, open up the file you just made using your text editor of choice; I prefer pico. You’ll need to use sudo again here.
sudo pico sudo_local
In that file, navigate to the line that contains pam_tid.so and delete the hashtag (#) at the beginning. Save the file out by pressing Control-X, typing ‘Y’ to save your changes, and hitting Return.
That’s it; you’re done! We’ll have to wait and see if this truly works as described, but fingers crossed you should be able to keep Touch ID access for sudo for ever and ever.
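The steps above as a re-runnable shell function, added here as an example (it is not from the original article or from Apple). The function names and the sample template contents are assumptions; the paths are parameters so it can be tried on a scratch copy before being run as root against /etc/pam.d/sudo_local.template and /etc/pam.d/sudo_local.

```shell
#!/bin/sh
# Added example: scripted form of the copy-and-uncomment steps.
# Function names are hypothetical; paths are passed in as arguments.

# Succeeds if the file has an uncommented auth line that loads pam_tid.so.
touchid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tid\.so' "$1"
}

# Copy the template if the target is missing, then uncomment the pam_tid.so
# line. Safe to re-run: an already-enabled file is left untouched.
enable_touchid_sudo() {
    template=$1
    target=$2
    [ -f "$target" ] || cp "$template" "$target" || return 1
    touchid_enabled "$target" && return 0
    tmp=$(mktemp) || return 1
    sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]].*pam_tid\.so.*)$/\1/' \
        "$target" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install a result that still lacks an active pam_tid.so line
    # (for example, a hand-written sudo_local with no such line to uncomment).
    touchid_enabled "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$target" && rm -f "$tmp"
}

# Constructed sample standing in for Apple's template (contents assumed).
make_sample_template() {
    cat > "$1" <<'EOF'
# sudo_local: local config file which survives system update
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so
EOF
}
```

After a macOS update, running touchid_enabled against /etc/pam.d/sudo_local is a quick way to confirm the setting persisted.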
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @dmoren@zeppelin.flights or reach him by email at dan@sixcolors.com. His latest novel, the supernatural detective story All Souls Lost, is now available for pre-order.]