How to Use Touch ID to Authenticate sudo on Mac OS

Nov 22, 2017 - 9 Comments

sudo with Touch ID on a Mac

If you have a Touch Bar equipped MacBook Pro and you’re a frequent command line user, you may appreciate a trick that allows you to use Touch ID to authenticate sudo and su, rather than typing out your password in the Terminal like some kind of digital neanderthal.


One notable problem (or trade-off) is that if you connect to the Mac over SSH with this enabled, you won’t be able to use sudo, since Touch ID will not transmit over the remote session. There are mixed reports that this may change in beta versions of High Sierra, however.

Anyway, if you’re an advanced Mac user with a Touch Bar and Touch ID equipped Mac, here’s how you can enable Touch ID support for sudo authentication. This is really not going to be applicable to novice users or those who don’t spend a significant amount of time at the command line authenticating with sudo, and because this involves editing a system file it’s a good idea to back up your Mac before beginning this process.

How to Use Touch ID for sudo on Mac

Back up your Mac before beginning. From the Terminal (of course), you’ll want to edit /etc/pam.d/sudo by adding a new line to it. For our purposes here we’ll use nano but you’re free to use vim or emacs, or even a GUI app if you’re so inclined.

  1. Open Terminal app if you haven’t done so already, then enter the following command:

     sudo nano /etc/pam.d/sudo

  2. Hit Return and then add the following line to the top:

     auth sufficient pam_tid.so

  3. Save the edit with Control+O and then exit nano with Control+X

Now you’re ready to go: Touch ID will authenticate sudo, so you no longer have to enter a password at the command line. And yes, of course you can still use your password too. Note that some users report needing to reboot or refresh their shell to get this to work.

Now the next time you run sudo or su to use root user or run commands as root, you’re able to authenticate by placing a finger onto Touch ID.


This is undeniably useful for Mac users with Touch ID machines, enough so that it should probably be a dedicated settings option somewhere rather than a command line modification. Another helpful trick is to change the sudo timeout for entering a password, which in this case would mean extending the timeout before having to authenticate with Touch ID again.

This tip comes to us from @cabel on Twitter, where it has gained some popularity and was the first I’d heard of it, but it’s worth mentioning that using sudo with Touch ID had been discussed before by HamzaSood on GitHub and elsewhere on the web through various methods. For those Mac users with Touch ID equipped machines who spend a lot of time in the Terminal, this may appeal to you, so try it out!

Oh and if you want to reverse this change, simply remove the “auth sufficient pam_tid.so” line from /etc/pam.d/sudo again.
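The edit and its reversal described above, written as an idempotent script (an added example, not from the original article). The function names and the .bak backup suffix are choices made for this example, and the demo runs on a constructed sample file rather than the real /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example. Functions take the PAM file path as $1 so they can be tried on a copy.
TID_LINE='auth sufficient pam_tid.so'
# Matches the rule whatever the spacing between its three fields.
TID_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

tid_enabled() {   # exit status 0 if the rule is already in file $1
    grep -Eq "$TID_RE" "$1"
}

tid_enable() {    # put the rule on the first line of file $1, once
    f=$1
    tid_enabled "$f" && return 0         # already present: change nothing
    cp -p "$f" "$f.bak" || return 1      # copy to roll back to
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$TID_LINE"; cat "$f"; } > "$tmp" || return 1
    cat "$tmp" > "$f" && rm -f "$tmp"    # overwrite in place, keeping owner and mode
}

tid_disable() {   # delete the rule from file $1, leaving other lines untouched
    f=$1
    tid_enabled "$f" || return 0
    tmp=$(mktemp) || return 1
    sed -E "/$TID_RE/d" "$f" > "$tmp" || return 1
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Demo on a constructed stand-in for /etc/pam.d/sudo (no root needed).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
tid_enable "$demo" && tid_enable "$demo"   # second call is a no-op
head -n 2 "$demo"                          # new rule, then the original first line
tid_disable "$demo"
cmp -s "$demo" "$demo.bak" && echo "file matches the backup again"
rm -f "$demo" "$demo.bak"
```

To apply it for real, call tid_enable on /etc/pam.d/sudo as root, and keep that root shell open until a fresh sudo in another window succeeds.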


Posted by: Paul Horowitz in Command Line, Mac OS, Tips & Tricks

9 Comments


  1. tomatoes says:

    After adding that line exactly as instructed, I now get a GUI dialog with username and password when I try to run sudo command.

  2. adaron says:

    Hello,
    After adding “auth sufficient pam_tid.so” to sudo file, sudo commands work as intended, still the standard user is not part of sudoers, so I hoped this will also affect $su user_priv lets say. But when I try to change the standard user to user_priv, Touch ID does not kick in, is still requiring password. I think changes are needed to /etc/pam.d/su file as well but I am not there yet, can you please help?

  3. Joe says:

    Sorry but touch id sounds like a security risk to me. Not for your Mac but your identity itself. Better off using a strong password.

  4. Ogles of Kansas says:

    Cool but I would rather have a real keyboard and Face ID I think. I don’t like touch bar.

  5. Howie Isaacks says:

    Darn it. This makes me want a Touch ID equipped MacBook Pro even more. I have a mid-2015 model that works great, does everything I need it to do very fast, but having the ability to use Touch ID on my MacBook Pro would be awesome. I wonder how long it will take for Face ID to happen on Mac. Of course the people who cover up their camera would have to refrain from doing that if they wanted to use Face ID.

    • The Holiday Drama says:

      This is the first time I’ve seen something useful about Touch Bar on a Mac. But while Touch ID for sudo is interesting, I’d personally never give up a good MacBook Pro (2015) with so many great features just to get that capability and all the loss that comes with it.

      The 2015 MacBook Pro is as good as it gets if you ask me, and Marco Arment (founder of Tumblr, prominent Apple writer and pundit) agrees and points out the obvious, calling it the “best laptop ever made” and I would agree with that thoroughly after seeing alternatives.

      https://marco.org/2017/11/14/best-laptop-ever

      The 2018/2016/2017 Touch Bar MacBook Pro keyboard is pretty bad, so much so that there are parody songs about how bad the keyboard is and how easy it screws up from even just dust:

      https://www.youtube.com/watch?v=FdS3tjEIqUA

      And many, many articles online discussing the dreadful keyboard

      https://theoutline.com/post/2402/the-new-macbook-keyboard-is-ruining-my-life

      Or the terrible dongle USB-C situation

      https://marco.org/2017/10/14/impossible-dream-of-usb-c

      https://marco.org/2016/11/02/design-for-the-present

      Also the Touch Bar itself is a mess and often crashes, it’s slow, and makes you look at your keys when you type which is what all of us were taught exactly NOT to do when learning how to type (remember when they put a box over your hands in typing class??). The lack of an escape key or function buttons makes everything slower and more cumbersome to use ESC or even change sound or brightness. Touch ID is iffy, sometimes OK, but sometimes doesn’t work, or sometimes is slower than typing a password.

      Personally I specifically bought a 2015 MacBook Pro rather than a 2017, I like magsafe, the keyboard, escape key, ports, no need for dongles, etc. Cheaper too.

      I hope Apple learns the harsh lesson and abandons the current MacBook Pro and starts from scratch, aiming it at real Pro users. A keyboard should not be an obstacle, and neither should ports, a bag of dongles should not be required, nor trying to figure out how to change brightness or use escape or anything else. That’s my 50 cents.

      • Anne says:

        Good to know this. I have considered a laptop. I’ll wait until my Mac mini becomes nonfunctional.

        I too find Touch ID oversold. It has never, not once, recognized me on the iPhone. iPad was hit and miss.

        My brand new iPad Pro seems somewhat better.

      • The Skeptic says:

        I agree with what you and Marco are saying… yet it’s hard to believe that Apple will abandon a concept that has brought significant sales increases to the Mac line.
