How to Use Touch ID to Authenticate sudo on Mac OS
If you have a Touch Bar equipped MacBook Pro and you’re a frequent command line user, you may appreciate a trick that allows you to use Touch ID to authenticate sudo and su, rather than typing out your password in the Terminal like some kind of digital neanderthal.
One notable problem (or trade-off) is that if you use SSH to connect to a Mac with this enabled, you won’t be able to use sudo since Touch ID will not transmit. There are mixed reports that this may be changed in beta versions of High Sierra, however.
Anyway, if you’re an advanced Mac user with a Touch Bar and Touch ID equipped Mac, here’s how you can enable Touch ID support for sudo authentication. This is really not going to be applicable to novice users or those who don’t spend a significant amount of time at the command line authenticating with sudo, and because this involves editing a system file it’s a good idea to back up your Mac before beginning this process.
How to Use Touch ID for sudo on Mac
Back up your Mac before beginning. From the Terminal (of course), you’ll want to edit /etc/pam.d/sudo by adding a new line to it. For our purposes here we’ll use nano but you’re free to use vim or emacs, or even a GUI app if you’re so inclined.
- Open Terminal app if you haven’t done so already, then enter the following command:
  sudo nano /etc/pam.d/sudo
- Hit Return and then add the following line to the top:
  auth sufficient pam_tid.so
- Save the edit with Control+O and then exit nano with Control+X
Now you’re ready to go: Touch ID will authenticate sudo, so you no longer have to enter a password at the command line. And yes of course you can still use your password too. Note that some users report needing to reboot or refresh their shell to get this to work.
The next time you run sudo or su to use the root user or run commands as root, you’re able to authenticate by placing a finger onto Touch ID.
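The edit described above, as an added shell example that is not part of the original article: it inserts the line ahead of the first auth rule (PAM skips comment lines, so this is equivalent to the top of the file), keeps a .bak copy, and changes nothing if pam_tid.so is already configured. The function names and the sample file contents are assumptions made for the demo, which runs on a scratch copy rather than on /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example (not from the article): idempotent version of the edit above.
PAM_LINE='auth sufficient pam_tid.so'   # the line given in the article

# has_tid FILE: true if an uncommented auth rule already loads pam_tid.so
has_tid() {
    awk '$1 == "auth" && $3 == "pam_tid.so" { f = 1 } END { exit !f }' "$1"
}

# first_auth_module FILE: print the module named by the first auth rule
first_auth_module() {
    awk '$1 == "auth" { print $3; exit }' "$1"
}

# enable_tid FILE: back up FILE, then insert PAM_LINE before the first auth rule
enable_tid() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    has_tid "$file" && return 0          # already enabled, change nothing
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    awk -v line="$PAM_LINE" '
        !done && $1 == "auth" { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"                 # write in place: keeps owner and mode
    rm -f "$tmp"
}

# make_sample FILE: constructed stand-in for /etc/pam.d/sudo (not a real copy)
make_sample() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
EOF
}

# Demo on a scratch copy; the real /etc/pam.d/sudo can only be edited as root.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/sudo"
enable_tid "$demo_dir/sudo" && first_auth_module "$demo_dir/sudo"
rm -rf "$demo_dir"
```

When applying this to the real file, run enable_tid /etc/pam.d/sudo from a root shell and keep that shell open until a second terminal confirms that sudo still authenticates.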
This is undeniably useful for Mac users with Touch ID machines, enough so that it should probably be a dedicated settings option somewhere rather than a command line modification. Another helpful trick is to change the sudo timeout for entering a password, which in this case would mean extending the timeout before having to authenticate with Touch ID again.
This tip comes to us from @cabel on Twitter where it has gained some popularity and was the first I’d heard of it, but it’s worth mentioning that using sudo with Touch ID had been discussed before by HamzaSood on GitHub and elsewhere on the web through various methods. For those Mac users with Touch ID equipped machines and who spend a lot of time in the Terminal, this may appeal to you, so try it out!
Oh and if you want to reverse this change, simply remove the “auth sufficient pam_tid.so” line from /etc/pam.d/sudo again.