In the vast and ever-evolving world of macOS, the highly anticipated release of macOS Sonoma (macOS 14) marked a monumental shift in the way users can enhance the security of their systems by enabling Touch ID authentication for sudo commands.
This post seeks to serve as a detailed guide on the step-by-step process of setting up Touch ID for sudo on both pre-Sonoma versions of macOS as well as the Sonoma (and subsequent) versions. By carefully following the instructions outlined in this post, you can start to leverage the power of Touch ID and take your macOS experience to new heights of convenience and security.
⚠️ Modifying PAM configurations can make your system unusable if done incorrectly. Proceed with caution.
Before macOS Sonoma (Pre-macOS 14)
Prior to macOS Sonoma, enabling Touch ID for sudo required modifications to the /etc/pam.d/sudo file. Here's how you could set it up:
Launch the Terminal application on your Mac.
Edit sudo configuration:
Use a text editor to open the /etc/pam.d/sudo file. For instance, you can use nano:
sudo nano /etc/pam.d/sudo
Add Touch ID rule:
At the top of the file, add the following line:
auth sufficient pam_tid.so
Save and close:
Save the file and close the editor. In nano, you'd press Ctrl + X, then Y to confirm, and
Now, when you use the sudo command in Terminal, you should be prompted for a fingerprint scan instead of a password.
🔔 Note: The /etc/pam.d/sudo file is overwritten after EVERY macOS update, even minor system updates. You therefore need to repeat these steps after each macOS update to keep Touch ID authentication for sudo.
macOS Sonoma (macOS 14) and Later
Good news! With macOS Sonoma, Apple introduced a new file, /etc/pam.d/sudo_local, allowing users to retain their Touch ID sudo configurations across system updates. Here's how to set it up:
Check for sudo_local.template:
macOS Sonoma should come with a template file named sudo_local.template. Ensure it exists:
Create sudo_local from the template:
If sudo_local.template exists, copy it to create sudo_local:
sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
Edit sudo_local configuration:
Open sudo_local in a text editor, for example:
sudo nano /etc/pam.d/sudo_local
Uncomment Touch ID rule:
Uncomment the Touch ID rule by removing the # at the beginning of the line:
#auth sufficient pam_tid.so
auth sufficient pam_tid.so
Save, close, and test:
Save the file, close the editor, and test your configuration by using the sudo command in Terminal.
The final file based on the template with our modifications should look like this:
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth sufficient pam_tid.so
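The Sonoma steps above as a repeatable shell function, added here as an example and not part of the original post: it creates sudo_local from the template only when needed, keeps a backup, and changes nothing if the rule is already active. The function names, the .bak suffix and the constructed sample template in make_sample_dir are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Names and the .bak suffix are assumptions.
# "sufficient": a Touch ID match alone satisfies sudo; if it fails, PAM
# continues with the remaining rules, so the password prompt still works.
RULE_RE='^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# touchid_active DIR: succeeds if DIR/sudo_local has an uncommented Touch ID rule.
touchid_active() {
    [ -f "$1/sudo_local" ] && grep -Eq "$RULE_RE" "$1/sudo_local"
}

# enable_touchid DIR: create DIR/sudo_local from the template if it is missing,
# then uncomment the Touch ID rule. Needs a root shell when DIR is /etc/pam.d.
enable_touchid() {
    dir=$1
    if [ ! -f "$dir/sudo_local" ]; then
        [ -f "$dir/sudo_local.template" ] || {
            echo "no sudo_local.template in $dir (pre-Sonoma system?)" >&2
            return 1
        }
        cp "$dir/sudo_local.template" "$dir/sudo_local" || return 1
    fi
    touchid_active "$dir" && return 0      # already enabled: change nothing
    cp -p "$dir/sudo_local" "$dir/sudo_local.bak" || return 1
    tmp=$(mktemp) || return 1
    # Remove the leading '#' from the commented pam_tid rule only.
    sed -E 's/^#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' \
        "$dir/sudo_local" > "$tmp" || { rm -f "$tmp"; return 1; }
    rc=1
    if grep -Eq "$RULE_RE" "$tmp"; then
        cat "$tmp" > "$dir/sudo_local" && rc=0   # cat keeps the file's owner and mode
    else
        echo "no commented pam_tid rule found; $dir/sudo_local left unchanged" >&2
    fi
    rm -f "$tmp"
    return $rc
}

# make_sample_dir: print the path of a temp dir holding a constructed template.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '# sudo_local: local config file which survives system update and is included for sudo' \
        '# uncomment following line to enable Touch ID for sudo' \
        '#auth sufficient pam_tid.so' > "$d/sudo_local.template"
    echo "$d"
}
```

To try it without touching the system, run enable_touchid against the directory printed by make_sample_dir; keep a second root shell open when pointing it at /etc/pam.d.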
By following these simple steps, you can easily enable Touch ID authentication for sudo on any version of macOS, thus providing users with a smooth and highly secure experience. This feature allows users to conveniently and securely authenticate themselves using their fingerprint, adding an extra layer of protection to their system. With Touch ID authentication for sudo, users can enjoy a seamless and hassle-free authentication process while ensuring the utmost security for their sensitive information.
⚠️ Please note: modifying PAM configurations is a sensitive operation and should be performed with caution. Always ensure you understand each step and command, and have backups of your system before running them!