Using Touch ID for sudo in macOS Sonoma
I just upgraded to macOS Sonoma and realised that once again my ability to use Touch ID for sudo had been overwritten by the upgrade.
The solution to this in the past was to add this line to the top of /etc/pam.d/sudo:
auth sufficient pam_tid.so # enables touch id auth for sudo
But in macOS Sonoma I noticed a new line at the top of the file:
# sudo: auth account password session
auth include sudo_local # <- This line is new!
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
When poking around in /etc/pam.d/ I saw a new template file:
ls -lah /etc/pam.d/sudo*
-rw-r--r--@ 1 root wheel 283B 8 Feb 11:40 /etc/pam.d/sudo
-r--r--r-- 1 root wheel 179B 12 Jan 07:19 /etc/pam.d/sudo_local.template
Looking into that file, I see this:
cat /etc/pam.d/sudo_local.template
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth sufficient pam_tid.so
So maybe if I copy this file and uncomment this line I'll be able to use Touch ID again? Let's try it.
sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
sudo vim /etc/pam.d/sudo_local # uncomment the line, then remember to exit vim with `:wq!`
Your file should now look like this:
cat /etc/pam.d/sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth sufficient pam_tid.so
And now if you try to use sudo, it should prompt you for your fingerprint! Let's hope this is a more persistent way of turning this on going forward, and that it doesn't get clobbered the next time I update.
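The same steps as a re-runnable shell script, added here as an example and not part of the original post: it writes sudo_local from the template only if no local file exists yet (so an existing local config is never clobbered), uncomments the pam_tid.so line with sed instead of vim, and first checks that /etc/pam.d/sudo actually includes sudo_local, since without that include line the local file is silently ignored. The paths are parameters so it can be tried against copies of the files; run it as root for the real ones.

```shell
#!/bin/sh
# Added example (not from the original post): enable Touch ID for sudo via
# /etc/pam.d/sudo_local in a way that is safe to re-run after each macOS update.
# Assumption: the template contains the commented line "#auth sufficient pam_tid.so".

# Returns 0 when the sudo PAM file honours sudo_local (has "auth include sudo_local").
sudo_includes_local() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local' "$1"
}

# Returns 0 when FILE has an active (uncommented) pam_tid.so line.
touchid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# enable_touchid_sudo_local TEMPLATE DEST
# Creates DEST from TEMPLATE with the pam_tid.so line uncommented.
# If DEST already exists it is left untouched (it may carry other local entries);
# the exit status then simply reports whether Touch ID is active in it.
enable_touchid_sudo_local() {
    template="$1"
    dest="$2"
    if [ ! -f "$dest" ]; then
        sed 's/^#[[:space:]]*auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so/auth sufficient pam_tid.so/' \
            "$template" > "$dest" || return 1
        chmod 444 "$dest"   # same read-only mode as the shipped template
    fi
    touchid_enabled "$dest"
}

# Real usage on macOS Sonoma, run as root (e.g. `sudo sh enable-touchid.sh`):
#   sudo_includes_local /etc/pam.d/sudo || { echo "sudo does not include sudo_local"; exit 1; }
#   enable_touchid_sudo_local /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
```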