Dom Harrington

Using Touch ID for sudo in macOS Sonoma


I just upgraded to macOS Sonoma and realised that once again my ability to use Touch ID for sudo had been overwritten by the upgrade. The solution to this in the past was to add this line to the top of /etc/pam.d/sudo:

auth   sufficient  pam_tid.so  # enables touch id auth for sudo

But in macOS Sonoma I noticed a new line at the top of the file:

# sudo: auth account password session
auth       include        sudo_local               <- This line is new!
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

When poking around in /etc/pam.d/ I saw a new template file:

ls -lah /etc/pam.d/sudo*
-rw-r--r--@ 1 root  wheel   283B  8 Feb 11:40 /etc/pam.d/sudo
-r--r--r--  1 root  wheel   179B 12 Jan 07:19 /etc/pam.d/sudo_local.template

Looking into that file, I see this:

cat /etc/pam.d/sudo_local.template
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so

So maybe if I copy this file and uncomment that line, I'll be able to use Touch ID again? Let's try it.

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
sudo vim /etc/pam.d/sudo_local # uncomment the line, then remember to exit vim with `:wq!`

Your file should now look like this:

cat /etc/pam.d/sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       sufficient     pam_tid.so
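The copy-and-uncomment steps above, scripted so they can be re-run safely after a future update. This is an added example, not part of the original post: the template and destination paths are parameters (the real ones are /etc/pam.d/sudo_local.template and /etc/pam.d/sudo_local), the helper names are my own, and the sample files used below are constructed from the listings in the post. It also checks that /etc/pam.d/sudo still carries the `auth include sudo_local` line, since without it sudo_local is never read.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently create sudo_local
# from Apple's template and uncomment the pam_tid.so line.
set -eu

# Usage: enable_touchid_sudo TEMPLATE DEST
# Copies TEMPLATE to DEST if DEST does not exist, then strips the leading '#'
# from the "auth sufficient pam_tid.so" line. Safe to run repeatedly.
enable_touchid_sudo() {
    template=$1
    dest=$2
    if [ ! -f "$dest" ]; then
        cp "$template" "$dest"
    fi
    # sed -i differs between BSD (macOS) and GNU sed, so write to a temp file.
    tmp="$dest.tmp.$$"
    sed 's/^#[[:space:]]*\(auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so\)/\1/' \
        "$dest" > "$tmp"
    mv "$tmp" "$dest"
    # Match the mode of /etc/pam.d/sudo shown in the post (root-owned, 0644).
    chmod 644 "$dest"
}

# Usage: touchid_sudo_enabled FILE
# Returns 0 when FILE contains an active (uncommented) pam_tid.so auth line.
touchid_sudo_enabled() {
    grep -q '^auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so' "$1"
}

# Usage: sudo_includes_local SUDO_PAM_FILE
# Returns 0 when the sudo PAM file includes sudo_local; on Sonoma this line is
# present by default, and without it the sudo_local file has no effect.
sudo_includes_local() {
    grep -q '^auth[[:space:]]\{1,\}include[[:space:]]\{1,\}sudo_local' "$1"
}
```

On a real system, source the script and call `enable_touchid_sudo /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local` as root, then confirm with `touchid_sudo_enabled /etc/pam.d/sudo_local` and `sudo_includes_local /etc/pam.d/sudo` before trusting the change.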

And now if you try to use sudo it should prompt you for your fingerprint! Let's hope this is a more persistent way of turning this on going forward, and it doesn't get clobbered the next time I update.