Using TouchID for sudo on macOS Sierra
A couple of days ago, I’ve received my new 15″ Mac Book Pro. So far I’m quite happy. Ok the the circumstance, that I have to carry around a bunch of adapters. I’m waiting for the first projector at customers with USB-C connection. But thats an other story. Initially I thought, that I will not use the new Touch Bar that much. But I must admit that it’s quite handy from time to time. In particular the Touch ID to unlock the Mac Book Pro.
During my day to day work, I’m using the terminal quite a lot. This also includes the use of sudo. Why not using the Touch ID, to run a privileged command with sudo rather than typing the password. Good idea, unfortunately this is not possible out of the box in macOS Sierra. A Google search has revealed two possible solutions respectively projects on GitHub.Replace the sudo with a customised version of sudo, which does support Touch ID (see sudo-touchid Add a customised PAM module, which does support the Touch ID (see pam_touchid
I have decided to test the custom PAM module, because it seems, that this alternative has less impact on the operating system. The configuration is straight forward and includes the following steps:Build the project using Xcode Copy the PAM module to a custom location Update the sudo configuration
As mentioned in a comments on GitHub, sudo over ssh does not work with this PAM module (see pam_touchid appears to break sudo over SSH ) pam_touchid.m requires a small modification. In particular the following if statement has to be added at the top of the method pam_sm_authenticate.if (getenv("SSH_TTY")) return PAM_IGNORE;
In case of a sudo authentication request over SSH the module will do nothing. Sudo will fall back to the regular PAM modules. So lets start Xcode to adjust pam_touchid.m and build pam_touchid.so.2 .
Create a custom directory for the PAM module, copy pam_touchid.so.2 and adjust the owner and privileges.sudo mkdir -p /usr/local/lib/pam/ sudo cp pam_touchid.so.2 /usr/local/lib/pam/ sudo chown root:wheel /usr/local/lib/pam/pam_touchid.so.2 sudo chmod 444 /usr/local/lib/pam/pam_touchid.so.2
Update the sudo configuration and add auth sufficient pam_touchid.so reason="execute a command as another user" to the top of the file.sudo vi /etc/pam.d/sudo cat /etc/pam.d/sudo # sudo: auth account password session auth sufficient pam_touchid.so reason="execute a command as another user" auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so
As soon as you start a new terminal session, you can use your Touch ID to authenticate sudo. Below you see an example of sudo hostname to get the current hostname.
As mentioned in the realm of the PAM Touch ID project, you have to be sure what your doing. If it is the first time you use Xcode and Terminal, it is probably better to not change your sudo authentication.
Thanks to Hamza Sood for this PAM module.
本文系统（linux）相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统