How To - Enable Touch ID for sudo on macOS
Enable Touch ID for sudo Commands
By default, macOS requires you to type your password every time you use sudo in the terminal. This guide shows you how to enable Touch ID authentication for sudo commands, allowing you to authenticate with your fingerprint instead.
Configuration Steps
Step 1: Verify PAM Configuration
First, check that your /etc/pam.d/sudo file includes the sudo_local configuration:
sudo cat /etc/pam.d/sudo
Your file should include this line near the top:
auth include sudo_local
If that line is missing, you’ll need to add it. Here’s what a typical /etc/pam.d/sudo file looks like:
# sudo: auth account password session
auth include sudo_local
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Step 2: Create the sudo_local File
Create or edit the /etc/pam.d/sudo_local file to enable Touch ID:
sudo nano /etc/pam.d/sudo_local
Add this single line to enable Touch ID authentication:
auth sufficient pam_tid.so
Save and exit (Ctrl+O, Enter, Ctrl+X in nano).
Step 3: Set Correct Permissions
Ensure the file has the correct permissions:
sudo chmod 644 /etc/pam.d/sudo_local
Step 4: Test It Out
Open a new terminal window and try a sudo command:
sudo ls /
You should now see a Touch ID prompt instead of a password prompt!
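To confirm that Steps 1 to 3 took effect without opening each file, the read-only check below can be used. It is an added example, not part of the original guide; the function names are illustrative, and the optional path arguments are an assumption added so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example: audit the PAM files from Steps 1-3 without modifying them.
# Usage: check_touchid_sudo                       (audits the live files)
#        check_touchid_sudo SUDO_FILE LOCAL_FILE  (audits copies)

# True if FILE has an active (uncommented) line "TYPE CONTROL MODULE".
has_pam_line() {  # usage: has_pam_line FILE TYPE CONTROL MODULE
    awk -v t="$2" -v c="$3" -v m="$4" '
        /^[[:space:]]*#/ { next }                  # skip commented-out lines
        $1 == t && $2 == c && $3 == m { found = 1 }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# True if the file mode is exactly 644, as set in Step 3.
mode_is_644() {
    [ -n "$(find "$1" -prune -perm 644 -print 2>/dev/null)" ]
}

# Prints one finding per problem; returns 0 only when every check passes.
check_touchid_sudo() {
    sudo_file=${1:-/etc/pam.d/sudo}
    local_file=${2:-/etc/pam.d/sudo_local}
    rc=0
    if ! has_pam_line "$sudo_file" auth include sudo_local; then
        echo "MISSING: 'auth include sudo_local' in $sudo_file"; rc=1
    fi
    if [ ! -f "$local_file" ]; then
        echo "MISSING: $local_file"; return 1
    fi
    if ! has_pam_line "$local_file" auth sufficient pam_tid.so; then
        echo "MISSING: active 'auth sufficient pam_tid.so' in $local_file"; rc=1
    fi
    if ! mode_is_644 "$local_file"; then
        echo "MODE: $local_file is not 644"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: Touch ID for sudo is configured"
    fi
    return "$rc"
}
```

A MISSING or MODE line in the output points at the step to revisit.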
Disable Touch ID for sudo
To disable, either delete the file:
sudo rm /etc/pam.d/sudo_local
Or comment out the line by adding # at the beginning:
sudo nano /etc/pam.d/sudo_local
Change the line to:
# auth sufficient pam_tid.so
