Use Touch ID for Sudo on Mac

510 points| syck | 5 years ago |davidwalsh.name | reply

214 comments

[+] cprecioso|5 years ago|reply
This is amazing -- but every. single. update. disables it again

Why does the sudo file not persist between updates? This case is quite minor for personal computers, but what about companies that log in with yubikeys or smart cards? Do they have to reconfigure after every update too?

[+] beyondcompute|5 years ago|reply
I’ve just added this to my .bash_profile:

  enable-sudo-touchid() {
    grep -q pam_tid.so /etc/pam.d/sudo && return   # already enabled, don't add a duplicate line
    # macOS (BSD) sed needs a (possibly empty) backup suffix after -i; $'..\\\n..' hands sed a
    # backslash-newline, the portable way to write a newline in the replacement text.
    sudo sed -i '' -e $'1s;^;auth       sufficient     pam_tid.so\\\n;' /etc/pam.d/sudo
  }
But probably automating the check (if the automated checker has the correct permission) would not be that hard.
[+] jeffbee|5 years ago|reply
This is a very macOS problem. Why does it reset every preference on updates? The one that kills me is wake-on-lan, that gets turned back on regardless. Hate!
[+] bitlevel|5 years ago|reply
The article will not allow sudo changes on Big Sur - at least, not without changing permissions of the sudo file first:

  1. sudo -Si
  2. chmod 644 /etc/pam.d/sudo
  3. vi /etc/pam.d/sudo
  4. Add the 'Auth         sufficient        pam_tid.so' line
  5. chmod 444 /etc/pam.d/sudo
  6. ...
  7. Profit!
Very handy tip though, thanks!
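Both the `.bash_profile` function above and the seven-step recipe do the same edit by hand each time an update resets it. The script below is an added example, not code from the thread or from the linked article: it makes the edit idempotent, writes the new file next to the old one and renames it into place (so a failed write cannot leave an empty `/etc/pam.d/sudo`, which would lock you out of sudo, and the 444 mode Big Sur puts on the file does not have to be relaxed first), and gives you a `--check` you can run after an update. The function names and the `PAM_SUDO` override are my own; the target path and the PAM line are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently enable Touch ID for sudo
# and check whether an OS update has reset it. PAM_SUDO can be pointed at a
# scratch copy to try it out.
PAM_SUDO=${PAM_SUDO:-/etc/pam.d/sudo}
PAM_LINE='auth       sufficient     pam_tid.so'

# 0 if file $1 has an active (uncommented) pam_tid.so auth line, else 1.
touchid_enabled() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Put PAM_LINE first in file $1 unless it is already there. The new content
# goes to a temp file in the same directory and is renamed over the target:
# rename is atomic, so sudo never sees a half-written PAM file, and the
# read-only mode of the old file does not matter (only the directory is written).
enable_touchid() {
  f=$1
  touchid_enabled "$f" && return 0
  tmp=$(mktemp "$(dirname "$f")/.pam_sudo.XXXXXX") || return 1
  { printf '%s\n' "$PAM_LINE"; cat "$f"; } > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 444 "$tmp" && mv "$tmp" "$f"
}

# Usage:  sudo sh enable-touchid.sh --apply   (edit the real file)
#         sh enable-touchid.sh --check        (report only, no root needed)
case ${1:-} in
  --apply) enable_touchid "$PAM_SUDO" && echo "Touch ID for sudo enabled in $PAM_SUDO" ;;
  --check) if touchid_enabled "$PAM_SUDO"; then echo enabled; else echo disabled; fi ;;
esac
```

Running `--apply` a second time is a no-op, so it is safe to put in a login script or a periodic job; `--check` is what you want in a post-update checklist, since it tells you the line is gone before the next `sudo` surprises you with a password prompt.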
[+] cprecioso|5 years ago|reply
I usually just `sudo nano` it, works fine
[+] mega_dingus|5 years ago|reply
Or when using vi, just use :wq!
[+] girishso|5 years ago|reply
Something weird going on: it still asks for a password at the command prompt; if I just press the Return key, the Touch ID dialog opens.. after touching it says `Sorry try again` (my Touch ID works in other places).

On 11.2.1

[+] zaphirplane|5 years ago|reply
I don’t get it, the article shows it in 2 steps why the 5 step verbosity??
[+] philsnow|5 years ago|reply
s/vi/visudo/

visudo will lint the resulting file and (should) reject the change if it would break your system.

[+] Galanwe|5 years ago|reply
As a side note, there's also the wonderful pam_yubiko module that allows you to require touching your yubikey to sudo or login.
[+] tomxor|5 years ago|reply
pam_yubico yes.

You can also use this to secure SSHD on servers by delegating to PAM with keyboard-interactive.

I'm waiting for U2F OpenSSH support to trickle down to stable distros but in the meantime pam_yubico is pretty damn good... not to mention you don't have to worry about terminal support since it relies on the yubikey OTP emulating a keyboard.
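What "delegating to PAM with keyboard-interactive" looks like in practice, as an added configuration example that is not from the thread: the sshd side requires a public key and then hands the second step to PAM, whose first auth line is pam_yubico. The `id`, `key` and key-id values are placeholders; the authfile path is my choice, and the pam_yubico line is put before the distribution's existing auth lines so the OTP is required in addition to whatever they ask for.

```text
# /etc/ssh/sshd_config (relevant lines only)
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
# a public key AND the PAM keyboard-interactive stack (which prompts for the OTP)
AuthenticationMethods publickey,keyboard-interactive:pam

# /etc/pam.d/sshd -- first auth line, ahead of the existing ones
auth  required  pam_yubico.so mode=client id=<API_CLIENT_ID> key=<API_SECRET_KEY> authfile=/etc/ssh/authorized_yubikeys

# /etc/ssh/authorized_yubikeys -- user:<12-character public id of the key>[:another id]
alice:<PUBLIC_ID_OF_ALICES_KEY>
```

Because the OTP is typed as keyboard input, the client needs nothing beyond a plain SSH client, which is the terminal-support point made above; keep a second session open while testing, since a mistake in `AuthenticationMethods` or the PAM stack locks out new logins rather than the one you are in.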

[+] sdoering|5 years ago|reply
wow... thanks for that. Didn't know that. Will need to read on that as well...
[+] sammorrowdrums|5 years ago|reply
Yes, use this on my Linux machine. Works seamlessly.
[+] rvz|5 years ago|reply
Very handy. But you can use your Apple Watch for sudo which is even better: [0]

[0] https://github.com/insidegui/pam-watchid

[+] deergomoo|5 years ago|reply
If you have a Touch ID Mac, enabling Touch ID for sudo also enables using an Apple Watch, so you can use either if you like.
[+] gumby|5 years ago|reply
You have to take your fingers off the keyboard for this which is a big distractor, worse than using a mouse.

I use this feature for other touch cases (e.g. unlocking 1Password) but would hate it when in the flow.

Admittedly my password is well wired into my fingers.

[+] dmitriid|5 years ago|reply
I'd love for iPhone and Watch to serve as a second-screen touch id for MacOS. Then I can tuck the laptop (or Mini) away, and not have to type passwords into various systems.
[+] pplante|5 years ago|reply
I agree using your watch is cool. However I think you lose out on the security aspect, an important element that a fingerprint provides all on the same device.
[+] parhamn|5 years ago|reply
This made me realize my usage of sudo has gone down quite a bit. It seems like things mostly get permissions right these days, brew and ports were the main culprits back in the day.
[+] eyelidlessness|5 years ago|reply
I was thinking the same thing. Since I got my MBP16 I think the only times I’ve typed a password at all have been when the Touch ID session expires or whatever it is that requires reauth.
[+] antonio-ramadas|5 years ago|reply
Having the ability to use Touch ID for sudo is handy. I’ve been using it for a while.

Coupled with `expect` I use it to authenticate through SSH (that is the only feasible option I got to connect to hosts I’ve got limited access). I even wrote about it: https://antonio-ramadas.github.io/blog/2020/10/30/ssh-login-...

Here is the gist of it:

  #!/usr/bin/expect
  
  # Connects via SSH to the host passed as argument
  
  set timeout 60
  set server [lindex $argv 0]
  set username <USERNAME>
  # sudo here is what triggers the Touch ID prompt
  set password [exec sudo cat <PATH_TO_YOUR_PASSWORD_FILE>]
  
  spawn ssh $username@$server
  
  # "yes/no" is the first-connection host key question; "?assword"
  # matches both "Password:" and "password:"; the timeout branch stops the
  # script instead of leaving it hanging if no prompt ever appears
  expect {
    "yes/no"   { send "yes\r"; exp_continue }
    "?assword" { send "$password\r" }
    timeout    { puts stderr "no password prompt from $server within $timeout s"; exit 1 }
  }
  
  interact
Edit: Please remove all permissions from the password file with:

  chmod a-rwx <PATH_TO_PASSWORD_FILE>
I’m also assuming you run this script on an environment you control and trust. Be wary of your password.
[+] koffiezet|5 years ago|reply
Use. SSH. Keys.
[+] isatty|5 years ago|reply
Interesting, I hacked a small pam module together 4 years ago for the first generation of touch id enabled macbooks[0] and I wonder if pam_tid.so was always present and I just missed it. D'oh!

[0] https://github.com/spaghetti-/pam-touchid

[+] ctur|5 years ago|reply
Every update requires you to redo this. It's so repetitive that I keep a copy of what I want `/etc/sudo` to look like in my homedir and, whenever I get the prompt for a sudo attempt, I instead sudo to cp the file. Then I go on my way with what I was originally intending.

Rote but effective.

[+] ethanpil|5 years ago|reply
Why not run a script on boot that does the update? Does it need to be in the .bashrc?
[+] zuppy|5 years ago|reply
Does anybody know if there's a solution for keychain password copy too? I have a very complicated vpn password that I change often (so I don't remember it), but each day, when connecting to the vpn, I have to open keychain and type my user password to get the vpn password. I couldn't find a way to use touch id for that.
[+] hannibalhorn|5 years ago|reply
Kinda close - I use Hammerspoon to set up a hotkey that runs security(1) via popen to retrieve and paste passwords into some apps.

    /usr/bin/security find-internet-password -wgs mydomain.com
It requires the keychain to be unlocked, which can be handled with Touch ID, and you can have it confirm with an "are you sure" dialog box every time.

If you really wanted to be prompted for a fingerprint basically every time, you could probably use a separate keychain that locks after 1 minute of inactivity.

[+] dylan604|5 years ago|reply
Out of curiosity, why do you change a complex password regularly? Is this something your evilCorp policy forces you to do, or something you do out of habit because of something you read on the internet, or even rote habit from something picked up at previous evilCorp policies?
[+] dustinmoris|5 years ago|reply
> Since you expect to be be typing in a command line, moving your finger to touch the key is probably not very efficient.

Why is this not very efficient? Isn't moving my finger to touch the key equivalent to a single key stroke? How is a single key stroke less efficient than many key strokes?

[+] jedimastert|5 years ago|reply
Admittedly I've never used Mac's implementation, but I could see a slowdown if it takes longer for the fingerprint to register than it takes to type your password (which is probably the fastest combination of characters you can type).
[+] garettmd|5 years ago|reply
I think it depends a lot on how long your password is, as well.
[+] sigjuice|5 years ago|reply
What type of work or activity on macOS requires sudo repeatedly enough that it needs to be automated in this way? I mainly need sudo for the occasional dmesg or for adjusting routes after activating my VPN for work.
[+] lucideer|5 years ago|reply
Not that I install new software all that often, but macports requires sudo for quite a lot of operations.
[+] nneonneo|5 years ago|reply
I just have a setuid root sudo binary (compiled from sudo-touchid: https://github.com/mattrajca/sudo-touchid) in my home folder ~/bin. This has worked a treat across OS updates, without hacking PAM stuff. It’s extremely convenient and has probably saved me cumulative hours in typing out my long password :)
[+] MatekCopatek|5 years ago|reply
Was pleasantly surprised when Gnome on latest Fedora enabled this out of the box simply because the fingerprint reader on my laptop was supported.
[+] Simplicitas|5 years ago|reply
Author admits 'probably not very efficient', but still a great SHORT article to consider something interesting. Thanks
[+] nindalf|5 years ago|reply
I'm not sure about the "not efficient" part either. My password is 10+ characters, random alphanumeric with special characters. I sometimes mistype it. Whereas I'm yet to make a mistake tapping my finger on the finger print reader.
[+] float4|5 years ago|reply
Touch ID is awesome, but I semi-regularly use the APFS snapshot rollback feature and it erases my fingerprints.

Does anyone know why this happens? I was very happy when I found out APFS is CoW but it kind of sucks that restoring an old snapshot apparently erases the secure enclave in my M1 chip.

[+] dkonofalski|5 years ago|reply
More than likely because that's a security risk. If it didn't do this, an attacker could likely roll back your machine to before you had Touch ID set up and then roll it forward again to access your data, now without a Touch ID restriction.
[+] wil421|5 years ago|reply
The system will notice changes and disable certain features. I noticed my Apple Pay stopped working after a restore and there are additional settings that can turn off Apple Pay. Such as allowing boot from an external drive.