Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo
commands.
Use your favorite text editor and open the file
/etc/pam.d/sudo
and add the following line
auth sufficient pam_tid.so
below the pam_smartcard.so
line as shown below and then save (Ctrl+O for pico
) the file.
$ sudo pico /etc/pam.d/sudo
UW PICO 5.09 File: /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth sufficient pam_tid.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
^G Get Help ^O WriteOut ^R Read File ^Y Prev Pg ^K Cut Text ^C Cur Pos
^X Exit ^J Justify ^W Where is ^V Next Pg ^U UnCut Text^T To Spell
File Name to write : /etc/pam.d/sudo
^G Get Help ^T To Files
^C Cancel TAB Complete
[ Wrote 7 lines ]
^G Get Help ^O WriteOut ^R Read File ^Y Prev Pg ^K Cut Text ^C Cur Pos
^X Exit ^J Justify ^W Where is ^V Next Pg ^U UnCut Text^T To Spell
That’s it. Now when you open a new Terminal window you can use TouchID to approve sudo commands. If you also have your Apple Watch set to unlock your Mac, you will also be able to approve sudo commands by double-clicking the side button on the watch.
Keep in mind that this file is somewhat protected by macOS so after each OS update you will need to add the line to the file. Other than that, it works perfectly!