sudo-touchid

Native and reliable TouchID support for sudo

Try it out     ^{_{without installing}}

curl -sL git.io/sudo-touch-id | sh

Now sudo is great, just like Safari — with your fingerprint in Terminal or whatever you're on.

^{Don't worry, you can also reverse it without installing}

Please note: without full installation, TouchID for sudo will be disabled after the next macOS update.

_Result:

_{Just type git.io/sudotouchid to go here.}

Features

• Fast
• Reliable
• Written in Bash — no dependencies!
• Include it to your automated system build — always working and up to date with major macOS upgrades!

Install

Via 🍺 Homebrew (Recommended)

brew install artginzburg/tap/sudo-touchid
sudo brew services start sudo-touchid

Check out the formula if you're interested

Using curl

curl -sL git.io/sudo-touchid | sh

curl is pre-installed in macOS

Performs automated "manual" installation.

The installation process:

1. Makes the sudo-touchid command available.
2. Makes it auto-run on every system launch ^{(using a simple launchd daemon with RunAtLoad key set to true)}, so that when a macOS update erases our custom sudo configuration, sudo-touchid fixes it again.

Usage

sudo-touchid [options]
           # Running without options adds TouchID parameter to sudo configuration
             [-v,  --version]   # Output installed version
           # Commands:
             [-d,  --disable]   # Removes TouchID from sudo config

if not installed, can be used via curl ^{bundled with macOS}

sh <( curl -sL git.io/sudo-touch-id ) [options]
                                    # Reliability — check :)
                                      [-d,  --disable]   # Removes TouchID from sudo config

Why?

1. Productivity

   macOS updates do reset /etc/pam.d/sudo, so previously users had to manually edit the file after each upgrade.

   This tool was born to automate the process, allowing for TouchID sudo auth to be quickly enabled on a new/clean system.

2. Spreading the technology.

   I bet half of you didn't know.

   It was there for a long time.

3. Lightness

   The script is small, doesn't need any builds, doesn't need XCode.

   Code size comparison — previously favoured solution VS. the one you're currently reading:

   

   

How does it work?

sudo-touchid.sh — the script:

• Adds auth sufficient pam_tid.so to the top of /etc/pam.d/sudo file ^{following @cabel's advice}

• Creates a backup file named sudo.bak.

• Has a --disable (-d) option that performs the opposite of the steps above.

_{Non-Homebrew files:}

com.user.sudo-touchid.plist — the property list (global daemon):

• Runs sudo-touchid.sh on system reload

  Needed because any following macOS updates just wipe out our custom sudo.

install.sh — the installer:

• Saves sudo-touchid.sh as /usr/local/bin/sudo-touchid and gives it the permission to execute.

  (yes, that also means you're able to run sudo-touchid from Terminal)

• Saves com.user.sudo-touchid.plist to /Library/LaunchDaemons/ so that it's running on boot (requires root permission).

Manual installation

1. Generally follow the steps provided by the installer in "Non-Homebrew files"
2. If you need to, store sudo-touchid.sh anywhere else and replace /usr/local/bin in com.user.sudo-touchid.plist with the chosen path.

Contributing

PRs and Issues are much welcome!

If you don't like something — change it or inform the ones willing to help.

Related

Disabling password prompt for sudo

• Change %admin ALL=(ALL) ALL to %admin ALL=(ALL) NOPASSWD: ALL in /etc/sudoers

TouchID support in tmux

• Have a look at pam_reattach module

Apple Watch TouchID support

• Have a look at pam_watchid module