One Tip a Week: TouchID for sudo commands

This week’s tip of the week is enabling TouchID on macOS for sudo commands in the terminal. We can enable this by editing a Pluggable Authentication Modules (PAM) configuration file.

The steps are pretty straightforward. Run the following:

sudo vi /etc/pam.d/sudo

You’ll be prompted for your password. Enter it, then edit the file, which will look something like this. All you need to do is add the line auth sufficient pam_tid.so (marked with a leading + below; the + is not part of the line). The most important thing is that it must be the first auth entry so that TouchID kicks in first. Because the rule is marked sufficient, you can still fall back to your password if you want.

# sudo: auth account password session
+ auth       sufficient     pam_tid.so
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
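
A quick check of the first-entry requirement, as an added example that is not part of the original post. It works on a temporary copy of the listing (a constructed sample), never on /etc/pam.d/sudo itself, and the function names tid_is_first and with_tid_first are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Succeed only if the first active auth rule is "auth sufficient pam_tid.so".
# Commented-out rules are ignored because their first field is not "auth".
tid_is_first() {
    awk '$1 == "auth" { ok = ($2 == "sufficient" && $3 == "pam_tid.so"); exit }
         END { exit !ok }' "$1"
}

# Print FILE with the pam_tid rule placed before the first auth rule.
# An existing pam_tid auth rule is dropped first, so a second run changes nothing.
with_tid_first() {
    awk '$1 == "auth" && $3 == "pam_tid.so" { next }
         $1 == "auth" && !seen { print "auth       sufficient     pam_tid.so"; seen = 1 }
         { print }' "$1"
}

# Constructed sample: the listing above without the added line.
sample=$(mktemp "${TMPDIR:-/tmp}/pam-sudo.XXXXXX")
cat > "$sample" <<'EOF'
# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF

# Build the patched copy and compare the two.
patched=$(mktemp "${TMPDIR:-/tmp}/pam-sudo.XXXXXX")
with_tid_first "$sample" > "$patched"

tid_is_first "$sample"  || echo "before: TouchID is not the first auth rule"
tid_is_first "$patched" && echo "after:  TouchID is the first auth rule"
```

To audit the real file after editing, run tid_is_first /etc/pam.d/sudo; it only reads the file.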

Remember that flush DNS alias tip? You can use this with it now.

Running a command that requires sudo, and you're prompted to authenticate with TouchID instead of a password

That’s it! Short and sweet. Until the next one!