Enable Touch ID for authentication in sudo

In getting a new laptop recently, I’m reminded of all the small tweaks and quality-of-life improvements that I end up making. One of them is enabling Touch ID authentication for sudo in the macOS Terminal app.

I’m not sure why Apple don’t enable it by default, as everything that’s needed is already there; it just has to be turned on.

To enable it, you need to edit the file that macOS uses for pluggable authentication modules (PAM) for sudo. The main file lives at /etc/pam.d/sudo and it references an include file, sudo_local. Editing the sudo_local file, rather than the main sudo file, ensures that your changes survive macOS updates, which tend to reset/overwrite the main pam.d/sudo file.

cd /etc/pam.d
sudo cp sudo_local.template sudo_local
sudo vi /etc/pam.d/sudo_local

In this file, uncomment the auth line (remove the leading #) so it just reads:

auth sufficient pam_tid.so

This adds the Touch ID PAM module as a sufficient means of authentication for sudo: a successful Touch ID check satisfies authentication on its own, and if it fails or Touch ID isn’t available, PAM moves on to the usual password prompt.

When you’re done, your pam.d/sudo_local file should look like this (from a clean macOS 15 install). I’ve highlighted the changed line in bold.

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       sufficient     pam_tid.so

Save and close the file with esc :wq! (you need the ! to overwrite a read-only file) and you’re then ready to use Touch ID for sudo commands.

Be really, really careful when you’re editing this file – if you stuff it up, you may not be able to use sudo at all, meaning you won’t be able to elevate your privileges to edit the file again and fix it.

If you want to play it safe, instead of exiting vi with :wq! you could just write the file with :w! and then, leaving the Terminal window open with the active editor, open a new Terminal window and test sudo functionality. If it works, you can then quit vi in the first Terminal window.
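The same edit done as a script, as an added example that is not part of the original post: it works on whatever file path you pass it, so you can run it against a copy before pointing it (as root) at /etc/pam.d/sudo_local, and it only installs the result if exactly one active pam_tid line comes out. The embedded template text is constructed to match what the post shows; the real one comes from sudo_local.template.

```shell
# Constructed stand-in for sudo_local.template, matching the post (assumption).
SUDO_LOCAL_TEMPLATE='# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so'

# Matches an active (uncommented) "auth sufficient pam_tid.so" line.
TID_ACTIVE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# Report whether FILE currently enables Touch ID for sudo: "enabled" or "disabled".
tid_state() {
    if grep -Eq "$TID_ACTIVE" "$1"; then echo enabled; else echo disabled; fi
}

# Uncomment the pam_tid.so line in FILE. The edit goes to a temp file first and
# is copied over FILE only if exactly one active pam_tid line results, so a
# malformed file (the "can't use sudo any more" failure mode) never gets installed.
# Running it twice is harmless: an already active line is left alone.
enable_tid() {
    file=$1
    tmp=$(mktemp "${file}.XXXXXX")
    # Drop a leading '#' only on the pam_tid.so auth line; everything else is untouched.
    sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' \
        "$file" > "$tmp"
    count=$(grep -Ec "$TID_ACTIVE" "$tmp" || true)
    if [ "$count" -ne 1 ]; then
        rm -f "$tmp"
        echo "refusing to install $file: expected 1 active pam_tid line, found $count" >&2
        return 1
    fi
    # Writing through the existing file keeps its owner and mode (root:wheel,
    # read-only) instead of replacing it with the temp file's.
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

Check the result with tid_state before opening a second Terminal window to try sudo, exactly as the post suggests.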

If you didn’t do this, and you’re unable to use sudo, you can use the Finder to go to the /etc/pam.d folder (press ⇧+⌘+G and type in /etc/pam.d) to delete the sudo_local file. Finder will ask you to authenticate, but this doesn’t use the sudo authentication mechanism, so you’ll be able to delete it, and then sudo is back to factory defaults.
