Let Touch ID authorize the `sudo` terminal command in macOS 14+

touch_id_sudo.sh

sudo sh -c 'echo "auth sufficient pam_tid.so" > /etc/pam.d/sudo_local'

If anyone wants to get this running in bash, try changing the read prompt:

  read -p "Touch ID is not enabled for sudo. Would you like to enable it now? [y/n]: " response

@jesseduffield

This only works for some time, If you get updates you have to apply again. Is there a way to make it permanently?

Add the line to /etc/pam.d/sudo_local apparently that file survives software updates.

@andrewcrook Thanks for the info. Next time an update comes, I’ll give this a test and update the original post!

At first, I thought the specific file name was baloney, as usually .*d directories are for stuffing whatever in, but after some searching it checks out. In the Apple Business Release notes for Sonoma (HT213893), it specifically says that changes to /etc/pam.d/sudo_local are persistent and that one can look to /etc/pam.d/sudo_local.template for more info. And lo and behold:

❯ cat /etc/pam.d/sudo_local.template
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so

Thanks again @andrewcrook and @fatso83

I have found success using sudo_local. I will be updating the original post to reflect this.

The revisions of this gist will still reflect the hack used for older versions of macOS.