Add touch ID to "sudo"

I use the terminal a lot. So often enough I use “sudo”. And I have to enter my long, complex password…

So, why not use TouchID?

  • open the file /etc/pam.d/sudo (with admin permissions, either in a text editor that allows saving as admin or with sudo vi /etc/pam.d/sudo)
  • Add the entry auth sufficient pam_tid.so as the first line after the comment.
  • Save
  • Done. Next time you want to sudo…unlock with TouchID
16 Likes

I have been doing this for quite a while, after reading this article:

Unfortunately I have to do this again after every OS update (even minor ones).

Does that happen for everyone?

1 Like

It’s a macOS “feature”. :smiley:

This is ridiculously enjoyable! Can’t say that I “needed” it, but fun nonetheless.

Thanks!

1 Like

Waiting for when touch ID gets put into the J or F keys so one doesn’t have to move their hands from the home row to use it :smile:

7 Likes

Yes, it happens for everyone. Updates overwrite the file. TJ Luoma has a longer discussion of it and wrote a script that makes the changes.

There can be a permissions change to the file, depending on how you edit it. /etc/pam.d/sudo is owned by user root and group wheel. By default, it has permissions

-r--r--r--

If I make the change to the file in BBEdit, it changes the permissions to

-r--r--r--@

where the @ means extended attributes have been added to the file. In this case, it’s a text encoding attribute. The permissions change doesn’t seem to affect the behavior of the setting, but it can be removed by

xattr -c /etc/pam.d/sudo
3 Likes
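The four-step procedure from the first post and the permissions/xattr note above, combined into one re-runnable script. This is an added example written for this page, not the thread's own script and not TJ Luoma's; it assumes the macOS /etc/pam.d/sudo layout shown in the constructed sample, and on a real Mac it is run as root against the real path (sudo sh touchid-sudo.sh /etc/pam.d/sudo).

```shell
#!/bin/sh
# Added example (not from the thread): idempotently enable Touch ID for sudo.
# Re-running it after an OS update restores the line without duplicating it.
PAM_TID_LINE='auth       sufficient     pam_tid.so'

# 0 if the PAM file already has the pam_tid.so auth line, 1 otherwise.
touchid_enabled() {
    grep -q '^auth[[:space:]][[:space:]]*sufficient[[:space:]][[:space:]]*pam_tid\.so' "$1"
}

# Module name on the first non-comment line (what PAM consults first).
first_auth_module() {
    awk '!/^#/ && NF { print $3; exit }' "$1"
}

# Insert the pam_tid.so line as the first line after the leading comment block.
add_touchid_pam() {
    file="$1"
    if touchid_enabled "$file"; then
        echo "already configured: $file"
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v line="$PAM_TID_LINE" '
        !done && $0 !~ /^#/ && $0 !~ /^[ \t]*$/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite through the existing inode instead of mv, so root:wheel
    # ownership and the 0444 mode survive (root may write despite r--r--r--).
    cat "$tmp" > "$file"
    rm -f "$tmp"
    # Mirror the thread's xattr -c step; only meaningful on macOS.
    if [ "$(uname)" = Darwin ] && command -v xattr >/dev/null 2>&1; then
        xattr -c "$file"
    fi
    echo "enabled pam_tid.so in: $file"
}

# Constructed sample resembling a stock /etc/pam.d/sudo (not your real file).
make_sample_pam() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
    echo "$f"
}

if [ $# -eq 1 ]; then
    add_touchid_pam "$1"          # e.g. sudo sh touchid-sudo.sh /etc/pam.d/sudo
else
    SAMPLE=$(make_sample_pam)     # no argument: demonstrate on the sample
    add_touchid_pam "$SAMPLE"
    add_touchid_pam "$SAMPLE"     # second run is a no-op
    cat "$SAMPLE"
    rm -f "$SAMPLE"
fi
```

After running it, `ls -l@ /etc/pam.d/sudo` should still show `-r--r--r--  root  wheel` with no `@`, and `sudo -k; sudo true` should prompt for Touch ID. The awk inserts before the first non-comment, non-blank line, which is what "first line after the comment" means to PAM: modules are tried in file order, and `sufficient` means a Touch ID success ends the auth stack without reaching the password module.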

It’s a cool feature, for sure, but personally I’d lean towards thinking through if you should be using sudo on your Mac often enough to need it. I’ve found that the only time I really need sudo is when I’m setting up a new Mac and installing Homebrew.

I’ll bet the guys often using the sudo command know what they are doing and aren’t using it more often than they need to. :slightly_smiling_face:

It depends on your approach to a Mac. Many Mac users never need or use sudo and appreciate that macOS insulates them from the need to deal with their Mac as a UNIX machine.

But others spend time at a terminal prompt and appreciate convenience in that experience also.

1 Like

For anything systemwide or dealing with configs in the terminal, it’s sudo.

  • update MacTeX: sudo tlmgr update --all
  • I use MacPorts a lot: sudo port selfupdate;sudo port upgrade outdated;sudo port reclaim;sudo port uninstall leaves;sudo port clean installed;sudo port reclaim
  • and so on

But, I agree, no need to use the shell at all. Then you will never see or use sudo. Which also applies to many modern Linux distributions.

I rarely use sudo on my Mac, but I use it frequently on my VPS. I have been mulling for a while if there is a way to have local Touch ID provide the password via the SSH session. :thinking:

Just use SSH keys. Way more secure than username/password.

If you have the same username on your Mac and VPS:

  • generate a secret/public key pair with: ssh-keygen -t rsa -b 4096 (RSA 4096 is secure. But we are moving towards EdDSA. In that case: ssh-keygen -t ed25519 -a 100). Leave “passphrase” empty.
  • copy the public key to your VPS with: ssh-copy-id username@servername

Done. Just log in with “ssh servername”.

3 Likes

I’m a senior devops engineer with 20+ years of Unix/Linux experience. :slight_smile: I am that guy.

That’s a good use case for sudo, but there might be a different way to do it once like sudo chown -R my_username /usr/local/ or wherever you are installing MacTeX to. Or, follow the instructions here to install to your ~/Library. I don’t use TeX anymore so I can’t say for sure.

I’d suggest moving to Homebrew. Again, run sudo once to get it set up, then you never have to run it again because your username owns the directory all your packages are installed to. brew list | wc -l on my MBP says I’ve got 52 packages installed that I use every day.

But, I agree, no need to use the shell at all. Then you will never see or use sudo. Which also applies to many modern Linux distributions.

Not quite what I was getting at, but yes, most folks will never open the terminal. Is it finally The Year of Linux on the Desktop?

Anyway! To each their own. I of all people understand finding a workflow that works for you and sticking with it. :+1:

Well, if you are brave you can always sudo su -, that’ll give you a root shell, then set your username to not need a password to use sudo in vi sudoers. But, eh, caveat emptor.

At the risk of extending a thread that seems to have reached its natural conclusion, I’m going to open my mouth and say that too much emphasis is put on the dangers of sudo—for single-user machines, at least.

Not that sudo isn’t dangerous. But the really valuable stuff on my computer is in my home directory, and I can destroy that without any superuser privileges.

4 Likes

No. :smiley: And neither will 2023, 2024, 2025 be…

I prefer MacPorts.

I have a multi-user setup.

1 Like

I do use keys for ssh to the VPS and now have 1Password providing the agent for that. It’s glorious. But my point was about sudo on the VPS. When I need that (reasonably often), I have to type my VPS account’s password. I know it really well and can type it flawlessly about 85% of the time, but those 15% make me want to be able to just use biometrics.

Sorry, got it wrong. For non-critical stuff, I just disable the password request for sudo.

  • root login is disabled
  • username/password disabled, only strong SSH key
  • then it really doesn’t matter if sudo is password-less (virtual instances running Homebridge, Plex, etc.). If anybody goes beyond the SSH key login…feel free to reconfigure my lamps. :smiley:
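An added audit script for the two preconditions this post lists (example code written for this page, not the poster's own setup). The sshd_config samples and the user name alice are constructed; sshd_value and audit_sshd_config are hypothetical helper names, and the drop-in is staged to a temp file so the only thing you install by hand, as root, is a checked file under /etc/sudoers.d/.

```shell
#!/bin/sh
# Added example (not the poster's configuration): verify that root login and
# password auth are off before making sudo password-less, and stage the
# sudoers change as a drop-in rather than editing /etc/sudoers directly.

# Effective value of an sshd_config keyword. sshd honours the FIRST uncommented
# occurrence, so a hardened line must precede any conflicting duplicate.
# Caveat: Include directives and Match blocks are not followed by this parser.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# 0 only when root login, password auth and keyboard-interactive auth are off
# and public-key auth is on; prints each mismatch (an unset key means default).
audit_sshd_config() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                KbdInteractiveAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Stage a one-user NOPASSWD drop-in with the mode sudo requires (0440).
# Install it as root to /etc/sudoers.d/<user> only after the audit passes.
write_nopasswd_dropin() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1" > "$2"
    chmod 0440 "$2"
    # visudo -cf syntax-checks without installing; it also checks ownership,
    # so it is only meaningful when run as root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$2"
    fi
}

# Constructed samples: "hardened" meets the criteria (the trailing duplicate
# does NOT override the earlier "no"); "weak" still permits password login.
make_sample_sshd_config() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' \
            'PubkeyAuthentication yes' 'PasswordAuthentication no' \
            'KbdInteractiveAuthentication no' 'PasswordAuthentication yes' > "$f"
    else
        printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
            '#PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$f"
    fi
    echo "$f"
}

HARD=$(make_sample_sshd_config hardened)
WEAK=$(make_sample_sshd_config weak)
audit_sshd_config "$HARD" && echo "hardened sample: OK to consider NOPASSWD sudo"
audit_sshd_config "$WEAK" || echo "weak sample: fix sshd first"
DROPIN=$(mktemp)
write_nopasswd_dropin alice "$DROPIN" && cat "$DROPIN"
rm -f "$HARD" "$WEAK" "$DROPIN"
```

On a real VPS, point the audit at /etc/ssh/sshd_config; on distributions that ship an Include of /etc/ssh/sshd_config.d/*.conf, `sshd -T` prints the effective merged values and is the more reliable thing to check. The drop-in approach matters because a syntax error in /etc/sudoers can lock you out of sudo entirely, whereas visudo -cf rejects a bad drop-in before it is installed.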

Oh, that’s an interesting take. I do meet those two criteria already.