biscuitehh / pam-watchid

PAM plugin module that allows the Apple Watch to be used for authentication
The Unlicense
710 stars, 67 forks

Apple Watch authentication for sudo [macOS Sonoma 14.0] #26

Open melvinchia opened 11 months ago

melvinchia commented 11 months ago

It seems that Apple Watch authentication for sudo on macOS Sonoma 14.0 is supported out-of-the-box now.. This doesn't need to be installed for it to work. Seems they've also added support for /etc/pam.d/sudo_local to persist the pam_tid.so line, which is pre-loaded in the OS, but commented out..

Logicer16 commented 11 months ago

Taking a quick look at the source of pam_tid.so it seems it only applies to Touch ID (kLAPolicyDeviceOwnerAuthenticationWithBiometrics) and not Apple Watch (kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch). Unless the version distributed in macOS is different from the published sources and does in fact work with a watch, it seems this issue isn't currently applicable here. It is however very relevant to our upstream, so maybe take a look there.

melvinchia commented 10 months ago

it does trigger my Apple Watch for permission when I attempt to sudo (with the stock pam_tid.so added in the stock sudo_local)..

fitzage commented 9 months ago

It does not trigger my watch for authentication using the standard sudo_local config. It only triggers touchid.

Edit: Adding this plugin and enabling it in sudo_local breaks sudo completely, though.

```
sudo: unable to initialize PAM: No such file or directory
```

Moulick commented 9 months ago

yep, it works, following https://sixcolors.com/post/2023/08/in-macos-sonoma-touch-id-for-sudo-can-survive-updates/ , running sudo triggers both Apple Watch and Touch ID at the same time, so you can auth using whichever you can reach first, hella convenient

```sh
echo "auth       sufficient     pam_tid.so" | sudo tee -a /etc/pam.d/sudo_local
```

Open a new shell and try `sudo su`

Copying the steps here for posterity

> BY DAN MOREN August 18, 2023 5:33 AM PT [MACOS SONOMA](https://sixcolors.com/tag/macos-sonoma/)
>
> In macOS Sonoma, Touch ID for sudo can survive updates
>
> One of the great things about having a Mac with built-in biometric authentication is not having to constantly type in your password. It's particularly nice for those of us that work in Terminal, where you can [set up Touch ID to authenticate the sudo command](https://sixcolors.com/post/2020/11/quick-tip-enable-touch-id-for-sudo/) that bestows administrative powers.
>
> However there's been one drawback to enabling that feature: because it means altering a system file, the change wouldn't generally survive a system update. The file would get overwritten by the stock file every time macOS released a new version, meaning you'd have to go in and make the change again. I'm probably not alone in having given up on having Touch ID enabled, rather than playing the constant cat-and-mouse game.
>
> But wait, there's good news: in macOS Sonoma, Apple appears to have provided a new framework to work around this problem. As [Mastodon user Rachel pointed out](https://mastodon.social/@StrangeNoises/110910261899874868), Sonoma allows for an additional file that will persist through updates. So you can make the change once and it should stick. From what I can tell, this system was put in place precisely for this feature. Apple provides a sudo_local.template file as an example, which not only contains a comment explaining that sudo_local will survive updates, but also even includes the code necessary to enable Touch ID.
>
> So, without further ado, here are the steps for enabling this feature in macOS Sonoma, once and for all:
>
> 1. Open the Terminal app.
> 2. Navigate to the directory that stores the authentication files by typing the following: `cd /etc/pam.d`
> 3. Next, copy Apple's provided template to the actual file that the system will read. You'll need to use sudo and enter your administrator password to get permission: `sudo cp sudo_local.template sudo_local`
> 4. Finally, open up the file you just made using your text editor of choice; I prefer pico. You'll need to use sudo again here: `sudo pico sudo_local`
> 5. In that file, navigate to the line that contains pam_tid.so and delete the hashtag (#) at the beginning. Save the file out by pressing Control-X, typing 'Y' to save your changes, and hitting Return.
>
> That's it; you're done! We'll have to wait and see if this truly works as described, but fingers crossed you should be able to keep Touch ID access for sudo for ever and ever.
>
> [Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at [@dmoren@zeppelin.flights](https://zeppelin.flights/@dmoren) or reach him by email at dan@sixcolors.com. His latest novel, the supernatural detective story All Souls Lost, [is out now](https://dmoren.com/all-souls-lost/).]
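An added example for this thread, not code from pam-watchid, from Apple, or from any commenter above: a POSIX shell script that does the sudo_local setup from the quoted article non-interactively and idempotently, and then checks that every module named in the resulting file is actually installed before you rely on it. A pam.d line that names a module not present on disk is the condition behind the "unable to initialize PAM: No such file or directory" failure reported earlier in the thread, and because that error breaks sudo itself, it is worth catching before closing your root shell. Assumptions, labelled in the code as well: macOS OpenPAM resolves a bare module name by searching /usr/lib/pam and /usr/local/lib/pam and accepts a versioned suffix such as pam_tid.so.2; the PAM_DIRS variable and the function names are this example's own, not anything from the project or the OS.

```shell
#!/bin/sh
# Added example for this thread; not part of pam-watchid or of any comment above.
# Assumption (labelled): OpenPAM on macOS resolves a bare module name such as
# "pam_tid.so" by searching these directories and accepting a versioned suffix
# (pam_tid.so.2). PAM_DIRS is this example's own knob; override it if your layout differs.
PAM_DIRS="${PAM_DIRS:-/usr/lib/pam /usr/local/lib/pam}"

# Return 0 if the module named on a pam.d line can be found on disk.
# Absolute paths are checked as-is; bare names are searched in PAM_DIRS,
# with or without a version suffix.
pam_module_present() {
    mod="$1"
    case "$mod" in
        /*) [ -e "$mod" ] && return 0; return 1 ;;
    esac
    for d in $PAM_DIRS; do
        [ -e "$d/$mod" ] && return 0
        for f in "$d/$mod".*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Validate every active (non-comment, non-blank) line of a pam.d file.
# Expects the common "type control module [args]" layout with a single-word
# control field. Reports each missing module on stderr and returns 1 if any
# is missing, which is the state that yields
# "sudo: unable to initialize PAM: No such file or directory".
check_pam_file() {
    file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        set -- $line
        if [ $# -lt 3 ]; then
            echo "malformed pam line: $line" >&2
            status=1
            continue
        fi
        if ! pam_module_present "$3"; then
            echo "missing module: $3 (line: $line)" >&2
            status=1
        fi
    done < "$file"
    return $status
}

# Create sudo_local from the template if it does not exist yet, then enable the
# pam_tid.so line: uncomment it if the template carries it commented out, append
# it if there is no such line at all. Running this twice changes nothing.
enable_pam_tid() {
    target="$1"
    template="$2"
    if [ ! -e "$target" ] && [ -e "$template" ]; then
        cp "$template" "$target"
    fi
    [ -e "$target" ] || : > "$target"
    if grep -q '^[[:space:]]*auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so' "$target"; then
        return 0   # already active
    fi
    if grep -q '^[[:space:]]*#[[:space:]]*auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so' "$target"; then
        # Strip the leading comment marker on that line only. -i.bak works with
        # both BSD sed (macOS) and GNU sed; the backup is removed on success.
        sed -i.bak 's/^[[:space:]]*#[[:space:]]*\(auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so.*\)$/\1/' "$target" \
            && rm -f "$target.bak"
    else
        printf 'auth       sufficient     pam_tid.so\n' >> "$target"
    fi
}
```

On a Sonoma machine you would run this from a root shell you keep open until the change is verified (`sudo -s`, then `enable_pam_tid /etc/pam.d/sudo_local /etc/pam.d/sudo_local.template && check_pam_file /etc/pam.d/sudo_local`), and only then test from a fresh terminal with `sudo -k; sudo -v`. If you also add a line for this project's module, run `check_pam_file` again before leaving the root shell: a failing check means sudo would refuse to start, and the open root shell is what lets you revert the line.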

melvinchia commented 9 months ago

glad to know I'm not the only one it works "out-of-the-box" for..

In conclusion: This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

Moulick commented 9 months ago

There is a 1/2 second gap between the Touch ID popup and Apple Watch, which does make sense given it's two different devices connected over Bluetooth.

OliverJAsh commented 9 months ago

> This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

Does it work when the MacBook is in clamshell mode (lid closed)?

deed02392 commented 9 months ago

I can confirm just enabling pam_tid.so works for Apple Watch Touch ID, but only if you've enabled this in:

System Settings.app -> Touch ID & Password -> Apple Watch: Use Apple Watch to unlock your applications and Mac

Can't test what happens with the clamshell closed because I don't have an external display and am on battery right now, which means I can't prevent the machine from going to sleep before triggering sudo -v after a delay.

Logicer16 commented 9 months ago

> This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

> Does it work when the MacBook is in clamshell mode (lid closed)?

On a related note, does it work on Macs without Touch ID?

OliverJAsh commented 9 months ago

> Does it work when the MacBook is in clamshell mode (lid closed)?

I've just tested this. It does not.

fitzage commented 9 months ago

After further testing this morning, I realized that my issue is that it doesn’t do the watch when in clamshell mode because it senses there’s no TouchID so it does nothing. It does, however, do the watch when TouchID is available, but I never noticed because I don’t use it that way much and TouchID pops up first.

deed02392 commented 9 months ago

These are my observations too. I think this suggestion above (https://github.com/biscuitehh/pam-watchid/issues/26#issuecomment-1767724759) will probably work from clamshell, but I've not tested yet.

Bubba8291 commented 3 weeks ago

> I can confirm just enabling pam_tid.so works for Apple Watch Touch ID, but only if you've enabled this in:
>
> System Settings.app -> Touch ID & Password -> Apple Watch: Use Apple Watch to unlock your applications and Mac
>
> Can't test what happens with the clamshell closed because I don't have an external display and am on battery right now, which means I can't prevent the machine from going to sleep before triggering sudo -v after a delay.

@deed02392 Is there a way to use my watch and Touch ID for sudo without having my computer be unlocked with my watch? I despise that you cannot require a prompt from the watch or just a way to lock the computer from the watch.

One of my friends would unlock my MacBook when I walk away by picking it up and bringing it close to me then going back to where they were.