Open kaihowl opened 3 months ago
The UseKeychain option is specific to macOS. https://www.unixtutorial.org/ssh-bad-configuration-option-usekeychain/?
https://www.reddit.com/r/bash/comments/62dv3n/can_i_use_the_mac_login_keychain_to_execute_sudo/ uses the keychain to access the password, which then grants sudo. This is indirect and requires the login password to be stored in the login keychain. This is strange. Also the biometric login does not work directly.
Is there no way to trigger the biometric login with a sudo configuration option instead?
See https://ss64.com/mac/sudo.html for biometric sudo.
That is only partial information. https://github.com/fabianishere/pam_reattach is needed from homebrew as well based on info from https://apple.stackexchange.com/questions/259093/can-touch-id-on-mac-authenticate-sudo-in-terminal.
This is a lot of additional (unvetted) infra to avoid typing a password. I am not convinced that this is the way to go.
If going down this road, remember that /etc/pam.d/sudo might be overridden by system updates. Modifications should be put into the included template file instead.
AddKeysToAgent and UseKeychain are both required (see this). Then the login keychain will store the ssh password.
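One way to follow the advice above about not editing /etc/pam.d/sudo directly, as an added example that is not code from this issue thread or from pam_reattach: a POSIX shell helper that renders the update-safe sudo_local include file from Apple's template, first checks that the live sudo policy actually includes that file, and puts pam_reattach ahead of pam_tid. It assumes the macOS 14+ paths /etc/pam.d/sudo_local.template and /etc/pam.d/sudo_local (not named on the page) and the Homebrew pam_reattach module.

```shell
#!/bin/sh
# Added example, not from the issue thread. Builds the contents of
# /etc/pam.d/sudo_local (the include file that survives updates) from Apple's
# template instead of editing /etc/pam.d/sudo, which system updates overwrite.
# Assumptions (not stated on the page): macOS ships
# /etc/pam.d/sudo_local.template with a commented-out pam_tid.so line, and
# /etc/pam.d/sudo contains "auth include sudo_local"; pam_reattach.so is the
# Homebrew module mentioned in the thread.

# Return 0 only if the given sudo PAM policy file includes sudo_local.
# If it does not, a sudo_local file is never consulted, so do not proceed.
sudo_includes_local() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local' "$1"
}

# Render sudo_local from the template on stdin to stdout:
#   - uncomment the "auth sufficient pam_tid.so" (Touch ID) line,
#   - if $1 is "yes", insert pam_reattach.so directly above it, because
#     pam_reattach must run before pam_tid for tmux/screen sessions,
#   - pass every other line through unchanged.
render_sudo_local() {
    awk -v reattach="$1" '
        /^[ \t]*#[ \t]*auth[ \t]+sufficient[ \t]+pam_tid\.so/ {
            if (reattach == "yes")
                print "auth       optional       pam_reattach.so"
            sub(/^[ \t]*#[ \t]*/, "")
        }
        { print }
    '
}

# Stand-alone use: sh render_sudo_local.sh TEMPLATE [yes|no] > sudo_local
# Refuses to run when the live policy does not include sudo_local.
if [ "$#" -ge 1 ]; then
    if ! sudo_includes_local /etc/pam.d/sudo; then
        echo "/etc/pam.d/sudo does not include sudo_local; aborting" >&2
        exit 2
    fi
    render_sudo_local "${2:-no}" < "$1"
fi
```

Review the rendered output before copying it into place; the check on /etc/pam.d/sudo is what tells you whether this approach will survive the next update at all.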