mattrajca / sudo-touchid

A fork of `sudo` with Touch ID support.

macOS already supports this #30

Open breun opened 6 years ago

breun commented 6 years ago

Although this is a cool project, if you add the following line to the top of /etc/pam.d/sudo there is no need to replace sudo:

```
auth       sufficient     pam_tid.so
```

It might be nice to point this out in the README.

DenWav commented 6 years ago

Wow, thanks for the tip! Been using this since I got my MacBook, cool to see a native solution exists.

lucasjohnston commented 6 years ago

You're right to point out that macOS already supports TouchID with sudo, but to do so requires a system config change (editing your /etc/pam.d/sudo file). This means that you will not be able to use sudo when SSHing in, because you can't send your fingerprint through the internet.

Also, I'd generally lean towards avoiding editing core system config files if possible, but that's just my personal opinion! The way I use this project is by building the binary with a different name (I personally use lucasudo :wink:) and sticking it in /usr/local/bin. Doing this means I'm not overriding my system's sudo, which imo is a safer option - and allows me to continue using sudo over SSH.

This is down to personal preference really, but I completely agree that pointing out both options in the readme would be a good idea.

rkujawa commented 5 years ago

@lucasjohnston You can still use sudo over ssh even if you enable this, since pam_tid.so in the example above is marked as "sufficient". I.e. it is allowed to fail and the authentication mechanism will happily fall through to the next module.
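An added example, not part of the thread or of the project's code: a small Python check for the point discussed in the comments above, that `pam_tid.so` needs the `sufficient` control flag and a later auth module to fall through to, so that sudo keeps working where Touch ID is unavailable (for example over SSH). The function names and the sample stacks are constructed for illustration.

```python
import re

# One PAM rule: <type> <control> <module> [args]; control may be bracketed.
RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for every rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules

def check_touch_id(text):
    """Classify how pam_tid.so is wired into the auth stack."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    idx = next((i for i, r in enumerate(auth)
                if r[2].endswith("pam_tid.so")), None)
    if idx is None:
        return "absent"
    control = auth[idx][1]
    if control in ("required", "requisite"):
        # A Touch ID failure (no sensor, remote session) fails the stack.
        return "blocking"
    if control != "sufficient":
        return "other"
    # sufficient: failure is ignored, so a later auth module must exist.
    if any(r[1] in ("required", "requisite", "sufficient")
           for r in auth[idx + 1:]):
        return "ok"
    return "no-fallback"

# Constructed sample stacks (not copied from any particular system).
FALLS_THROUGH = """\
# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
"""
BLOCKS_SSH = FALLS_THROUGH.replace("sufficient     pam_tid.so",
                                   "required       pam_tid.so")

if __name__ == "__main__":
    for name, stack in (("sufficient", FALLS_THROUGH), ("required", BLOCKS_SSH)):
        print(name, "->", check_touch_id(stack))
```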