
Comments (12)

melvinchia commented on August 17, 2024

glad to know I'm not the only one it works "out-of-the-box" for..

In conclusion: This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

from pam-watchid.

Logicer16 commented on August 17, 2024

Taking a quick look at the source of pam_tid.so it seems it only applies to Touch ID (kLAPolicyDeviceOwnerAuthenticationWithBiometrics) and not Apple Watch (kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch). Unless the version distributed in macOS is different from the published sources and does in fact work with a watch, it seems this issue isn't currently applicable here. It is however very relevant to our upstream, so maybe take a look there.

melvinchia commented on August 17, 2024

it does trigger my Apple Watch for permission when I attempt to sudo (with the stock pam_tid.so added in the stock sudo_local)..

fitzage commented on August 17, 2024

It does not trigger my watch for authentication using the standard sudo_local config. It only triggers touchid.

Edit: Adding this plugin and enabling it in sudo_local breaks sudo completely, though.

sudo: unable to initialize PAM: No such file or directory

Moulick commented on August 17, 2024

yep, it works, following https://sixcolors.com/post/2023/08/in-macos-sonoma-touch-id-for-sudo-can-survive-updates/ , running sudo triggers both Apple Watch and Touch ID at the same time, so you can auth using whichever you can reach first, hella convenient

echo "auth       sufficient     pam_tid.so" | sudo tee -a /etc/pam.d/sudo_local

open new shell and try sudo su

Copying the steps here for posterity

BY DAN MOREN
August 18, 2023 5:33 AM PT

■ MACOS SONOMA
In macOS Sonoma, Touch ID for sudo can survive updates
One of the great things about having a Mac with built-in biometric authentication is not having to constantly type in your password. It’s particularly nice for those of us that work in Terminal, where you can set up Touch ID to authenticate the sudo command that bestows administrative powers.

However there’s been one drawback to enabling that feature: because it means altering a system file, the change wouldn’t generally survive a system update—the file would get overwritten by the stock file every time macOS released a new version, meaning you’d have to go in and make the change again. I’m probably not alone in having given up on having Touch ID enabled, rather than playing the constant cat-and-mouse game.

But wait, there’s good news: in macOS Sonoma, Apple appears to have provided a new framework to work around this problem. As Mastodon user Rachel pointed out, Sonoma allows for an additional file that will persist through updates. So you can make the change once and it should stick.

From what I can tell, this system was put in place precisely for this feature. Apple provides a sudo_local.template file as an example, which not only contains a comment explaining that sudo_local will survive updates, but also even includes the code necessary to enable Touch ID.

So, without further ado, here are the steps for enabling this feature in macOS Sonoma, once and for all:
Open the Terminal app. Navigate to the directory that stores the authentication files by typing the following:

cd /etc/pam.d

Next, copy Apple’s provided template to the actual file that the system will read. You’ll need to use sudo and enter your administrator password to get permission:

sudo cp sudo_local.template sudo_local

Finally, open up the file you just made using your text editor of choice; I prefer pico. You’ll need to use sudo again here.

sudo pico sudo_local

In that file, navigate to the line that contains pam_tid.so and delete the hashtag (#) at the beginning. Save the file out by pressing Control-X, typing ‘Y’ to save your changes, and hitting Return.

That’s it; you’re done! We’ll have to wait and see if this truly works as described, but fingers crossed you should be able to keep Touch ID access for sudo for ever and ever.

[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @[email protected] or reach him by email at [email protected]. His latest novel, the supernatural detective story All Souls Lost, is out now.]


from pam-watchid.
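
An audit of the file the steps above edit, as an added example that is not part of the thread or of pam-watchid: it reports whether pam_tid.so is active in a PAM service file, flags entries duplicated by re-running the tee -a one-liner, and flags modules that have no file in the module directories. The default directories and all function names are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM service file such as
# /etc/pam.d/sudo_local. The default module directories are an assumption.
PAM_MODULE_DIRS="${PAM_MODULE_DIRS:-/usr/lib/pam /usr/local/lib/pam}"

# Print "<count> <module>" for each active (uncommented, non-include) auth line.
active_auth_modules() {
    awk '$1 == "auth" && $2 != "include" { print $3 }' "$1" |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# Succeed if <module> or <module>.<version> exists in one of the module dirs.
module_installed() {
    for dir in $PAM_MODULE_DIRS; do
        for f in "$dir/$1" "$dir/$1".*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Print findings for FILE; the return status is the number of problems found.
audit_pam_file() {
    problems=0
    [ -r "$1" ] || { echo "UNREADABLE $1"; return 1; }
    active=$(active_auth_modules "$1")
    echo "$active" | grep -q ' pam_tid\.so$' || echo "INFO pam_tid.so not enabled"
    while read -r count module; do
        [ -n "$module" ] || continue
        [ "$count" -le 1 ] || { echo "DUPLICATE $module x$count"; problems=$((problems + 1)); }
        module_installed "$module" || { echo "NOTFOUND $module"; problems=$((problems + 1)); }
    done <<EOF
$active
EOF
    return "$problems"
}

# Constructed sample: pam_tid.so appended twice, plus a module with no file on disk.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/pam" && : > "$tmp/pam/pam_tid.so.2"
    printf 'auth       sufficient     %s\n' pam_watchid.so pam_tid.so pam_tid.so > "$tmp/sudo_local"
    rc=0
    ( PAM_MODULE_DIRS="$tmp/pam"; audit_pam_file "$tmp/sudo_local" ) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

[ $# -eq 0 ] || audit_pam_file "$1"
```

Run it with /etc/pam.d/sudo_local as the only argument to audit the live file; reading that file does not require sudo on a default install only if its permissions allow it, so an UNREADABLE result means the check needs elevated rights.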

Moulick commented on August 17, 2024

There is a 1/2 second gap between the touch-id popup and Apple Watch, which does make sense given it's two different devices connected over Bluetooth.

OliverJAsh commented on August 17, 2024

This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

Does it work when the MacBook is in clamshell mode (lid closed)?

deed02392 commented on August 17, 2024

I can confirm just enabling pam_tid.so works for Apple Watch Touch ID, but only if you've enabled this in:

System Settings.app -> Touch ID & Password -> Apple Watch: Use Apple Watch to unlock your applications and Mac

Can't test what happens with the clamshell closed because I don't have an external display and am on battery right now, which means I can't prevent the machine from going to sleep before triggering sudo -v after a delay.

Logicer16 commented on August 17, 2024

This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

Does it work when the MacBook is in clamshell mode (lid closed)?

On a related note, does it work on Macs without Touch ID?

OliverJAsh commented on August 17, 2024

Does it work when the MacBook is in clamshell mode (lid closed)?

I've just tested this. It does not.

fitzage commented on August 17, 2024

After further testing this morning, I realized that my issue is that it doesn’t do the watch when in clamshell mode because it senses there’s no TouchID so it does nothing. It does, however, do the watch when TouchID is available, but I never noticed because I don’t use it that way much and TouchID pops up first.

deed02392 commented on August 17, 2024

These are my observations too. I think this suggestion above (#26 (comment)) will probably work from clamshell, but I've not tested yet.
