About five months ago, I followed the steps in this article: Use TouchID to Authenticate sudo on macOS via HN so that I could use my fingerprint to complete actions that require
Other than using TouchID to log in at the start of my day, I rarely use the TouchID button on my MacBook Pro for much else, so I liked the added convenience this feature offered.
I have been putting off updating to macOS Ventura for several weeks now, but I made a mental note: whenever I do succumb to doing a major OS update, I would re-apply my TouchID changes because such changes do not survive a major OS update.
Fast-forward to today and I only just realized that my changes had been overwritten. At the time I enabled TouchID with sudo on August 27, 2022, I was on macOS Monterey 12.3.1. About a month later, on September 26, I updated to Monterey 12.6.
It turns out that even a minor OS update overwrites those changes. I had incorrectly assumed they would only be overwritten by a major update, i.e. moving from Big Sur to Monterey or from Monterey to Ventura.
I'm still trying to come up with a safe and repeatable way to automatically apply these changes after an OS update, but for the time being, I'm simply going to spell out all the steps in this article so I can quickly copy-paste just the bits that I need for my future self.
Step 1: view the contents of /etc/pam.d/sudo:
cat /etc/pam.d/sudo
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
Step 2: make a backup of /etc/pam.d/sudo so any typos can easily be reverted (ask me how I know 🤦♂️). Note that macOS won't allow you to write to /etc/, so choose a writable location such as your home directory:
cp /etc/pam.d/sudo ~/etc-pam.d-sudo
Step 3: add the line
auth sufficient pam_tid.so
directly below the first line
auth sufficient pam_smartcard.so
inside the file:
# even though it's a small edit, doing it manually is error-prone
sudo vim /etc/pam.d/sudo
or, if you are lazy like me, use this one-liner instead:
# this one-liner is much safer
sudo perl -pi -e 's/(pam_smartcard.so)/$1\nauth sufficient pam_tid.so/' /etc/pam.d/sudo
Step 4: review the updated file /etc/pam.d/sudo to confirm your changes:
cat /etc/pam.d/sudo
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
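The perl one-liner above is not idempotent: run it twice (say, once by hand and once from a script after an update) and you end up with two pam_tid.so lines, and it will happily "patch" a file whose layout has changed in a way you did not expect. The script below is an added example, not code from the original post, that folds steps 2 through 4 into re-runnable shell functions: it refuses to touch a file that lacks the pam_smartcard.so anchor line, skips the edit if pam_tid.so is already present, takes the backup first, and verifies the result. File paths are parameters so it can be exercised on a constructed copy of the listing above; against the real /etc/pam.d/sudo it would be run as root. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent, checked version of the
# pam_tid.so edit so it can be re-applied after every macOS update without stacking
# duplicate lines. The sample file written by write_sample_pam_file is constructed
# from the page's listing of a fresh /etc/pam.d/sudo.

TID_LINE='auth       sufficient     pam_tid.so'

# write_sample_pam_file FILE: constructed stand-in for an unmodified /etc/pam.d/sudo
write_sample_pam_file() {
    printf '%s\n' \
        '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' \
        'password   required       pam_deny.so' \
        'session    required       pam_permit.so' > "$1"
}

# count_tid_lines FILE: number of pam_tid.so lines (0 before the edit, exactly 1 after)
count_tid_lines() {
    grep -c 'pam_tid\.so' "$1" || true
}

# enable_touchid_sudo FILE BACKUP
#   returns 0 = line inserted, 2 = already present (nothing changed), 1 = file not recognised
enable_touchid_sudo() {
    file="$1"; backup="$2"
    # Refuse to edit anything that lacks the anchor line we insert below: if an update
    # renames the module or changes the layout, fail loudly rather than edit blindly.
    grep -q '^auth[[:space:]]*sufficient[[:space:]]*pam_smartcard\.so' "$file" || return 1
    # Idempotency: a second run, or a run on an already patched file, is a no-op.
    [ "$(count_tid_lines "$file")" -eq 0 ] || return 2
    cp "$file" "$backup" || return 1
    # Insert TID_LINE after the first pam_smartcard.so auth line (same effect as the
    # perl -pi one-liner). Writing through with cat keeps the file's owner and mode.
    awk -v tid="$TID_LINE" '
        { print }
        /^auth[[:space:]]+sufficient[[:space:]]+pam_smartcard\.so/ && !done { print tid; done = 1 }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# verify_touchid_sudo FILE: 0 only if pam_tid.so sits directly below the pam_smartcard.so line
verify_touchid_sudo() {
    awk '
        prev ~ /pam_smartcard\.so/ && $0 ~ /^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so/ { ok = 1 }
        { prev = $0 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Demo on a scratch copy; it never touches /etc. For real use call the functions with
# /etc/pam.d/sudo and a backup path in your home directory, as root.
demo_dir=$(mktemp -d)
write_sample_pam_file "$demo_dir/sudo"
enable_touchid_sudo "$demo_dir/sudo" "$demo_dir/sudo.bak"
verify_touchid_sudo "$demo_dir/sudo" && echo "pam_tid.so installed; backup at $demo_dir/sudo.bak"
rm -rf "$demo_dir"
```

Because the anchor check and the presence check both happen before the backup is written, the script can sit in a post-update checklist and be run unconditionally: on a fresh file it patches, on an already patched file it returns 2 and changes nothing, and on an unfamiliar file it returns 1 so you know to look at /etc/pam.d/sudo by hand.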