Make sudo Spiffy on macOS with TouchID


About five months ago, I followed the steps in this article: Use TouchID to Authenticate sudo on macOS via HN so that I could use my fingerprint to complete actions that require sudo privileges.

Other than using TouchID to login at the start of my day, I rarely use the TouchID button on my MacBook Pro for much else, so I liked the added convenience this feature offered.

I have been putting off updating to macOS Ventura for several weeks now, but I made a mental note: whenever I do succumb to doing a major OS update, I would re-apply my TouchID changes, because such changes do not survive a major OS update.

Fast-forward to today and I only just realized that my changes had been overwritten. At the time I enabled TouchID with sudo on August 27, 2022, I was on macOS Monterey 12.3.1. About a month later, on September 26, I updated to Monterey 12.6.

It turns out that, even for a minor OS update, those changes will be overwritten by macOS. I had incorrectly assumed they would only be overwritten by a major update, i.e. moving from Big Sur to Monterey or Monterey to Ventura.

I'm still trying to come up with a safe and repeatable way to automatically apply these changes after an OS update, but for the time being, I'm simply going to spell out all the steps in this article so I can quickly copy-paste just the bits that I need for my future self.

Step 1: view the contents of /etc/pam.d/sudo:

cat /etc/pam.d/sudo
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Step 2: make a backup of /etc/pam.d/sudo so any typos can easily be reverted (ask me how I know 🤦‍♂️). Note that macOS won't let your user account write to /etc/ directly, so choose a location that is writable, like /Users/<account>:

cp /etc/pam.d/sudo ~/etc-pam.d-sudo

Step 3: add the following line: auth sufficient pam_tid.so directly below the first line auth sufficient pam_smartcard.so inside the file /etc/pam.d/sudo:

# even though it's a small edit, doing it manually is error-prone
sudo vim /etc/pam.d/sudo

or, if you are lazy like me, use this one-liner instead:

# this one-liner is much safer
# note: it is not idempotent - running it a second time inserts a second pam_tid.so line,
# so only run it once per OS update and confirm the result in step 4
sudo perl -pi -e 's/(pam_smartcard\.so)/$1\nauth       sufficient     pam_tid.so/' /etc/pam.d/sudo

Step 4: review the updated file /etc/pam.d/sudo to confirm your changes:

cat /etc/pam.d/sudo
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Done!
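As an added example, not part of the original post, here is one way to make the whole procedure above repeatable after each OS update: a small POSIX shell helper that takes a backup, refuses to touch a file that doesn't contain the expected pam_smartcard.so line, inserts the pam_tid.so line directly below it, and does nothing if the line is already present, so it can be re-run safely. The function names and the sample-file writer are my own; the sample content is constructed from the stock file shown in Step 1.

```shell
#!/bin/sh
# Idempotently enable TouchID for sudo by adding "auth sufficient pam_tid.so"
# directly below the pam_smartcard.so line of a PAM config file.
# Real usage (runs as root, so /etc/pam.d/ is writable):
#   sudo sh -c '. ./enable_pam_tid.sh; enable_pam_tid /etc/pam.d/sudo'

enable_pam_tid() {
    file="$1"
    # Already enabled: nothing to do, which is what makes re-running safe.
    if grep -q 'pam_tid\.so' "$file"; then
        return 0
    fi
    # Only modify a file that looks like the stock sudo config; a surprise
    # layout after an update is a reason to stop, not to guess.
    if ! grep -q '^auth[[:space:]].*pam_smartcard\.so' "$file"; then
        echo "no pam_smartcard.so auth line in $file; not modifying" >&2
        return 1
    fi
    # Keep a backup beside the file so a typo can be reverted quickly.
    cp "$file" "$file.bak"
    # Print every line; after the first smartcard line also print the new one.
    awk '{ print }
         /pam_smartcard\.so/ && !done {
             print "auth       sufficient     pam_tid.so"; done = 1
         }' "$file" > "$file.tmp"
    # Overwrite in place (cat > file) so ownership and mode are preserved.
    cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

# Constructed copy of the stock /etc/pam.d/sudo from Step 1, for testing
# against a scratch file instead of the real system file.
write_sample_sudo_pam() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}
```

Because the helper exits early when pam_tid.so is already present, it can be run blindly after every update, unlike the perl one-liner.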