Do you own a Mac mini with a keyboard that lacks Touch ID, or a Mac without Touch ID but with an Apple Watch, and would you like to authenticate your sudo commands with the watch?
I use a Mac mini as my daily driver, and for many years my main keyboard was a Magic Keyboard with Touch ID.
magic keyboard with touch ID
But around 2 months ago I switched to a Glove80, and as you can tell, this is not an Apple product, so it doesn't have Touch ID, and Mac minis don't include Touch ID either.
I'll review the Glove80 soon, so subscribe on YouTube to find out.
glove80 keyboard
I spend most of my day in my terminal, and I sometimes need to type my sudo password there. It's a bit annoying because I have an Apple Watch that I use to authenticate basically everywhere else.
In this video I'll help you set up macOS so that sudo authentication requests are sent to your Apple Watch instead of you typing the password.
auth request sent from terminal to apple watch
Disclaimer
Follow this guide at your own risk
I’m not responsible for:
Broken macs
Security issues related to any of the repos used
Authentication problems with sudo
Any other issues that may arise from following this guide
Make sure you understand what you’re doing before making changes to system files
I don't recommend doing this on a work or company computer. If the Mac is protected by a firmware password and you mess things up, you may need to boot into safe mode, and you probably won't have that password.
Requirements
This tutorial is for macOS.
You need an Apple Watch (mine is a Series 8; I haven't tested others).
I use an M1 Mac mini running Sequoia, and I'm not sure whether:
This works on Intel-based Macs
This works on older OS versions
You do not need a keyboard or mac with touch ID
A link to my guide will be in the video description
So you can copy all the commands
So you can also find all the links I share
If you like this, and want to support me
This helps me to keep creating content and sharing it
If 1 or more of the 2 above are not true, keep reading
You’re using macOS Sonoma or above (according to the source above)
The following section only works outside of tmux.
If you want this to work inside tmux, you first need to install pam_reattach:

```bash
brew install pam-reattach
```

If you don't know how to install brew, first watch this video.
After this you need to create the sudo_local file, and it needs to have these 2 lines:
an `auth optional` line that points to pam_reattach
an `auth sufficient` line that points to pam_tid.so
The command below removes the # character from the beginning of lines that start with #auth in the file /etc/pam.d/sudo_local.template and writes the modified content to /etc/pam.d/sudo_local.
It also adds the pam_reattach line above the pam_tid.so line.
The i command tells sed to insert the specified text before the line that matches the pattern. In BSD sed, the backslash (\) at the end of the line indicates that the text to insert continues on the next line.
Run the command below if you're a tmux user; it will add both lines needed.
Before running the command below, make sure that pam_reattach is in this directory. On Apple silicon Macs it is; if it's not there, read the pam_reattach docs.
```bash
ls /opt/homebrew/lib/pam/pam_reattach.so
```

```
linkarzu.@.mini/etc/pam.d🔒
[24/11/10] kubernetes ()
❯ ls /opt/homebrew/lib/pam/pam_reattach.so
/opt/homebrew/lib/pam/pam_reattach.so
```
If the file is there, run this command:

```bash
sed -e 's/^#auth/auth/' -e '/pam_tid.so/i\
auth optional /opt/homebrew/lib/pam/pam_reattach.so' /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local
```
Run the command below if you're NOT a tmux user; it will add a single line:

```bash
sudo rm /etc/pam.d/sudo_local
sed "s/^#auth/auth/" /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local
```
This is how my file looks after running the command for tmux:

```bash
cd /etc/pam.d
cat sudo_local
```

```
linkarzu.@.mini/etc/pam.d🔒
[24/10/30] kubernetes ()
❯ cat sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth optional /opt/homebrew/lib/pam/pam_reattach.so
auth sufficient pam_tid.so
```
The sudo file reads the contents of the sudo_local file by default.
This is what my file looks like after running the script, so I have to edit it to remove a few duplicated lines:
```
linkarzu.@.mini/etc/pam.d🔒 took 4s
[24/11/10] kubernetes ()
❯ cat sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth optional /opt/homebrew/lib/pam/pam_reattach.so
auth sufficient pam_watchid.so
auth sufficient pam_tid.so
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth sufficient pam_tid.so
auth sufficient pam_watchid.so
```
I use vim with sudo to edit my file:

```bash
sudo vim sudo_local
```
This is what the file looks like after cleanup.
Remember that I have pam_reattach.so because I use tmux and I have it installed; if you don't have that installed, don't add this line.

```
linkarzu.@.mini/etc/pam.d🔒 took 10s
[24/11/10] kubernetes ()
❯ cat sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth optional /opt/homebrew/lib/pam/pam_reattach.so
auth sufficient pam_tid.so
auth sufficient pam_watchid.so
```
Manual installation
Alternatively, if you want to clone the repo manually, run the makefile.
Notice there were no errors.
If you already ran the script above, don't run these commands below:

```bash
mkdir -p ~/github
cd ~/github
git clone https://github.com/Logicer16/pam-watchid.git
cd pam-watchid
sudo make install
```

```
linkarzu.@.mini~/github/pam-watchid on main via 🐦 v6.0.2
[24/11/05] kubernetes ()
❯ ls /usr/local/lib/pam/pam_watchid.so.2
/usr/local/lib/pam/pam_watchid.so.2
```
After it's installed, you can add it to your sudo_local file:

```
linkarzu.@.mini/etc/pam.d🔒 took 3s
[24/11/05] kubernetes ()
❯ cat sudo
# sudo: auth account password session
auth include sudo_local
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
linkarzu.@.mini/etc/pam.d🔒
[24/11/05] kubernetes ()
❯ cat sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth optional /opt/homebrew/lib/pam/pam_reattach.so
auth sufficient pam_watchid.so
auth sufficient pam_tid.so
```
After this, with my magic keyboard off and using my mac mini I get sudo notifications on my apple watch
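Before you close the root shell you used to edit sudo_local, it is worth checking that every module the file names actually resolves on disk, because a module that cannot be found is what breaks sudo (see the troubleshooting story below). This is an added example, not code from the original post or from pam-watchid: a POSIX sh checker that flags unknown types or control flags, modules that cannot be found, and pam_reattach listed after pam_tid.so. It assumes that macOS looks for bare module names in /usr/lib/pam and /usr/local/lib/pam and that a versioned file such as pam_watchid.so.2 satisfies a reference to pam_watchid.so; both are assumptions, so adjust PAM_DIRS if your layout differs.

```shell
# Added example, not code from the original post: sanity-check a sudo_local
# file before relying on it. A module that cannot be found is exactly what
# locked the author out of sudo, so every referenced module must resolve.
# Assumptions: PAM_DIRS are the directories macOS searches for bare module
# names, and a versioned file such as pam_tid.so.2 satisfies "pam_tid.so".
PAM_DIRS="${PAM_DIRS:-/usr/lib/pam /usr/local/lib/pam}"

# resolve PATH: 0 if PATH or a versioned PATH.N exists on disk
resolve() {
    [ -f "$1" ] && return 0
    for f in "$1".[0-9]*; do [ -f "$f" ] && return 0; done
    return 1
}

# module_exists NAME: absolute paths are taken as-is, bare names are searched
module_exists() {
    case "$1" in /*) resolve "$1"; return ;; esac
    for d in $PAM_DIRS; do resolve "$d/$1" && return 0; done
    return 1
}

# check_pam_file FILE: prints one line per problem; exit status = problem count
check_pam_file() {
    file=$1; problems=0; seen_tid=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
        set -- $line
        type=$1; control=$2; module=$3
        case "$type" in auth|account|password|session) ;;
            *) echo "bad type '$type': $line"; problems=$((problems+1)); continue ;;
        esac
        case "$control" in
            include) continue ;;                        # names another pam.d file
            required|requisite|sufficient|optional) ;;
            *) echo "bad control '$control': $line"; problems=$((problems+1)); continue ;;
        esac
        if [ -z "$module" ]; then
            echo "missing module: $line"; problems=$((problems+1)); continue
        fi
        module_exists "$module" || { echo "module not found: $module"; problems=$((problems+1)); }
        # pam_reattach only helps if it runs before pam_tid.so, as the sed command above arranges
        case "$module" in
            *pam_tid.so) seen_tid=1 ;;
            *pam_reattach.so) [ "$seen_tid" = 1 ] && { echo "pam_reattach.so listed after pam_tid.so"; problems=$((problems+1)); } ;;
        esac
    done < "$file"
    return "$problems"
}
```

Run `check_pam_file /etc/pam.d/sudo_local` from the same shell in which you edited the file; a nonzero exit status means fix the file before trying sudo in a new terminal.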
I have issues installing pam-watchid
I do not own this repo, but the maintainer was kind enough to enable issues and helped me solve an issue I had when trying to set it up
Yeah, it happened to me during the testing phase, I f*7cked up and wasn’t able to run sudo commands anymore
This happened because I added a pam_watchid.so from a repo that was not maintained anymore to my sudo_local file, that file was never found, so I couldn’t run sudo commands
I don't remember the exact details, but here's an overview of what I did. I don't remember the exact error I received either, but if you google that error, you'll be able to find the instructions.
I turned off my M1 Mac mini and started it in safe mode (by holding the power button for some time until I saw something on the screen).
Then open Disk Utility and mount your data partition.
Quit Disk Utility and open the terminal (Utilities - Terminal).
Then navigate to the directory /Volumes/Macintosh HD/private/etc/pam.d