The general idea is to edit the sudo service file of the Pluggable Authentication Modules (PAM) framework, /etc/pam.d/sudo, and add the Touch ID module (pam_tid.so) as the first authentication method tried. Because the module is listed as "sufficient", a successful fingerprint match satisfies sudo on its own, while a failed or cancelled Touch ID prompt falls through to the usual password check.
Create a script (preferred)
Several tutorials online explain how to edit the PAM sudo file by hand, which I also cover later in this post. However, I noticed that every macOS update overwrites /etc/pam.d/sudo, so I had to reapply the fix each time. I therefore wrote a script to automate the process: after updating macOS, I simply run it again. (Since macOS 14 Sonoma, Apple ships /etc/pam.d/sudo_local.template for exactly this purpose; copy it to /etc/pam.d/sudo_local and uncomment its pam_tid.so line, and that file is included from the sudo file and survives updates. The steps below edit /etc/pam.d/sudo directly and work on older releases too.)
First, open an empty file, e.g.:
nano ~/enable_touch_id.sh
Copy the following code and paste it into the file.
#!/bin/bash
# Insert the Touch ID module as the first auth line of the sudo PAM file,
# directly under the comment on line 1. The grep guard makes the script
# safe to re-run: the line is only added when it is not already present.
if ! grep -q 'pam_tid.so' /etc/pam.d/sudo; then
  sed -i '' '2i\
auth sufficient pam_tid.so
' /etc/pam.d/sudo
fi
If you don't care why I split this sed command across several lines, do yourself a favor and skip this paragraph. If you're curious, you're a major geek. I did it because that is what POSIX sed specifies: the text for the i command starts on the line after i\. GNU sed has an extension that lets you put the text on the same line, but macOS ships the BSD sed, which rejects that form and does not interpret \n inside the text either, so a backslash followed by a literal newline is the portable way to do it. Several other ways exist to achieve the same result, but I will not list them here. It is also important not to use double quotes here. Inside a double-quoted string the shell treats a backslash followed by a newline as a line continuation and removes both characters before sed ever sees them, so sed would receive 2iauth sufficient pam_tid.so on a single line and fail. You could escape the escape with a double backslash, but single quotes are simpler. :)
Make the script executable.
chmod +x ~/enable_touch_id.sh
Run the script using sudo. This time you will have to authenticate by typing your password.
sudo ~/enable_touch_id.sh
Done! Open a new terminal window (so the credentials cached by the previous sudo are not reused) and run any sudo command; you should get the Touch ID prompt instead of the password prompt. Your password still works as a fallback, because the pam_opendirectory.so line is untouched.
Manually editing the file
If you don't like the idea of automating the process, the instructions below guide you through editing the file manually. If you had issues running the script above, please let me know so I can update this post.
Open the /etc/pam.d/sudo file, e.g.:
sudo nano /etc/pam.d/sudo
Add the following line directly under the comment on line 1, so it becomes the first auth entry.
auth sufficient pam_tid.so
The completed file will probably look like the following (the other lines may differ slightly depending on your macOS version).
# sudo: auth account password session
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
When editing PAM files, keep the editor open, save the file, and verify in a second terminal window that sudo still works before exiting the editor. If something is wrong, you can fix it in the still-open editor without needing sudo to reopen the file.
Once verified as working, you may exit the file, Ctrl+x.
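Putting the script section and the manual-edit checks together, here is an added example (my own code, not the script from the post) that makes the change idempotent, keeps a backup next to the original, and refuses to install a result whose non-comment lines do not have the type/control/module shape PAM expects, which is exactly the failure mode described under Troubleshooting below. It assumes it is saved as enable_touch_id.sh, as in the script section; because it uses awk and a temporary file instead of the BSD-only sed -i '' idiom, its functions can also be exercised against a scratch copy of the PAM file without touching the real one.

```shell
#!/bin/bash
# Added example, not the post's own script: idempotent Touch ID enablement
# for sudo with a backup and a shape check on the result before it is
# installed. Assumes it is saved as enable_touch_id.sh and run via sudo.
set -eu

TID_LINE='auth       sufficient     pam_tid.so'

# has_tid FILE -> 0 if FILE already has an active pam_tid.so auth line.
has_tid() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# render_with_tid FILE -> FILE's contents on stdout with TID_LINE inserted as
# line 2, i.e. directly under the "# sudo: ..." comment and ahead of the
# existing auth entries. Portable replacement for the BSD-only sed -i '' idiom.
render_with_tid() {
  awk -v line="$TID_LINE" \
    'NR == 2 { print line } { print } END { if (NR < 2) print line }' "$1"
}

# pam_sanity FILE -> 0 if every non-blank, non-comment line has the
# "type control module [args]" shape. Bracketed control fields such as
# [success=1 default=ignore] are not used in the stock sudo file and are
# deliberately not accepted here; widen the regex if you need them.
pam_sanity() {
  ! grep -Ev '^[[:space:]]*(#|$)' "$1" |
    grep -Evq '^[[:space:]]*(auth|account|password|session)[[:space:]]+(required|requisite|sufficient|optional|include)[[:space:]]+[A-Za-z0-9_./-]+([[:space:]].*)?$'
}

# enable_touch_id FILE -> adds the Touch ID line to FILE if it is missing.
# A copy of the original is kept at FILE.bak (PAM only reads pam.d files
# whose name matches a service, so the copy is inert there and easy to
# restore via Finder if sudo ever breaks). Returns 1 and leaves FILE
# untouched if the rendered result fails pam_sanity.
enable_touch_id() {
  local file="$1" tmp
  if has_tid "$file"; then
    echo "pam_tid.so already enabled in $file"
    return 0
  fi
  cp "$file" "$file.bak"
  tmp="$(mktemp)"
  render_with_tid "$file" > "$tmp"
  if ! pam_sanity "$tmp"; then
    rm -f "$tmp"
    echo "refusing to install malformed PAM file; $file left untouched" >&2
    return 1
  fi
  # Overwrite in place rather than mv, so the root:wheel owner and 0444
  # mode of /etc/pam.d/sudo are preserved.
  cat "$tmp" > "$file"
  rm -f "$tmp"
  echo "Touch ID enabled in $file (backup at $file.bak)"
}

# Only touch the real file when executed as the script itself; sourcing the
# file (for example from a test) just defines the functions above.
if [ "${0##*/}" = "enable_touch_id.sh" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as: sudo $0" >&2; exit 1; }
  enable_touch_id /etc/pam.d/sudo
fi
```

Run it as sudo ~/enable_touch_id.sh exactly like the original script; a second run reports that the line is already present and changes nothing. If a later edit ever breaks sudo, the untouched copy at /etc/pam.d/sudo.bak is what you drag back over the sudo file in Finder.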
Troubleshooting
If you run into a situation where you can't use sudo, and you're getting an error similar to:
sudo: unable to initialize PAM: No such file or directory
Then the formatting of the sudo file is probably wrong, or a stray character was accidentally added somewhere. Because sudo itself now refuses to start, you cannot use sudo to repair the file; an easy way out is to overwrite the broken sudo file with a correct copy using Finder, which authenticates through its own administrator prompt rather than through the sudo PAM service.
- Create a correct copy of the sudo file (named sudo) in your home directory, using the completed file shown above.
- Open Finder, in the menu click Go -> Go To Folder.
- Enter /etc/pam.d in the box, and click the Go button.
- Move the file from your home directory to that folder in Finder.
- Click on the prompt to Authenticate.
- Click on the prompt to overwrite the existing file.
- Use either the Touch ID or password to authenticate.
Voila! You should be able to use sudo again.