sudo-touchid

Open source · Shell · 672 stars · 17 forks · 3 issues · 3 watchers · last commit: 1 month

About sudo-touchid

sudo-touchid is a Bash script that enables TouchID authentication for the sudo command on macOS. It automates the configuration of PAM to allow fingerprint authentication when running sudo in Terminal, similar to how Safari handles authentication. On macOS 14 and later, it creates or updates the /etc/pam.d/sudo_local file without modifying system-managed files, ensuring configurations persist across system updates. For macOS 13 and earlier, it supports legacy configurations and includes automatic migration. The script supports pam_reattach for tmux and screen compatibility, allowing TouchID to work properly in detached sessions. Key features include fast and reliable setup, no external dependencies, optional GUI session reattachment support, and detailed verbose or quiet output modes. Usage involves running sudo-touchid with no arguments to enable TouchID, or with -d to disable it. The script can be installed via Homebrew, downloaded directly, or run via curl without installation. Options include --with-reattac

Platforms

Web Self-hosted macOS

Languages

Shell

Native and reliable TouchID support for sudo

Try it out without installing

curl -sL git.io/sudo-touch-id | sh

Now sudo is great, just like Safari — with your fingerprint in Terminal.

Don't worry, you can also reverse it

Result: [preview image]

Just type git.io/sudotouchid to go here.

Features

  • Fast & reliable
  • Written in Bash — no dependencies
  • pam_reattach support for tmux/screen compatibility (GUI session reattachment)
  • Supports modern and legacy systems: For macOS 13 and below, see LEGACY_MACOS.md


Install

Via 🍺 Homebrew

brew install artginzburg/tap/sudo-touchid

Check out the formula if you're interested


Usage

Copy and run this command:

sudo-touchid

It adds TouchID to sudo configuration, or migrates an existing legacy configuration if you're upgrading from macOS 13 or below.

# Usage:
sudo-touchid [options]
             [-v,  --version]   # Output installed version
             [-d,  --disable]   # Remove TouchID from sudo config
             [--with-reattach]  # Include pam_reattach.so for tmux/screen support
             [--migrate]        # Migrate from legacy configuration
             [--verbose]        # Show detailed output
             [-q,  --quiet]     # Show minimal output (errors only)
             [-y,  --yes]       # Skip confirmation prompts (non-interactive mode)

If it is not installed, it can be run via curl, which is bundled with macOS:

sh <( curl -sL git.io/sudo-touch-id )

Accepts the same arguments, like -d or -v.


Why?

  • Productivity: Automates TouchID setup
  • Lightweight: Small Bash script, no builds or Xcode required
  • Reliable: Persistent configuration across system updates


How does it work?

For macOS 14+:

  • Creates /etc/pam.d/sudo_local with TouchID configuration
  • Never modifies system-managed /etc/pam.d/sudo file

All versions:

  • Has a --disable (-d) option that removes all TouchID configurations.
  • Optional --with-reattach for GUI session reattachment support
  • Creates backup files during migration
  • Automatically detects and migrates legacy configurations
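A read-only check of the files named above, added here as an example and not part of the sudo-touchid script. It assumes the module file names pam_tid.so and pam_reattach.so, that pam_reattach.so has to be listed before pam_tid.so to take effect, and that /etc/pam.d/sudo pulls in the local file with an "auth include sudo_local" line; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of the PAM files described above.
# Assumed (not stated on the page): module file names pam_tid.so and
# pam_reattach.so, and the "auth include sudo_local" line in /etc/pam.d/sudo.

# audit_pam_touchid FILE -> prints missing | disabled | enabled |
#   enabled+reattach | misordered (pam_reattach.so listed after pam_tid.so)
audit_pam_touchid() {
    [ -f "$1" ] || { echo missing; return 0; }
    awk '
        $1 != "auth" { next }                      # skips comments and other stacks
        /pam_tid\.so/      && !tid { tid = NR }    # first active Touch ID line
        /pam_reattach\.so/ && !rea { rea = NR }    # first active reattach line
        END {
            if (!tid)           print "disabled"
            else if (!rea)      print "enabled"
            else if (rea < tid) print "enabled+reattach"
            else                print "misordered"
        }' "$1"
}

# includes_sudo_local FILE -> exit 0 if FILE has an active include of sudo_local
includes_sudo_local() {
    awk '$1 == "auth" && $2 == "include" && $3 == "sudo_local" { found = 1 }
         END { exit !found }' "$1"
}

# group_or_world_writable FILE -> exit 0 if anyone besides the owner can write
# FILE; a writable PAM file lets that user change how sudo authenticates.
group_or_world_writable() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Constructed sample of a sudo_local file (not copied from the project).
sample_sudo_local() {
    printf '%s\n' \
        '# sudo_local: local additions to the sudo PAM stack' \
        'auth       optional       pam_reattach.so' \
        'auth       sufficient     pam_tid.so'
}

# Demo on the constructed sample; on a real Mac pass /etc/pam.d/sudo_local.
tmp=$(mktemp)
sample_sudo_local > "$tmp"
audit_pam_touchid "$tmp"    # prints: enabled+reattach
rm -f "$tmp"
```

On macOS 14+ the same functions can be pointed at /etc/pam.d/sudo_local and /etc/pam.d/sudo after running sudo-touchid, or after -d to confirm the configuration was removed.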

Manual installation

Just save sudo-touchid.sh as /usr/local/bin/sudo-touchid with execute permissions

See LEGACY_MACOS.md for additional considerations on older systems


Related

  • tmux/screen support: pam_reattach module (built-in via --with-reattach)
  • Apple Watch support: pam_watchid module
  • Disable password prompt: Change %admin ALL=(ALL) ALL to %admin ALL=(ALL) NOPASSWD: ALL in /etc/sudoers