Apple Watch authentication for sudo [macOS Sonoma 14.0]

[melvinchia]

It seems that Apple Watch authentication for sudo on macOS Sonoma 14.0 is supported out-of-the-box now.. This doesn't need to be installed for it to work. Seems they've also added support for /etc/pam.d/sudo_local to persist the pam_tid.so line, which is pre-loaded in the OS, but commented out..

[Logicer16]

Taking a quick look at the source of pam_tid.so it seems it only applies to Touch ID (kLAPolicyDeviceOwnerAuthenticationWithBiometrics) and not Apple Watch (kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch). Unless the version distributed in macOS is different from the published sources and does in fact work with a watch, it seems this issue isn't currently applicable here. It is however very relevant to our upstream, so make take a look there.

[melvinchia]

it does trigger my Apple Watch for permission when I attempt to sudo (with the stock pam_tid.so added in the stock sudo_local)..

[fitzage]

It does not trigger my watch for authentication using the standard sudo_local config. It only triggers touchid.

Edit: Adding this plugin and enabling it in sudo_local breaks sudo completely, though.

sudo: unable to initialize PAM: No such file or directory

[Moulick]

yep, it works, following https://sixcolors.com/post/2023/08/in-macos-sonoma-touch-id-for-sudo-can-survive-updates/ , running sudo triggers both Apple watch and Touch ID at the same time, so you can auth using which ever you can reach first, hella convenient

echo "auth       sufficient     pam_tid.so" | sudo tee -a /etc/pam.d/sudo_local

open new shell and try sudo su

Copying the steps here for posterity

BY DAN MOREN
August 18, 2023 5:33 AM PT

■ MACOS SONOMA
In macOS Sonoma, Touch ID for sudo can survive updates
One of the great things about having a Mac with built-in biometric authentication is not having to constantly type in your password. It’s particularly nice for those of us that work in Terminal, where you can set up Touch ID to authenticate the sudo command that bestows administrative powers.

However there’s been one drawback to enabling that feature: because it means altering a system file, the change wouldn’t generally survive a system update—the file would get overwritten by the stock file every time macOS released a new version, meaning you’d have to go in and make the change again. I’m probably not alone in having given up on having Touch ID enabled, rather than playing the constant cat-and-mouse game.

But wait, there’s good news: in macOS Sonoma, Apple appears to have provided a new framework to work around this problem. As Mastodon user Rachel pointed out, Sonoma allows for an additional file that will persist through updates. So you can make the change once and it should stick.

From what I can tell, this system was put in place precisely for this feature. Apple provides a sudo_local.template file as an example, which not only contains a comment explaining that sudo_local will survive updates, but also even includes the code necessary to enable Touch ID.

So, without further adieu, here are the steps for enabling this feature in macOS Sonoma, once and for all:
Open the Terminal app. Navigate to the directory that stores the authentication files by typing the following:

cd /etc/pam.d

Next, copy Apple’s provided template to the actual file that the system will read. You’ll need to use sudo and enter your administrator password to get permission:

sudo cp sudo_local.template sudo_local

Finally, open up the file you just made using your text editor of choice; I prefer pico. You’ll need to use sudo again here.

sudo pico sudo_local

In that file, navigate to the line that contains with pam_tid.so and delete the hashtag (#) at the beginning. Save the file out by pressing Control-X, typing ‘Y’ to save your changes, and hitting Return.

That’s it; you’re done! We’ll have to wait and see if this truly works as described, but fingers crossed you should be able to keep Touch ID access for sudo for ever and ever.

[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @[email protected] or reach him by email at [email protected]. His latest novel, the supernatural detective story All Souls Lost, is out now.]

If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.

[melvinchia]

glad to know I'm not the only one it works "out-of-the-box" for..

In conclusion: This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

[Moulick]

There is a 1/2 second gap between the touch-id popup and Apple watch, which does make sense give its two different devices connected over Bluetooth.

[OliverJAsh]

This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

Does it work when the MacBook is in clamshell mode (lid closed)?

[deed02392]

I can confirm just enabling pam_tid.so works for Apple Watch Touch ID, but only if you've enabled this in:

System Settings.app -> Touch ID & Password -> Apple Watch: Use Apple Watch to unlock your applications and Mac

Can't test what happens with the clamshell closed because I don't have an external display and am on battery right now, which means I can't prevent the machine from going to sleep before triggering sudo -v after a delay.

[Logicer16]

This plugin is NOT REQUIRED on macOS Sonoma, enabling the STOCK pam_tid.so will trigger both Touch ID and Apple Watch for sudo authentication..

Does it work when the MacBook is in clamshell mode (lid closed)?

On a related note, does it work on Macs without Touch ID

[OliverJAsh]

Does it work when the MacBook is in clamshell mode (lid closed)?

I've just tested this. It does not.

[fitzage]

After further testing this morning, I realized that my issue is that it doesn’t do the watch when in clamshell mode because it senses there’s no TouchID so it does nothing. It does, however, do the watch when TouchID is available, but I never noticed because I don’t use it that way much and TouchID pops up first.

[deed02392]

These are my observations too. I think this suggestion above (#26 (comment)) will probably work from clamshell, but I've not tested yet.

[Bubba8291]

I can confirm just enabling pam_tid.so works for Apple Watch Touch ID, but only if you've enabled this in:

System Settings.app -> Touch ID & Password -> Apple Watch: Use Apple Watch to unlock your applications and Mac

Can't test what happens with the clamshell closed because I don't have an external display and am on battery right now, which means I can't prevent the machine from going to sleep before triggering sudo -v after a delay.

@deed02392 Is there a way to use my watch and Touch ID for sudo without having my computer be unlocked with my watch? I despise that you cannot require a prompt from the watch or just a way to lock the computer from the watch.

One of my friends would unlock my MacBook when I walk away by picking it up and bringing it close to me then going back to where they were.

[linkarzu]

Hey @Logicer16 I noticed you have a fork of this repo that is maintained, do you happen to know if this works with a mac mini without touchID? I do have a magic keyboard stored that I don't want to use
And just to confirm, on my laptop, I don't need this pam-watchid it works with the new sudo_local file Apple released, and it even works when inside Tmux with pam_reattach
I'm just trying to make it work on my mac mini with my apple watch but without Touch ID, any thoughts or advice?

[linkarzu]

If I connect the magic keyboard to my mac mini, it does enable Touch ID and sudo works with my apple watch, just using the sudo_local file, without the need of using this pam-watchid repo, I just want to leave the keyboard out of the picture and unlock my mac mini without touch ID, but with my apple watch

[deed02392]

Does watch auth work just by virtue of the touch id being registered? You could always simply leave it registered and then put the keyboard away again

[linkarzu]

Does watch auth work just by virtue of the touch id being registered? You could always simply leave it registered and then put the keyboard away again

Yes @deed02392, watch auth works by just having the keyboard with touch id on, as soon as I turn off the magic keyboard, touch ID is turned off automatically in system settings, and watch auth stops working.
So for it to work, I need to have the keyboard on and that's what I'm trying to avoid

[deed02392]

ah, that is similar to other comments from this thread. It sounded like the issue was in the Apple applied Pam_tid library

[Logicer16]

do you happen to know if this works with a mac mini without touchID

Yes, it should still work. Up until earlier this year, I've been using my fork without issue on a MacBook without Touch ID.

The install script in my fork adds both pam_tid and pam_watchid to sudo_local in macOS Sonoma and later. This means it will automatically fall back to pam_watchid when the native pam_tid is unavailable or on the off chance they do ever make pam_tid just Touch ID. This comes at the cost of having to press cancel on two prompts if you want to use your password, but at least you know for sure you will be able to authenticate with at least one module.

example `sudo_local` created by my fork

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       sufficient     pam_tid.so
auth sufficient pam_watchid.so

If you encounter any issues, please do let me know.

---

sounded like the issue was in the Apple applied Pam_tid library

The difference lies in the policy used by each module. pam_watchid uses deviceOwnerAuthenticationWithBiometricsOrCompanion/deviceOwnerAuthenticationWithBiometricsOrWatch:

https://github.com/Logicer16/pam-watchid/blob/8e62fadf13c3078feca6f9580e5e04289de99c50/watchid-pam-extension.swift#L83-L87

Whereas pam_tid uses deviceOwnerAuthenticationWithBiometrics:

https://github.com/apple-oss-distributions/pam_modules/blob/pam_modules-212/modules/pam_tid/pam_tid.c#L134

As per the docs for the latter:

Policy evaluation fails if Touch ID or Face ID is unavailable or not enrolled.

The fact it also prompts for watch authentication is undocumented behaviour and possibly a bug.

[linkarzu]

Thanks for that @Logicer16, I tried using your repo, but I got the following error:

❯ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/logicer16/pam-watchid/HEAD/install.sh)" -- enable
Cloning into 'pam-watchid'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (38/38), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 83 (delta 27), reused 23 (delta 23), pack-reused 45 (from 1)
Receiving objects: 100% (83/83), 1.27 MiB | 1.11 MiB/s, done.
Resolving deltas: 100% (42/42), done.
swiftc watchid-pam-extension.swift -o pam_watchid_x86_64.so -target x86_64-apple-darwin23.6.0 -emit-library
watchid-pam-extension.swift:84:10: error: type 'LAPolicy' has no member 'deviceOwnerAuthenticationWithBiometricsOrCompanion'
        .deviceOwnerAuthenticationWithBiometricsOrCompanion
        ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [all] Error 1

The part deviceOwnerAuthenticationWithBiometricsOrCompanion made me think that you actually need to have touch id for this to work, but according to what you're saying, that's not the case

Keep in mind that I'm using Apple's pam_tid.so file, this is what my sudo_local currently looks like, and pam_reattach.so is working fine on my MacBook with touch ID. Do you know by any change if I'm missing on my mac mini, any idea on why I got the error above?

[24/10/30] kubernetes ()
❯ cat sudo_local
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       optional       /opt/homebrew/lib/pam/pam_reattach.so
auth       sufficient     pam_tid.so

[email protected]/etc/pam.d🔒
[24/10/30] kubernetes ()
❯ cat sudo
# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

[Logicer16]

My fault. Should be fixed now. Wasn't thinking of older macOS versions when I made that change. deviceOwnerAuthenticationWithBiometricsOrCompanion is a new policy only available in the macOS Sequoia and later SDKs. "Companion" includes watches paired to a mac, or (what I assume is) a mac connected to iPhone mirroring.

If you find any other issues, consider opening an issue on my fork to keep this issue on topic.

[linkarzu]

Appreciate it @Logicer16, I forgot to mention that I'm still using Sonoma, I'm out today, so I cannot test this, I will test it probably tomorrow and will let you know.
Thanks for enabling issues in your repo, I tried to start a discussion yesterday but wasn't able to, so I tagged you here.
If it all works, I'll probably create a YouTube video explaining how to set stuff up, if you're ok with that (in case you get a few issues created by other folks)

[linkarzu]

I created a video on how to set all of this up in case someone is interested

• Link to my video with the entire setup process here
• If you don't like videos, link to my blogpost here