Quick Tip: Enable Touch ID for Sudo (2020)

414 points, posted by polycaster almost 3 years ago

34 comments

pil0u, almost 3 years ago
Around 2014, I read a security researcher's article stating that biometrics should be used as an identifier at best, but never as a password. "You can change a password, but you cannot change your fingerprint."

From that day on, I've never used a biometric system as authentication.

With the increasing use of biometrics on phones, should I think differently in 2022?
delogos, almost 3 years ago
Speaking from personal experience, don't do this on a machine you'll ever access remotely, because then you're stuck waiting for the biometric check to time out before you can authenticate via another method.
yuriyguts, almost 3 years ago
I love using sudo with Touch ID and have been using this trick for years. The only inconvenience is that the PAM configuration always gets reverted by OS updates.

I wrote a small tool to mitigate this by configuring PAM on system startup: https://github.com/YuriyGuts/persistent-touch-id-sudo
irusensei, almost 3 years ago
Order matters. Let's say you already have a registered YubiKey or similar smart card. The /etc/pam.d/sudo file might look like this:

    # sudo: auth account password session
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

So if for some reason you want to have both Touch ID and the smart card authentication as options, you might want to do this:

    # sudo: auth account password session
    auth       sufficient     pam_smartcard.so
    auth       sufficient     pam_tid.so
    ...

It will ask for the smart card first, but if a smart card is unavailable or authentication fails, the touch mechanism will be requested. If you invert those parameters, the order also gets changed.
Reason077, almost 3 years ago
This is pretty neat.

But one annoyance is that on macOS Monterey, the authentication pop-up dialog doesn't have focus when it appears. You first need to click on it before you can use Touch ID. That slows the whole process down to the point where it's probably just quicker and easier to use your password.

Is there any way to make the pop-up automatically get focus, or is that itself a security risk somehow?

(Side note: the same module enables authentication by Apple Watch too! But again, having to take your hands off the keyboard to tap the Apple Watch to approve the request slows down the process so much that it's hardly worth it.)
pxeger1, almost 3 years ago
For people complaining that this gets reset by macOS updates, I think this should work (I haven't tested this on macOS, but it works for me on Arch Linux):

1. Copy /etc/pam.d/sudo to /etc/pam.d/customsudo and add "auth sufficient pam_tid.so" to that file instead.

2. Create the directory /etc/sudoers.d/ if it does not exist.

3. Create the file /etc/sudoers.d/customtouchid with the following content:

    Defaults pam_service=customsudo

You may need to set the right permissions on /etc/sudoers.d/customtouchid before sudo will accept it.
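The following script is an added example, not code from the thread or from any of the tools linked in it. It combines the two points made above: irusensei's observation that the position of pam_tid.so in the stack decides whether Touch ID or the password is asked for first, and pxeger1's procedure of keeping the module in a separate PAM service (customsudo) selected through a sudoers.d drop-in (customtouchid) so that an OS update rewriting /etc/pam.d/sudo does not undo it. The module is inserted directly above the first existing "auth" line, any copy appended earlier is removed first, and the drop-in gets mode 0440 and a name without a dot, which sudo would otherwise ignore. The ROOT prefix is a hypothetical parameter so the whole procedure can be rehearsed on a scratch directory; the sample /etc/pam.d/sudo content is constructed from the stack shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or any linked project): make Touch ID for
# sudo survive macOS updates by putting pam_tid.so in a separate PAM service
# file and pointing sudo at it from /etc/sudoers.d, with the module inserted
# ABOVE the first existing "auth" line. ROOT is a hypothetical prefix so the
# whole thing can be rehearsed on a scratch directory before running it on /.
set -eu

# Write the PAM stack a Mac with a registered smart card typically has in
# /etc/pam.d/sudo (constructed sample, used for the rehearsal and the demo).
write_sample_pam_sudo() {
    mkdir -p "$1/etc/pam.d"
    cat > "$1/etc/pam.d/sudo" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Copy SRC to DST with "auth <control> pam_tid.so" placed directly above the
# first "auth" line. Any pam_tid.so line already present (for example one
# appended to the bottom earlier) is dropped first, so the result always has
# exactly one copy in the right place. CONTROL defaults to "sufficient"
# (Touch ID alone is enough); "required" makes it a second factor next to the
# password check done by pam_opendirectory.so.
insert_pam_tid() {
    src="$1"; dst="$2"; control="${3:-sufficient}"
    awk -v ctl="$control" '
        /pam_tid\.so/ { next }
        !done && $1 == "auth" { printf "auth       %-14s pam_tid.so\n", ctl; done = 1 }
        { print }
    ' "$src" > "$dst.tmp"
    # Refuse to install a file where no insert point was found.
    grep -q 'pam_tid\.so' "$dst.tmp" || { rm -f "$dst.tmp"; echo "no auth line in $src" >&2; return 1; }
    mv "$dst.tmp" "$dst"
}

# Module name on the first "auth" line: a quick ordering check.
first_auth_module() {
    awk '$1 == "auth" { print $3; exit }' "$1"
}

# File mode in octal; GNU stat on Linux, BSD stat on macOS.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Do the whole install under ROOT: derive customsudo from the current sudo
# service file, then add the sudoers drop-in that selects it. The drop-in
# name has no dot and no trailing "~" (sudo skips such files) and gets
# mode 0440, the mode sudo expects for sudoers fragments.
install_touchid_sudo() {
    root="${1:-}"; control="${2:-sufficient}"
    pamdir="$root/etc/pam.d"; sudoersdir="$root/etc/sudoers.d"
    mkdir -p "$sudoersdir"
    insert_pam_tid "$pamdir/sudo" "$pamdir/customsudo" "$control"
    printf 'Defaults pam_service=customsudo\n' > "$sudoersdir/customtouchid"
    chmod 0440 "$sudoersdir/customtouchid"
}

if [ "$#" -eq 0 ]; then
    # No ROOT given: rehearse on a throwaway tree and show the resulting stack.
    demo_root=$(mktemp -d)
    write_sample_pam_sudo "$demo_root"
    install_touchid_sudo "$demo_root"
    cat "$demo_root/etc/pam.d/customsudo"
    rm -rf "$demo_root"
else
    install_touchid_sudo "$1" "${2:-sufficient}"
fi
```

Run it with no arguments to see the stack it would produce; run it as `sudo sh touchid-sudo.sh /` to install for real, then `sudo visudo -cf /etc/sudoers.d/customtouchid` to confirm the drop-in parses, and open a new shell before testing `sudo -k; sudo true`. Passing `required` as the second argument asks for Touch ID and the password. Appending the line with `tee -a` instead puts it below `auth required pam_opendirectory.so`, so the password prompt still comes first; that is why the insert goes above it. On macOS 14 Sonoma and later, Apple ships /etc/pam.d/sudo_local, which /etc/pam.d/sudo includes and updates leave alone, so the persistence half of this can be dropped there and only the ordering point remains.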
hsbauauvhabzb, almost 3 years ago
I lock my computer when not near it. If my computer is breached, having user-level access to the one account permitted sudo is pretty much the crown jewels. If you really wanted to privesc you could sniff X11 keystrokes or backdoor bashrc, but either way even user-level access screws me, so whatever, do what you want after that.

As a result, I just enable passwordless sudo.
paulcole, almost 3 years ago
ITT: "Ackshully, if your threat model includes James Bond level tradecraft this is a bad idea."

Spoiler alert: essentially nobody's threat model includes that.
georgelyon, almost 3 years ago
Does anyone know why Apple doesn't make this standard? I've been using this on and off for many years and only stop because I get frustrated after an OS update reverts it. Are there licensing/security/compatibility reasons this may be the case? Seems like an easy fix.
fastball, almost 3 years ago
If you want to do the same but auth with your Apple Watch, you can follow this[1] guide.

[1] https://akrabat.com/add-apple-watch-authentication-to-sudo/
DavideNL, almost 3 years ago
For some reason, this only seems to accept my Apple Watch as authentication, but not the fingerprint sensor... any idea why? (The fingerprint works to authenticate in System Preferences, etc.)

    $ cat sudo
    # sudo: auth account password session
    auth       sufficient     pam_tid.so
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so
willis936, almost 3 years ago
This is a similar project for WSL. I love it.

https://github.com/nullpo-head/WSL-Hello-sudo
zakk, almost 3 years ago
It's very cool, but every update of macOS resets it! After a while I didn't bother to reactivate it...

Is there a permanent solution that does not involve cron scripts or other hacks?
duplabe, almost 3 years ago
I think this is a much better guide, with iTerm support: https://austencam.com/posts/using-touchid-with-sudo-in-terminal-or-iterm
corderop, almost 3 years ago
Am I the only one who thinks I type my password faster than putting my finger on the Touch ID sensor?
haunter, almost 3 years ago
This is what I'm trying to do, but under Windows and Debian, and preferably with a mechanical keyboard. Well, the mechanical keyboard w/ fingerprint reader is the bigger ask, because there aren't many choices. There is a decently good one with Cherry MX switches from Taiwan, but it's pretty much impossible to order one to Europe (they sell their other keyboards but not the one with the fingerprint reader): https://www.i-rocks.com/web/product/product_in.jsp?pd_no=PD1550820469030&lang=en
urbandw311er, almost 3 years ago
Am I the only one who actually finds it faster to type a password than to remove my hand from the keyboard and perform Touch ID auth?
dt2m, almost 3 years ago
For whatever reason, this resulted in me being prompted to first type my password, then also authenticate with Touch ID.
mshockwave, almost 3 years ago
I tried this a couple of years ago, but it would be reset after every system upgrade. Is that still the case now?
eatmyshorts, almost 3 years ago
Is there any way to do this as a second factor, so that both my password and my fingerprint are needed for sudo?
4ad, almost 3 years ago
Unfortunately, this resets after every macOS update, which is very frustrating, and also absolutely ridiculous.
woodruffw, almost 3 years ago
If you're like me and you got the order wrong, this will completely break your PAM configuration. To fix it, I had to temporarily enable the actual root user[1].

[1]: https://superuser.com/a/1357253
jdthedisciple, almost 3 years ago
Surely very convenient, but I don't know, I still feel a li'l icky using my fingerprint for authorization. What if one day the fingerprint sensor acts up a little, as can always happen with such sensitive hardware? Then you're just completely screwed?
ggm, almost 3 years ago
Not lead-pipe safe; I don't think Touch ID cares if your hand is attached to your body.

Might still do it.
wrexx0r, almost 3 years ago
So I've run into issues with this in the past, which seem to relate to using DisplayLink. It seems to be in how macOS treats the DisplayLink driver, and it can't be fixed unless Apple makes some changes at the OS level.
CalRobert, almost 3 years ago
Fingerprints are usernames, not passwords.

Related discussion (from 2013!): https://news.ycombinator.com/item?id=6477505
vhiremath4, almost 3 years ago
Call me old-fashioned, but I love the feel of entering my sudo password. It's the rumbling of my V8 engine. I mean M1 Mac.
saxonww, almost 3 years ago
I've tried this multiple times over the years and it doesn't seem to work, at least not with tmux.
obert, almost 3 years ago
1Password forces users to enter the master password at least every 2 weeks, which is super annoying and insecure. E.g. my master password is super hard to enter, even more so on smartphones, so I'm considering moving to a less secure one to avoid the PITA. All this technical innovation with Touch ID is great, but then companies keep reverting to old, annoying approaches when facing innovation...
likecarter, almost 3 years ago
Shortcut:

    echo 'auth sufficient pam_tid.so' | sudo tee -a /etc/pam.d/sudo
nimbius, almost 3 years ago
Reminder: biometrics are not protected by the Fifth Amendment. Use strong passphrases.

https://www.eff.org/dice
cbxyp, almost 3 years ago
I don't know if the PAM module used to be around, but I remember building a modified sudo binary to accomplish this on my MBP a few years ago.
ddlsmurf, almost 3 years ago
Doesn't this block SSH (headless) access?
dingleberry420, almost 3 years ago
Title should mention "Mac tip".