6

I did not really like the idea of installing some third-party sudo tool, so instead of using sudo-touchid I decided to use the /etc/pam.d/sudo trick and it works wonders. I use iTerm2 with zsh, and with that setup it works correctly. But when I use tmux (with reattach-to-user-namespace default command) sudo always asks for a password. Does anyone know how to solve this?

5
  • What is the /etc/pam.d/sudo trick?
    – Alex
    Commented Jul 24, 2018 at 16:50
  • Adding auth sufficient pam_tid.so to the top of /etc/pam.d/sudo.
    – RomaValcer
    Commented Jul 24, 2018 at 17:53
  • 1
    @Alex apple.stackexchange.com/a/306324/263848
    Commented Jul 25, 2018 at 16:36
  • @JBis Thank you for the link. Actually I know this "trick"; I just tried to give a clue to the OP to update his question to avoid being downvoted for a low-quality question, and to use more descriptive steps instead of the word "tricks", which is kinda punishable on this site.
    – Alex
    Commented Jul 25, 2018 at 20:59
  • 1
    @Alex Ah. Maybe it'll help someone else.
    Commented Jul 25, 2018 at 21:00

3 Answers

11

I experienced the same issues. Surprisingly, Touch ID does work in Apple's GNU screen distribution and after looking at its implementation, it seems like screen attaches to the user's per-session namespace instead of the per-user namespace.

The following patches port this approach to tmux and reattach-to-user-namespace and fix the issue for me:

  1. https://github.com/ChrisJohnsen/tmux-MacOSX-pasteboard/pull/70
  2. https://github.com/tmux/tmux/pull/1434

EDIT: Since these patches caused some technical issues (as explained in the pull request), I instead solved the problem using a custom PAM module to reattach to the user's per-session namespace before running the pam_tid module: https://github.com/fabianishere/pam_reattach

  • 1
    I can attest that pam_reattach is a great solution and it can even be installed via brew so you can track the changes you've made to your system more easily.
    – dragon788
    Commented Nov 18, 2019 at 16:59
2
    brew install pam-reattach

Then use this sudo wrapper to automatically add the necessary config (needed because macOS resets the config on updates). Beware that if this corrupts your settings you'll be in a rough patch, so perhaps just manually editing the file and verifying it immediately might be better:

    sudo () {
        # Redefine sudo for this shell only; the function removes itself so
        # the config check runs at most once per session.
        unset -f sudo
        if [[ "$(uname)" == 'Darwin' ]]
        then
            # pam_tid.so is prepended first and pam_reattach.so second, so
            # pam_reattach.so ends up on line 1, ahead of pam_tid.so.
            # macOS ships BSD sed: -i needs an explicit (here empty) backup
            # suffix, and a newline in the replacement is written as a
            # backslash followed by a literal newline (\n would insert "n").
            if ! command grep --silent 'pam_tid.so' /etc/pam.d/sudo
            then
                command sudo sed -i '' -e $'1s;^;auth       sufficient     pam_tid.so\\\n;' /etc/pam.d/sudo
            fi
            if ! command grep --silent 'pam_reattach.so' /etc/pam.d/sudo
            then
                command sudo sed -i '' -e $'1s;^;auth       optional       pam_reattach.so\\\n;' /etc/pam.d/sudo
            fi
        fi
        command sudo "$@"
    }
0

The solution is to use the pam_reattach module from https://github.com/fabianishere/pam_reattach/tree/master as described in earlier answers.

    brew install pam-reattach

The one caveat is that in this day of M1+ Macs, brew installs the module in /opt/homebrew/lib/pam/ instead of the default location of /usr/lib/pam. So the entries in /etc/pam.d/sudo need to include the full path to pam_reattach.so:

    auth       optional       /opt/homebrew/lib/pam/pam_reattach.so
    auth       sufficient     pam_tid.so

If you don't have the correct path to pam_reattach.so it is possible to get locked out of sudo. If that does happen, the trick is to open /etc/pam.d via Finder - open /etc/pam.d - click the lock icon and then temporarily allow edit permissions to /etc/pam.d/sudo so that any errors can be fixed.
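The lockout this answer warns about, and the ordering the wrapper in the previous answer relies on, can both be checked before the file is trusted. The following linter is an added example, not code from any of the answers or from the pam_reattach project; it assumes a copy of /etc/pam.d/sudo as input and checks only absolute module paths, since bare names such as pam_tid.so are resolved by PAM's own search path.

```bash
#!/usr/bin/env bash
# Added example, not code from any answer above: lint a copy of /etc/pam.d/sudo
# before trusting the pam_reattach + pam_tid stack, so a wrong module path or
# ordering is caught before it can lock sudo. Checks (chosen for this example):
#   1. an absolute module path (e.g. /opt/homebrew/lib/pam/pam_reattach.so) exists;
#      bare names like pam_tid.so are left to PAM's own module search path
#   2. pam_reattach.so is "optional", so a broken module cannot block authentication
#   3. pam_reattach.so is listed before pam_tid.so, or Touch ID still fails in tmux
# Usage: lint_pam_sudo FILE  -> prints "ok" and returns 0, or the first problem and 1
lint_pam_sudo() {
    local file=$1 n=0 reattach_at=0 tid_at=0 type control module rest
    while read -r type control module rest || [ -n "$type" ]; do
        n=$((n + 1))
        case $type in ''|'#'*) continue ;; esac
        [ "$type" = auth ] || continue            # only the auth stack matters here
        case $module in
            /*) [ -e "$module" ] || { echo "line $n: module not found: $module"; return 1; } ;;
        esac
        case ${module##*/} in
            pam_reattach.so)
                reattach_at=$n
                [ "$control" = optional ] ||
                    { echo "line $n: pam_reattach.so must be optional, not $control"; return 1; } ;;
            pam_tid.so) tid_at=$n ;;
        esac
    done < "$file"
    if [ "$tid_at" -gt 0 ]; then
        [ "$reattach_at" -gt 0 ] ||
            { echo "pam_tid.so without pam_reattach.so: Touch ID will not work under tmux"; return 1; }
        [ "$reattach_at" -lt "$tid_at" ] ||
            { echo "pam_reattach.so (line $reattach_at) must precede pam_tid.so (line $tid_at)"; return 1; }
    fi
    echo ok
}

# Demo on constructed configs in a scratch directory; the empty file stands in
# for a real pam_reattach.so so the path check has something to find.
demo=$(mktemp -d)
: > "$demo/pam_reattach.so"
printf '%s\n' '# sudo: auth account password session' \
    "auth       optional       $demo/pam_reattach.so" \
    'auth       sufficient     pam_tid.so' \
    'auth       required       pam_opendirectory.so' > "$demo/good"
printf '%s\n' 'auth       sufficient     pam_tid.so' \
    "auth       optional       $demo/wrong-dir/pam_reattach.so" > "$demo/bad"
lint_pam_sudo "$demo/good"           # ok
lint_pam_sudo "$demo/bad" || true    # line 2: module not found: ...
rm -rf "$demo"
```

Run it against a copy (for example `sudo cat /etc/pam.d/sudo > /tmp/sudo.pam`) after editing and before closing the root shell you used to edit, so a reported problem can still be fixed without Touch ID or a password prompt getting in the way.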
