Mac-sudo-touchid: When coding agents sudo, use touch ID instead of password

gyush1 pts0 comments

GitHub - Divide-By-0/macos-sudo-touchid: Use touch id instead of your password for sudo on macos · GitHub


macos-sudo-touchid

Small macOS utility for enabling Touch ID with sudo, including the session and screen-observation fixes that commonly make sudo fall back to password-only prompts.

One-Line Install And Enable

This installs sudo-touchid-fix and tsudo, enables Touch ID for sudo, installs pam-reattach with Homebrew if needed, and applies the current-user ignoreArd workaround:

curl -fsSL https://raw.githubusercontent.com/Divide-By-0/macos-sudo-touchid/main/install.sh | bash -s -- --enable --install-reattach

Then test a fresh sudo authentication:

sudo-touchid-fix test

Why The ignoreArd Workaround Is Included

macOS can suppress Touch ID, Apple Watch, and smartcard authentication when it thinks the screen is being watched, recorded, mirrored, or remotely accessible. When that happens, pam_tid.so is configured correctly but the sudo prompt still falls back to password only.

This utility runs the current-user workaround by default:

defaults write com.apple.security.authorization ignoreArd -bool TRUE

That setting is required on some machines for Touch ID sudo to work while screen sharing, screen recording, Chrome Remote Desktop, DisplayLink-like display paths, or similar observation paths are active. It is a security tradeoff because it allows biometric authorization even when macOS thinks the screen is observed.

To opt out:

sudo-touchid-fix enable --no-ignore-ard

To remove the setting later:

sudo-touchid-fix disable-ignore-ard

Commands

sudo-touchid-fix status
sudo-touchid-fix enable --install-reattach
sudo-touchid-fix test
sudo-touchid-fix disable-ignore-ard

enable updates /etc/pam.d/sudo_local, keeping a timestamped backup next to it. On Apple Silicon, pam-reattach is added before pam_tid.so when available:

auth optional /opt/homebrew/lib/pam/pam_reattach.so ignore_ssh
auth sufficient pam_tid.so
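An added example, not part of the repository: a read-only audit of the two settings described above, the ignoreArd override and the /etc/pam.d/sudo_local entries. The function names and finding labels are assumptions made for illustration; it also flags a module given by absolute path that is missing or that the current user could replace, since sudo loads that module with root privileges.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): read-only audit of Touch ID sudo state.
# Run as your normal user, not root, so the writability check is meaningful.

# audit_pam FILE: print one finding per line for a sudo_local-style PAM file.
audit_pam() {
  local file="$1" n=0 tid=0 reattach=0 type control module rest
  [ -r "$file" ] || { echo "unreadable: $file"; return 1; }
  while read -r type control module rest || [ -n "$type" ]; do
    case $type in ''|'#'*) continue ;; esac   # skip blank and commented lines
    [ "$type" = auth ] || continue
    n=$((n + 1))
    case $module in
      pam_reattach.so|*/pam_reattach.so) reattach=$n
        echo "pam_reattach: auth line $n, control=$control" ;;
      pam_tid.so|*/pam_tid.so) tid=$n
        echo "pam_tid: auth line $n, control=$control" ;;
    esac
    # sudo loads a module named by absolute path with root privileges, so the
    # file should exist and neither it nor its directory should be user-writable.
    case $module in /*)
      if [ ! -e "$module" ]; then echo "module-missing: $module"
      elif [ -w "$module" ] || [ -w "${module%/*}" ]; then
        echo "module-user-writable: $module"
      fi ;;
    esac
  done < "$file"
  [ "$tid" -gt 0 ] || echo "touchid: pam_tid.so not enabled"
  if [ "$reattach" -gt "$tid" ] && [ "$tid" -gt 0 ]; then
    echo "order: pam_reattach is listed after pam_tid, expected before"
  fi
  return 0
}

# ignore_ard_state: report the per-user ignoreArd override (needs macOS defaults).
ignore_ard_state() {
  local v
  command -v defaults >/dev/null 2>&1 || { echo "ignoreArd: defaults not found"; return 0; }
  if v=$(defaults read com.apple.security.authorization ignoreArd 2>/dev/null); then
    echo "ignoreArd: set to $v for $(id -un)"
  else
    echo "ignoreArd: not set for $(id -un)"
  fi
}

# Audit the live file when present (macOS); otherwise only define the functions.
if [ -r /etc/pam.d/sudo_local ]; then
  audit_pam /etc/pam.d/sudo_local
  ignore_ard_state
fi
```

A `module-user-writable` finding for pam_reattach.so means the library behind that sudo_local line can be changed without root, which is worth weighing alongside the ignoreArd tradeoff.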

Showing The Command Before Touch ID

macOS controls the Touch ID authorization sheet, so this utility cannot put the exact sudo command inside the biometric popup itself.

Use tsudo when you want the command displayed immediately before authentication and in the password fallback prompt:

tsudo launchctl kickstart -k system/com.example.service

It prints:

sudo approving: launchctl kickstart -k system/com.example.service

Then it runs the command through sudo.

Manual Install

git clone https://github.com/Divide-By-0/macos-sudo-touchid.git
cd macos-sudo-touchid
make install
sudo-touchid-fix enable --install-reattach

Requirements

macOS Sonoma or newer is recommended.

Touch ID must be enabled for the current user.

Homebrew is only needed for --install-reattach.


License

MIT license
