Configuring MacOS to Use Apple Watch or Touch ID for MFA With Sudo
This article walks through combining your password with Touch ID or Apple Watch authentication so that multi-factor authentication is required on every sudo event. This makes your setup a bit more resilient to a remote attacker with a shell needing to elevate privileges with
Password + Touch ID or Apple Watch PAM Configuration:
MacOS ships a PAM module, pam_tid.so, that lets your Mac use Touch ID or your Apple Watch for authentication. However, it will not work if your MacBook’s lid is closed (read below for my workaround to that issue).
/etc/pam.d/sudo like so:
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       required       pam_tid.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
This configuration will require both a password and Touch ID/Apple Watch confirmation to run any
The pam_tid Module Does Not Work With a MacBook’s Lid Closed:
I have discovered that pam_tid.so does not work at all unless your laptop lid is open (even if you are using an Apple Watch). To work around this I use a third-party pam_watchid PAM module. At the time of writing we need to use a fork of pam_watchid which supports Apple Silicon and Intel Macs.
git clone https://github.com/msanders/pam-watchid /tmp/pam-watchid
cd /tmp/pam-watchid
make install
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       sufficient     pam_watchid.so
auth       required       pam_tid.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
This will configure PAM to use
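The security-relevant detail in both stacks is the combination of control flag and line order: pam_watchid.so is "sufficient" only after pam_opendirectory.so (the password check) has been marked "required", so a watch confirmation can never stand in for the password. The following simulator is an added example, not code from the original post: it reads an auth stack written in the format above and evaluates it under the required/sufficient semantics, with each module's outcome supplied as a MODULE=ok or MODULE=fail argument (a constructed interface, since no real module is run). The sample stacks are constructed copies of the two configurations on this page plus a misordered one for comparison.

```shell
#!/bin/sh
# Added example, not code from the original post: a small simulator of how
# PAM walks the "auth" lines of a file such as /etc/pam.d/sudo, so the
# effect of "required" versus "sufficient", and of line order, can be
# checked without touching the real file. Only the two control flags used
# on this page are modelled, and module outcomes are supplied by the caller
# instead of running real modules. The sample stacks below are constructed
# copies of the configurations shown on this page.

# pam_auth_result FILE MODULE=ok|fail ...
# Evaluates the auth stack in FILE. A module not listed counts as "fail"
# (for example, no smartcard inserted). Prints "success" or "failure".
#   required   : a failure is remembered, but the remaining lines still run
#   sufficient : a success ends the stack with "success" unless a required
#                line already failed; a failure is simply ignored
pam_auth_result() {
    pamfile="$1"; shift
    awk -v results="$*" '
        BEGIN {
            n = split(results, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); res[p[1]] = p[2] }
        }
        $1 == "auth" {
            ok = (res[$3] == "ok")
            if ($2 == "required" && !ok) failed = 1
            if ($2 == "sufficient" && ok && !failed) { decided = 1; print "success"; exit }
        }
        END { if (!decided) print (failed ? "failure" : "success") }
    ' "$pamfile"
}

# The page's first stack: password, then Touch ID, both required.
write_tid_stack() {
    printf '%s\n' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'auth       required       pam_tid.so' > "$1"
}

# The page's second stack: pam_watchid is sufficient once the password
# check has passed, so pam_tid is only consulted if the watch does not answer.
write_watchid_stack() {
    printf '%s\n' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'auth       sufficient     pam_watchid.so' \
        'auth       required       pam_tid.so' > "$1"
}

# A misordered stack for comparison: a sufficient line placed before the
# password check means a watch confirmation alone satisfies sudo.
write_misordered_stack() {
    printf '%s\n' \
        'auth       sufficient     pam_watchid.so' \
        'auth       required       pam_opendirectory.so' \
        'auth       required       pam_tid.so' > "$1"
}

# Walks the scenarios that matter for this page and prints each outcome.
demo() {
    f=$(mktemp)
    write_tid_stack "$f"
    echo "tid stack, password ok, lid closed (tid fails):        $(pam_auth_result "$f" pam_opendirectory.so=ok pam_tid.so=fail)"
    write_watchid_stack "$f"
    echo "watchid stack, password ok, watch ok, lid closed:      $(pam_auth_result "$f" pam_opendirectory.so=ok pam_watchid.so=ok pam_tid.so=fail)"
    echo "watchid stack, wrong password, watch ok, touch ok:     $(pam_auth_result "$f" pam_opendirectory.so=fail pam_watchid.so=ok pam_tid.so=ok)"
    write_misordered_stack "$f"
    echo "misordered stack, wrong password, watch ok:            $(pam_auth_result "$f" pam_opendirectory.so=fail pam_watchid.so=ok)"
    rm -f "$f"
}

demo
```

Running the file prints the four scenarios: the first stack fails with the lid closed even when the password is right, the second stack succeeds in that case and still fails on a wrong password regardless of the watch, and the misordered stack shows why the sufficient line must come after the password check.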
MacOS Updates Will Reset Your PAM Changes:
MacOS updates overwrite custom changes to the PAM config. This is a trivial issue to work around: write a script that installs the Apple Watch PAM module and re-applies the PAM config for you. MacOS updates are infrequent enough that I haven’t had a strong desire or need to do this yet.
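One way to write that re-apply step, as an added example rather than anything from the original post (the file path argument, the function names and the backup naming are my own choices; it assumes pam_watchid.so has already been installed with make install as shown above and only edits the PAM configuration):

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent script that
# re-applies the Apple Watch / Touch ID lines to a sudo PAM file, for use
# after a MacOS update has reverted /etc/pam.d/sudo. The PAM file path is
# taken as an argument so the logic can be tried on a copy first.
# Assumption: pam_watchid.so is already installed (make install from the
# pam-watchid fork); this script only edits the PAM configuration.

# insert_line FILE before|after PATTERN LINE
# Inserts LINE once, before or after the first line matching PATTERN (an awk
# regex). The file is rewritten in place with cat so its owner and mode are
# preserved, which matters for a root-owned file under /etc.
insert_line() {
    pamfile="$1" mode="$2" pattern="$3" line="$4"
    awk -v mode="$mode" -v pat="$pattern" -v line="$line" '
        mode == "before" && !done && $0 ~ pat { print line; done = 1 }
        { print }
        mode == "after"  && !done && $0 ~ pat { print line; done = 1 }
    ' "$pamfile" > "$pamfile.tmp" &&
        cat "$pamfile.tmp" > "$pamfile" && rm -f "$pamfile.tmp"
}

# apply_pam_mfa FILE
# Leaves the auth stack as: pam_opendirectory (password) -> pam_watchid
# (sufficient) -> pam_tid (required), whatever subset of those lines the
# file already has, and fails loudly if the expected anchor line is missing.
apply_pam_mfa() {
    pamfile="$1"
    cp -p "$pamfile" "$pamfile.bak"
    if ! grep -q 'pam_tid[.]so' "$pamfile"; then
        insert_line "$pamfile" after \
            '^auth[[:space:]]+required[[:space:]]+pam_opendirectory[.]so' \
            'auth       required       pam_tid.so'
    fi
    if ! grep -q 'pam_watchid[.]so' "$pamfile"; then
        insert_line "$pamfile" before \
            '^auth[[:space:]]+required[[:space:]]+pam_tid[.]so' \
            'auth       sufficient     pam_watchid.so'
    fi
    if ! grep -q 'pam_watchid[.]so' "$pamfile" || ! grep -q 'pam_tid[.]so' "$pamfile"; then
        echo "could not apply MFA lines to $pamfile; restored from $pamfile.bak" >&2
        cat "$pamfile.bak" > "$pamfile"
        return 1
    fi
}

# auth_stack FILE: prints the module names of the auth lines, in order, so
# the resulting order can be checked at a glance.
auth_stack() {
    awk '$1 == "auth" { printf "%s%s", sep, $3; sep = " " } END { print "" }' "$1"
}
```

Try it on a copy first (cp /etc/pam.d/sudo /tmp/sudo.pam, source the file, then apply_pam_mfa /tmp/sudo.pam and auth_stack /tmp/sudo.pam), and run it as root against /etc/pam.d/sudo after an update. It inserts only the lines that are missing, keeps pam_watchid.so ahead of pam_tid.so so the lid-closed workaround keeps working, and restores the backup if it cannot find the pam_opendirectory.so line to anchor on.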
I found this Stack Exchange post really useful on understanding how PAM’s logic is implemented between