Catalina tip: approve sudo commands in the terminal with an Apple Watch

With macOS Catalina, the Apple Watch can replace your session password in even more places than before. The watch can still be used to unlock the Mac, but it can also unlock System Preferences, and even be used in apps such as password managers. Wherever Touch ID can be used on a Mac equipped with the fingerprint sensor, the Apple Watch can take over.

Everywhere, including in the terminal, where modifying a system file already let us use Touch ID instead of the session password for commands that require sudo? Yes, but the procedure is no longer as easy as before: in addition to modifying the system file, you need to compile an additional tool. This should not scare you if you use the macOS terminal on a daily basis, however, and it works extremely well.

Running a sudo command in the terminal sends a request to the Apple Watch as an alternative to the password. At bottom right, here is what the watch displays; simply press the side button twice to confirm.

Here is the procedure to follow to authorize sudo commands with the Apple Watch in the terminal of macOS Catalina:

  • Clone the PAM WatchID project: git clone https://github.com/biscuitehh/pam-watchid.git

  • Open the folder and compile the app: cd pam-watchid && sudo make install

  • Edit the system file /etc/pam.d/sudo with admin rights: sudo nano /etc/pam.d/sudo

  • Add this extra line at the top of the file, without deleting the rest of the content: auth sufficient pam_watchid.so "reason=execute a command as root"

  • Save the changes with Ctrl+X and then the Y key, and open a new terminal session to confirm that it works.
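To confirm the edit matches the steps above, this added example (not part of the original article or of the pam-watchid project) checks that the pam_watchid.so line is the first auth entry, uses the sufficient control, and still has a password module behind it. The function name check_sudo_pam and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the auth stack of a PAM service file after the edit.
# check_sudo_pam FILE returns 0 = ok, 1 = pam_watchid.so absent,
# 2 = present but not set up as the procedure describes.
check_sudo_pam() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }            # skip comments and blank lines
        $1 == "auth" {
            n++                                   # position within the auth stack
            # accept the bare module name or a full path to it
            if ($3 ~ /(^|\/)pam_watchid\.so/) { pos = n; ctl = $2 }
        }
        END {
            if (!pos) { print "pam_watchid.so not in auth stack"; exit 1 }
            # required/requisite would make the watch mandatory, not an alternative
            if (ctl != "sufficient") { print "control is " ctl ", expected sufficient"; exit 2 }
            if (pos != 1) { print "pam_watchid.so is auth entry " pos ", expected 1"; exit 2 }
            if (n < 2) { print "no other auth module left for password fallback"; exit 2 }
            print "ok: watch approval first, password fallback kept"
        }
    ' "$1"
}

# Constructed sample of /etc/pam.d/sudo after adding the line (not read from a real Mac).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_watchid.so "reason=execute a command as root"
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
check_sudo_pam "$sample" || echo "auth stack needs attention"
rm -f "$sample"
```

On the Mac itself, call check_sudo_pam /etc/pam.d/sudo after saving the file.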

Recall that this function is not as secure as Touch ID, although Apple has provided several safeguards to prevent abuse. The watch will only validate an operation if it is in close proximity to the Mac and if it is unlocked, that is to say, worn on the wrist continuously since the last entry of the passcode or since the last unlocking of the paired iPhone, depending on your settings. If you are away from your computer, or if you remove the watch from your wrist, the function will be automatically disabled.
