A PAM module, written in Swift, that authenticates with Apple Watch or Touch ID using:

- `kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch` from macOS 10.15 to macOS 14; or
- `kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrCompanion` on macOS 15 or later
Requirements

- The most up-to-date version of either Xcode or the Xcode command line tools (CLT) for your version of macOS. This includes all of the tools needed to build the module, including `swiftc`, `make`, and `git`. If you have neither installed yet, you should be prompted automatically to install the CLT when you first follow the install instructions. You can also install the CLT manually with the following command:
```sh
xcode-select --install
```

Automatic install

```sh
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/mostpinkest/pam-watchid/HEAD/install.sh)" -- enable
```

The script installs the module and edits the sudo PAM configuration under `/etc/pam.d` (which requires root), so read it before running it: fetch the same URL to a file with `curl -fsSLo install.sh <url>`, inspect it, then run `bash install.sh enable`.

Note

If you are using macOS Sonoma or later and have already modified `sudo_local`, ensure the file still contains the original `auth sufficient pam_tid.so` line, with or without the `#` comment marker at the start. The enable script uses this line to anchor where the `pam_watchid.so` line will be inserted; if it isn't present, no changes will be made.
Nix

The module is available from nixpkgs as `pam-watchid` and can be enabled with nix-darwin's `security.pam.services.sudo_local.watchIdAuth` option.
Manual install

- Run inside a cloned copy of the repo:

  ```sh
  make install
  ```

- Modify the sudo PAM config to include the `pam_watchid.so` module. Add the following line, following the steps for your version of macOS:

  ```
  auth       sufficient     pam_watchid.so
  ```

  - On macOS 14 and later: create or edit `/etc/pam.d/sudo_local` (macOS ships a starting point as `/etc/pam.d/sudo_local.template`) and put the line in the list of modules, in order of execution. If you are unsure of the order, place it on the first line. `/etc/pam.d/sudo` itself is replaced by system updates, while `sudo_local` survives them, which is why the line belongs there.
  - On macOS 13 and earlier: edit `/etc/pam.d/sudo` and add the line as the first line.

  `sufficient` means that a successful Watch or Touch ID authentication ends the `auth` stack immediately, so the line must come before the password module (`pam_opendirectory.so`) to be offered instead of the password prompt; placed after it, it would never be reached.
Important

You may already have other `auth` statements in the file; leave them in place. Before editing, keep a second terminal with a root shell open (`sudo -s`) so that a mistake in the file cannot lock you out of `sudo` while you fix it.
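The manual steps above, automated as an added example. This is not the project's `install.sh`, and the function names (`pam_config_for_version`, `enable_watchid`, `watchid_position`) are this example's own. It goes slightly beyond the text: it picks the file for the running macOS version, inserts the line immediately before the (possibly commented-out) `pam_tid.so` line in `sudo_local`, falls back to the first `auth` line for the pre-Sonoma `/etc/pam.d/sudo` layout, and is idempotent, refusing to touch a file that already has the module or has no anchor line.

```sh
#!/bin/sh
# Added example, not the project's install.sh: enable pam_watchid.so in the
# sudo PAM stack the way the manual steps describe. Function names are mine.
# macOS 14+: insert just before the (possibly "#"-commented) pam_tid.so line in
# /etc/pam.d/sudo_local. macOS 13 and earlier: insert before the first "auth"
# line of /etc/pam.d/sudo, i.e. first in execution order.

WATCHID_LINE='auth       sufficient     pam_watchid.so'
TID_RE='^[[:space:]]*#?[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid[.]so'
WATCHID_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_watchid[.]so'
AUTH_RE='^[[:space:]]*auth[[:space:]]'

# pam_config_for_version VERSION: print the file to edit for a macOS version
# string such as "14.5" or "13.6.7" (only the major number matters).
pam_config_for_version() {
    major=${1%%.*}
    if [ "$major" -ge 14 ]; then
        printf '%s\n' /etc/pam.d/sudo_local
    else
        printf '%s\n' /etc/pam.d/sudo
    fi
}

# has_watchid FILE: succeed if an active (uncommented) pam_watchid.so auth line exists.
has_watchid() {
    grep -Eq "$WATCHID_RE" "$1"
}

# enable_watchid FILE: insert WATCHID_LINE before the anchor line.
# Exit status: 0 inserted, 1 already enabled, 2 no anchor found (file untouched).
enable_watchid() {
    file=$1
    if has_watchid "$file"; then
        return 1
    fi
    if grep -Eq "$TID_RE" "$file"; then
        anchor=$TID_RE          # sudo_local: sit in front of the Touch ID line
    elif grep -Eq "$AUTH_RE" "$file"; then
        anchor=$AUTH_RE         # legacy sudo: first in the auth stack
    else
        return 2
    fi
    tmp=$(mktemp) || return 3
    # Insert before the first anchor match only. Writing back with cat keeps the
    # original file's root:wheel ownership and mode instead of mktemp's.
    awk -v line="$WATCHID_LINE" -v pat="$anchor" \
        '!done && $0 ~ pat { print line; done = 1 } { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# watchid_position FILE: print the 1-based line number of the active
# pam_watchid.so line (nothing if absent). Use it to confirm the line sits
# above pam_opendirectory.so, otherwise "sufficient" never gets a chance.
watchid_position() {
    grep -En "$WATCHID_RE" "$1" | head -n 1 | cut -d: -f1
}

# Usage on a real machine, after `make install` (root is needed under /etc/pam.d):
#   sudo sh enable-watchid.sh apply
if [ "${1-}" = "apply" ]; then
    target=$(pam_config_for_version "$(sw_vers -productVersion)")
    # macOS 14+ only: seed sudo_local from the template Apple ships if absent.
    [ -e "$target" ] || cp /etc/pam.d/sudo_local.template "$target"
    enable_watchid "$target"
    case $? in
        0) echo "inserted pam_watchid.so into $target at line $(watchid_position "$target")" ;;
        1) echo "pam_watchid.so already enabled in $target" ;;
        *) echo "no anchor line found in $target; nothing changed" >&2; exit 1 ;;
    esac
fi
```

The refusal paths matter more than the happy path: a PAM file with two `pam_watchid.so` lines is harmless, but one with the line appended after `pam_opendirectory.so`, or a `sudo_local` rewritten with a temp file's `0600` mode, is the kind of mistake you only notice at the next `sudo`. Keep a root shell open in another terminal while you test the result.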
