Sudo with auth sufficient pam_tid.so does not work with tmux
I did not really like the idea of installing some third-party sudo tool, so instead of using sudo-touchid I decided to use the /etc/pam.d/sudo trick and it works wonders. I use iTerm2 with zsh, and with that setup it works correctly. But when I use tmux (with reattach-to-user-namespace default command) sudo always asks for a password. Does anyone know how to solve this?
I experienced the same issues. Surprisingly, Touch ID does work in Apple's GNU screen distribution and after looking at its implementation, it seems like screen attaches to the user's per-session namespace instead of the per-user namespace.
The following patches port this approach to tmux and reattach-to-user-namespace and fix the issue for me:
- https://github.com/ChrisJohnsen/tmux-MacOSX-pasteboard/pull/70
- https://github.com/tmux/tmux/pull/1434
EDIT: Since these patches caused some technical issues (as explained in the pull request), I instead solved the problem using a custom PAM module to reattach to the user's per-session namespace before running the pam_tid module: https://github.com/fabianishere/pam_reattach
brew install fabianishere/personal/pam_reattach
Then use this sudo wrapper to automatically add the necessary config (needed because macOS resets the config on updates). Beware that if this corrupts your settings you'll be in a rough patch, so perhaps just manually editing the file and verifying it immediately might be better:
sudo () {
    # Drop the wrapper so the check runs once per shell; later calls hit the real sudo.
    unset -f sudo
    if [[ "$(uname)" == 'Darwin' ]]
    then
        # BSD sed needs an explicit (here empty) backup suffix after -i;
        # "sed -i -e" takes "-e" as the suffix and leaves a stray /etc/pam.d/sudo-e.
        # A backslash-newline in the replacement is the portable way to insert a line.
        if ! command grep -q 'pam_tid.so' /etc/pam.d/sudo
        then
            command sudo sed -i '' -e $'1s;^;auth sufficient pam_tid.so\\\n;' /etc/pam.d/sudo
        fi
        # Prepended last so it ends up above pam_tid.so, which must run inside
        # the per-session namespace that pam_reattach.so switches to.
        if ! command grep -q 'pam_reattach.so' /etc/pam.d/sudo
        then
            command sudo sed -i '' -e $'1s;^;auth optional pam_reattach.so\\\n;' /etc/pam.d/sudo
        fi
    fi
    command sudo "$@"
}
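The following is an added example, not the answerer's code: a POSIX sh version of the same edit that takes the warning above seriously by editing a copy of the file first and refusing to install it unless pam_reattach.so ends up on an auth line above pam_tid.so. The sample PAM file contents are constructed, and install_touchid_pam is a hypothetical helper that needs sudo on macOS and is not exercised offline.

```shell
# Constructed stand-in for a stock macOS /etc/pam.d/sudo (for offline testing only).
SAMPLE_PAM_SUDO='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so'

# Print the PAM config in file $1 with the Touch ID lines added, idempotently,
# in the order PAM needs: pam_reattach.so must run before pam_tid.so.
add_touchid_lines() {
    awk '
        $1 == "auth" && /pam_reattach\.so/ { have_reattach = 1 }
        $1 == "auth" && /pam_tid\.so/      { have_tid = 1 }
        { lines[NR] = $0 }
        END {
            tid = "auth       sufficient     pam_tid.so"
            if (!have_reattach) {
                print "auth       optional       pam_reattach.so"
                if (!have_tid) print tid
            }
            for (i = 1; i <= NR; i++) {
                print lines[i]
                # reattach already present but tid missing: put tid right below it
                if (have_reattach && !have_tid && lines[i] ~ /pam_reattach\.so/) {
                    print tid; have_tid = 1
                }
            }
        }' "$1"
}

# Succeed only if file $1 has an auth line for pam_reattach.so above the first
# auth line for pam_tid.so; this is the check to run before installing the file.
check_touchid_order() {
    awk '
        $1 == "auth" && /pam_reattach\.so/ && !r { r = NR }
        $1 == "auth" && /pam_tid\.so/      && !t { t = NR }
        END { exit !(r && t && r < t) }' "$1"
}

# Hypothetical helper: edit a copy, verify it, and only then replace the live file.
install_touchid_pam() {
    tmp=$(mktemp) || return 1
    add_touchid_lines /etc/pam.d/sudo > "$tmp" &&
        check_touchid_order "$tmp" &&
        sudo cp "$tmp" /etc/pam.d/sudo
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

Commented-out lines do not count as present, because the awk rules require the first field to be the literal word auth.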