Sunday, 10 May 2020

pam_reattach

Reattach to the user's GUI session on macOS during authentication (for Touch ID support in tmux).
This is a PAM module for reattaching to the authenticating user's per-session bootstrap namespace on macOS. This allows users to make use of the pam_tid module (Touch ID) from within tmux.

Purpose

Although on macOS a user program may survive in the background across login sessions, several services (mostly related to the GUI, such as the pasteboard and Touch ID) are strictly tied to a user's login session and are therefore unavailable to programs running in the background session. Users of programs such as tmux and GNU Screen, which run in the background precisely to survive across login sessions, will thus find that services such as Touch ID are unavailable or do not work properly.
This PAM module will attempt to move the current program (e.g. sudo) into the user's currently active login session, after which the remaining PAM modules have access to the per-session services like Touch ID.
If you have installed the additional reattach-to-session-namespace(8) program, you may also execute arbitrary programs from the background in the login session of the user.
See TN2083 for more details about bootstrap namespaces on macOS.

Usage

This module should be invoked before the module that you want to run in the authenticating user's per-session bootstrap namespace. The module runs in the authentication phase and should be marked as either optional or required (I suggest using optional, so that a bug in the module cannot lock you out).
Modify the targeted service file in /etc/pam.d/ (such as /etc/pam.d/sudo) as follows:
auth     optional     pam_reattach.so
auth     sufficient   pam_tid.so
...
Make sure you have the module installed. For further information, see reattach_aqua(3), pam_reattach(8) and reattach-to-session-namespace(8).

Installation

The module is available in my personal Homebrew repository. Use the following command to install it:
$ brew install fabianishere/personal/pam_reattach

Building

Alternatively, you may manually build the module. The module is built using CMake 3. Enter the following commands into your command prompt in the directory in which you intend to build the module:
$ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX:PATH=/usr/local <PATH-TO-SOURCE>
$ make

Manual Installation

Then, to install the module, simply run the following command:
$ make install
Make sure you keep the generated install_manifest.txt file in the build folder after installation.

Manual Removal

Run the following command in your command prompt to remove the installation from your system:
$ xargs rm < install_manifest.txt
In case you lost install_manifest.txt, this is the list of files that are installed:
/usr/local/lib/libreattach.a
/usr/local/include/reattach.h
/usr/local/share/man/man3/reattach_aqua.3
/usr/local/lib/pam/pam_reattach.so
/usr/local/share/man/man8/pam_reattach.8
/usr/local/bin/reattach-to-session-namespace
/usr/local/share/man/man8/reattach-to-session-namespace.8

Additional Tools

Additionally, you may build a reattach-to-session-namespace command line utility by specifying the -DENABLE_CLI=ON option when calling CMake. This command allows you to reattach to the user's session namespace from the command line.
See reattach-to-session-namespace(8) for more information.

Enabling Touch ID for sudo

To enable Touch ID authorization for sudo, see the article reproduced below.
---------------------------------------------------------------------------

Enabling Touch ID authorization for sudo on macOS High Sierra

Have a Touch Bar with Touch ID? If you edit /etc/pam.d/sudo and add the following line to the top…
auth sufficient pam_tid.so
you can now use your fingerprint to sudo!

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.
Before proceeding further, I want to emphasize that you can cause yourself a lot of problems by changing sudo authorization methods incorrectly. I assume no responsibility and bear no culpability if sudo or anything else breaks as a result of anything you implement as a result of reading this post.
With that understood, please see below for how to add Touch ID to the list of sudo's accepted authorization methods:
1. Make a backup copy of the following file:
/etc/pam.d/sudo
2. Edit the following file using root privileges:
/etc/pam.d/sudo
3. Add the following line at the top of the file:
auth sufficient pam_tid.so
4. Save your changes.
Once your changes have been saved, try using sudo to authorize something. In this example, I'm using the following command:
sudo date
With Touch ID authorization enabled for sudo, you should see a Touch ID dialog box appear.
Once you've used Touch ID to authorize sudo, the command should run without requesting your account password.
Something to be aware of is that Cabel Sasser included a follow-up caveat:
When I looked into it, it appears that this caveat is Touch ID-specific, because you can still authorize sudo using your account’s password.
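Added example, not code from pam_reattach or from the article above: a POSIX shell script that performs the backup-and-insert steps of the article against a PAM service file, optionally putting the README's pam_reattach.so line in front of pam_tid.so, and then lints the result for the module order and control flags the Usage section calls for. The function names, the FILE.bak.<epoch> backup naming and the constructed sample file (which only resembles a stock /etc/pam.d/sudo) are assumptions of this example.

```shell
# Added example (not code from pam_reattach or the quoted article): enable
# Touch ID for a PAM service file idempotently, with a backup, then lint it.
set -eu

# The README's pam_reattach line and the pam_tid line the article prepends.
REATTACH_LINE='auth       optional       pam_reattach.so'
TID_LINE='auth       sufficient     pam_tid.so'

# pam_enable_touchid FILE [reattach]: back FILE up to FILE.bak.<epoch> and
# prepend the line(s) once; a file that already lists pam_tid.so is left
# alone so re-running never stacks duplicate entries.
pam_enable_touchid() {
    file=$1; with_reattach=${2:-}
    grep -q 'pam_tid\.so' "$file" && return 0
    cp -p "$file" "$file.bak.$(date +%s)"
    tmp=$(mktemp "${TMPDIR:-/tmp}/pam.XXXXXX")
    if [ -n "$with_reattach" ]; then printf '%s\n' "$REATTACH_LINE" >"$tmp"; fi
    printf '%s\n' "$TID_LINE" >>"$tmp"
    cat "$file" >>"$tmp"
    cat "$tmp" >"$file"   # write in place so owner and mode are preserved
    rm -f "$tmp"
}
# pam_check_order FILE: succeed only if pam_tid.so is an auth line marked
# sufficient and any pam_reattach.so auth line is optional or required and
# comes before it; comments and blank lines are ignored.
pam_check_order() {
    awk '
      /^[[:space:]]*#/ || NF == 0 { next }
      $1 == "auth" && $3 ~ /pam_reattach\.so/ { r = NR; rctl = $2 }
      $1 == "auth" && $3 ~ /pam_tid\.so/ && !t { t = NR; tctl = $2 }
      END {
        if (!t) { print "pam_tid.so missing"; exit 1 }
        if (tctl != "sufficient") { print "pam_tid.so is not sufficient"; exit 1 }
        if (r && r > t) { print "pam_reattach.so must precede pam_tid.so"; exit 1 }
        if (r && rctl != "optional" && rctl != "required") {
            print "pam_reattach.so control must be optional or required"; exit 1 }
      }' "$1"
}

# make_sample_pam_file PATH: constructed stand-in resembling a stock sudo
# file, so the functions can be exercised without touching /etc/pam.d.
make_sample_pam_file() {
    printf '%s\n' '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' \
        'password   required       pam_deny.so' \
        'session    required       pam_permit.so' >"$1"
}
```

Run pam_check_order against the real file after editing it; a non-zero exit and its one-line message tell you which of the README's ordering rules the file violates.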
