security.pam.services.sudo_local.touchIdAuth not working

[khsoh]

Hi, this does not seem to be working. I noticed that in /usr/lib/pam folder, the file available is pam_tid.so.2 - is that the root cause of the problem?

[b3nk3]

Edit: my workaround: security.pam.services.sudo_local.text = "auth sufficient pam_tid.so.2";

I'm facing the same issue here. In my pam folder all files have a .2 but the code only targets pam_tid.so etc

https://github.com/LnL7/nix-darwin/blob/master/modules/security/pam.nix#L66

[Enzime]

I only have pam_*.so.2 files in /usr/lib/pam as well, so I don't think that's the issue

Can you try darwin-rebuild switch again?

[khsoh]

I tried darwin-rebuild switch again. Still not working. When sudo is executed, the dialog box that pops up still requests for password - not touch ID nor apple watch.

[emilazy]

What macOS version are you running and what kind of Mac? Can you show the contents of /etc/pam.d/sudo and /etc/pam.d/sudo_local?

[khsoh]

macOS 15.3.1
MacBook Pro 13-inch M1 2020

/etc/pam.d/sudo:

# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

/etc/pam.d/sudo_local:

auth       optional       /nix/store/mhg3zwcnagbz388df2rk6pljaf411cv9-pam_reattach-1.3/lib/pam/pam_reattach.so
auth       sufficient     pam_tid.so
auth       sufficient     /nix/store/7b5398s3j7xj6jnlfinb9f4hsxd5a5jh-pam-watchid-2-unstable-2024-12-24/lib/pam_watchid.so

my snippet from configuration.nix:

  security.pam.services.sudo_local = {
    enable = true;
    reattach = true;
    touchIdAuth = true;
    watchIdAuth = true;
  };

[emilazy]

If you disable reattach and watchIdAuth, does it work? I’m wondering if those might somehow be the problem instead.

[khsoh]

I tried disabling 'reattach' and 'watchIdAuth', then restarted the MacBook. Did not work.