From Newsgroup: comp.sys.mac.system

use your watch to authorize sudo:
<https://github.com/biscuitehh/pam-watchid>

works a treat, minimal command-line fu needed.

git clone https://github.com/biscuitehh/pam-watchid
cd pam-watchid
more README.md

--
Anyhoo, they hung me. Fen out bitches.
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.sys.mac.system

Lewis <g.kreme@kreme.dont-email.me> wrote:

use your watch to authorize sudo:
<https://github.com/biscuitehh/pam-watchid>

works a treat, minimal command-line fu needed.

git clone https://github.com/biscuitehh/pam-watchid
cd pam-watchid
more README.md

Nice. Thanks.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.sys.mac.system

On 2020-11-20 11:30, Lewis wrote:

use your watch to authorize sudo:
<https://github.com/biscuitehh/pam-watchid>

works a treat, minimal command-line fu needed.

git clone https://github.com/biscuitehh/pam-watchid
cd pam-watchid
more README.md

Neat. I don't have an Apple watch, alas, and my SO thinks sudo is
martial arts practiced by people who lisp.

The premise is what? Your watch gets auth from your iPhone which is
auth'd by fingerprint or FaceID?

--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.sys.mac.system

In message <FUStH.4406$5J3.1824@fx09.iad> Alan Browne <bitbucket@blackhole.com> wrote:

On 2020-11-20 11:30, Lewis wrote:

use your watch to authorize sudo:
<https://github.com/biscuitehh/pam-watchid>

works a treat, minimal command-line fu needed.

git clone https://github.com/biscuitehh/pam-watchid
cd pam-watchid
more README.md

Neat. I don't have an Apple watch, alas, and my SO thinks sudo is
martial arts practiced by people who lisp.

The premise is what? Your watch gets auth from your iPhone which is
auth'd by fingerprint or FaceID?

If you have an Apple Watch many authorizations from you mac can be
confirmed by tapping oyur watch's side button instead of typing in your password. Things like unlocking System preferences, deleting apps from
the Application folder, etc.

This adds invoking sudo from the command line to that list.

(If you have a touchID Mac, there is a similar process to enable sudo on
those, but it does not require downloading anything, simply editing the /etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
into it.)


--
YOU [humans] NEED TO BELIEVE IN THINGS THAT AREN'T TRUE. HOW ELSE CAN
THEY BECOME? --Hogfather
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.sys.mac.system

On 2020-11-20, Lewis <g.kreme@kreme.dont-email.me> wrote:

If you have an Apple Watch many authorizations from you mac can be
confirmed by tapping oyur watch's side button instead of typing in
your password. Things like unlocking System preferences, deleting apps
from the Application folder, etc.

This adds invoking sudo from the command line to that list.

I just installed it and added this line to /etc/pam.d/sudo:

auth sufficient pam_watchid.so "reason=execute a command as root"

I'm still seeing the password prompt, even in new shells.

Hmmm... Is a service/computer restart required?

(If you have a touchID Mac, there is a similar process to enable sudo on those, but it does not require downloading anything, simply editing the /etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
into it.)

From what I've read, adding this line enables Touch ID for sudo
operations:

auth sufficient pam_tid.so

I haven't tried this yet on my MacBook Pro.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.sys.mac.system

On 2020-11-20, Jolly Roger <jollyroger@pobox.com> wrote:

On 2020-11-20, Lewis <g.kreme@kreme.dont-email.me> wrote:

If you have an Apple Watch many authorizations from you mac can be
confirmed by tapping oyur watch's side button instead of typing in
your password. Things like unlocking System preferences, deleting apps
from the Application folder, etc.

This adds invoking sudo from the command line to that list.

I just installed it and added this line to /etc/pam.d/sudo:

auth sufficient pam_watchid.so "reason=execute a command as root"

I'm still seeing the password prompt, even in new shells.

Scratch that. Forgot to unlock my watch after putting it on for testing.
Silly me... : D

Hmmm... Is a service/computer restart required?

(If you have a touchID Mac, there is a similar process to enable sudo on
those, but it does not require downloading anything, simply editing the
/etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
into it.)

From what I've read, adding this line enables Touch ID for sudo
operations:

auth sufficient pam_tid.so

I haven't tried this yet on my MacBook Pro.

Tries it. Works great.

Thanks again, Lewis. : )

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.sys.mac.system

In message <i1qfasFoiokU1@mid.individual.net> Jolly Roger <jollyroger@pobox.com> wrote:

On 2020-11-20, Lewis <g.kreme@kreme.dont-email.me> wrote:

If you have an Apple Watch many authorizations from you mac can be
confirmed by tapping oyur watch's side button instead of typing in
your password. Things like unlocking System preferences, deleting apps
from the Application folder, etc.

This adds invoking sudo from the command line to that list.

I just installed it and added this line to /etc/pam.d/sudo:

auth sufficient pam_watchid.so "reason=execute a command as root"

The quoted part is just for the logs, I don't think it's required.

I'm still seeing the password prompt, even in new shells.

Hmmm... Is a service/computer restart required?

I don't think so, but I did reboot after that because I installed some
Rogue Amoeba app and that required a restart, so maybe?

(If you have a touchID Mac, there is a similar process to enable sudo on
those, but it does not require downloading anything, simply editing the
/etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
into it.)

From what I've read, adding this line enables Touch ID for sudo
operations:

auth sufficient pam_tid.so

I haven't tried this yet on my MacBook Pro.

Yes, that looks right. I am unlikely to have a new MBP with touchID
anytime soon, however.


--
Windle shook his head sadly. Five exclamation marks, the sure sign of
an insane mind. --Reaper Man
--- Synchronet 3.18b-Win32 NewsLink 1.113