• Got an Apple Watch? Got a Mac? Got Sudo?

    From Lewis@g.kreme@kreme.dont-email.me to comp.sys.mac.system on Friday, November 20, 2020 16:30:34
    From Newsgroup: comp.sys.mac.system

    use your watch to authorize sudo:
    <https://github.com/biscuitehh/pam-watchid>

    works a treat, minimal command-line fu needed.

    git clone https://github.com/biscuitehh/pam-watchid
    cd pam-watchid
    more README.md

    --
    Anyhoo, they hung me. Fen out bitches.
    --- Synchronet 3.18b-Win32 NewsLink 1.113
  • From Jolly Roger@jollyroger@pobox.com to comp.sys.mac.system on Friday, November 20, 2020 17:04:19
    From Newsgroup: comp.sys.mac.system

    Lewis <g.kreme@kreme.dont-email.me> wrote:
    use your watch to authorize sudo:
    <https://github.com/biscuitehh/pam-watchid>

    works a treat, minimal command-line fu needed.

    git clone https://github.com/biscuitehh/pam-watchid
    cd pam-watchid
    more README.md

    Nice. Thanks.

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR
  • From Alan Browne@bitbucket@blackhole.com to comp.sys.mac.system on Friday, November 20, 2020 12:19:32
    From Newsgroup: comp.sys.mac.system

    On 2020-11-20 11:30, Lewis wrote:
    use your watch to authorize sudo:
    <https://github.com/biscuitehh/pam-watchid>

    works a treat, minimal command-line fu needed.

    git clone https://github.com/biscuitehh/pam-watchid
    cd pam-watchid
    more README.md

    Neat. I don't have an Apple watch, alas, and my SO thinks sudo is
    martial arts practiced by people who lisp.

    The premise is what? Your watch gets auth from your iPhone which is
    auth'd by fingerprint or FaceID?

    --
    "...there are many humorous things in this world; among them the white
    man's notion that he is less savage than the other savages."
    -Samuel Clemens
  • From Lewis@g.kreme@kreme.dont-email.me to comp.sys.mac.system on Friday, November 20, 2020 17:37:01
    From Newsgroup: comp.sys.mac.system

    In message <FUStH.4406$5J3.1824@fx09.iad> Alan Browne <bitbucket@blackhole.com> wrote:
    On 2020-11-20 11:30, Lewis wrote:
    use your watch to authorize sudo:
    <https://github.com/biscuitehh/pam-watchid>

    works a treat, minimal command-line fu needed.

    git clone https://github.com/biscuitehh/pam-watchid
    cd pam-watchid
    more README.md

    Neat. I don't have an Apple watch, alas, and my SO thinks sudo is
    martial arts practiced by people who lisp.

    The premise is what? Your watch gets auth from your iPhone which is
    auth'd by fingerprint or FaceID?

    If you have an Apple Watch many authorizations from your Mac can be
    confirmed by tapping your watch's side button instead of typing in your
    password. Things like unlocking System preferences, deleting apps from
    the Application folder, etc.

    This adds invoking sudo from the command line to that list.

    (If you have a touchID Mac, there is a similar process to enable sudo on
    those, but it does not require downloading anything, simply editing the
    /etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
    into it.)


    --
    YOU [humans] NEED TO BELIEVE IN THINGS THAT AREN'T TRUE. HOW ELSE CAN
    THEY BECOME? --Hogfather
  • From Jolly Roger@jollyroger@pobox.com to comp.sys.mac.system on Friday, November 20, 2020 18:13:48
    From Newsgroup: comp.sys.mac.system

    On 2020-11-20, Lewis <g.kreme@kreme.dont-email.me> wrote:

    If you have an Apple Watch many authorizations from your Mac can be
    confirmed by tapping your watch's side button instead of typing in
    your password. Things like unlocking System preferences, deleting apps
    from the Application folder, etc.

    This adds invoking sudo from the command line to that list.

    I just installed it and added this line to /etc/pam.d/sudo:

    auth sufficient pam_watchid.so "reason=execute a command as root"

    I'm still seeing the password prompt, even in new shells.

    Hmmm... Is a service/computer restart required?

    (If you have a touchID Mac, there is a similar process to enable sudo on
    those, but it does not require downloading anything, simply editing the
    /etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
    into it.)

    From what I've read, adding this line enables Touch ID for sudo
    operations:

    auth sufficient pam_tid.so

    I haven't tried this yet on my MacBook Pro.

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR
  • From Jolly Roger@jollyroger@pobox.com to comp.sys.mac.system on Friday, November 20, 2020 18:39:49
    From Newsgroup: comp.sys.mac.system

    On 2020-11-20, Jolly Roger <jollyroger@pobox.com> wrote:
    On 2020-11-20, Lewis <g.kreme@kreme.dont-email.me> wrote:

    If you have an Apple Watch many authorizations from your Mac can be
    confirmed by tapping your watch's side button instead of typing in
    your password. Things like unlocking System preferences, deleting apps
    from the Application folder, etc.

    This adds invoking sudo from the command line to that list.

    I just installed it and added this line to /etc/pam.d/sudo:

    auth sufficient pam_watchid.so "reason=execute a command as root"

    I'm still seeing the password prompt, even in new shells.

    Scratch that. Forgot to unlock my watch after putting it on for testing.
    Silly me... : D

    Hmmm... Is a service/computer restart required?

    (If you have a touchID Mac, there is a similar process to enable sudo on
    those, but it does not require downloading anything, simply editing the
    /etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
    into it.)

    From what I've read, adding this line enables Touch ID for sudo
    operations:

    auth sufficient pam_tid.so

    I haven't tried this yet on my MacBook Pro.

    Tries it. Works great.

    Thanks again, Lewis. : )

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR
  • From Lewis@g.kreme@kreme.dont-email.me to comp.sys.mac.system on Friday, November 20, 2020 21:35:17
    From Newsgroup: comp.sys.mac.system

    In message <i1qfasFoiokU1@mid.individual.net> Jolly Roger <jollyroger@pobox.com> wrote:
    On 2020-11-20, Lewis <g.kreme@kreme.dont-email.me> wrote:

    If you have an Apple Watch many authorizations from your Mac can be
    confirmed by tapping your watch's side button instead of typing in
    your password. Things like unlocking System preferences, deleting apps
    from the Application folder, etc.

    This adds invoking sudo from the command line to that list.

    I just installed it and added this line to /etc/pam.d/sudo:

    auth sufficient pam_watchid.so "reason=execute a command as root"

    The quoted part is just for the logs, I don't think it's required.

    I'm still seeing the password prompt, even in new shells.

    Hmmm... Is a service/computer restart required?

    I don't think so, but I did reboot after that because I installed some
    Rogue Amoeba app and that required a restart, so maybe?

    (If you have a touchID Mac, there is a similar process to enable sudo on
    those, but it does not require downloading anything, simply editing the
    /etc/pam/sudo file, IIRC. I don't have a touchID mac, so I've not looked
    into it.)

    From what I've read, adding this line enables Touch ID for sudo
    operations:

    auth sufficient pam_tid.so

    I haven't tried this yet on my MacBook Pro.

    Yes, that looks right. I am unlikely to have a new MBP with touchID
    anytime soon, however.


    --
    Windle shook his head sadly. Five exclamation marks, the sure sign of
    an insane mind. --Reaper Man
    --- Synchronet 3.18b-Win32 NewsLink 1.113
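
Added example, not part of the thread and not code from the pam-watchid project: a small audit of a PAM service file such as /etc/pam.d/sudo that lists which `sufficient` auth modules can authorise sudo without the password module running, and which are placed too late in the stack to have any effect. The sample file contents and the function names are assumptions made for illustration.

```python
import shlex

# Constructed sample: a macOS-style sudo PAM file with the two lines quoted in
# the thread placed at the top. The surrounding lines are an assumption.
SAMPLE = '''\
# sudo: auth account password session
auth       sufficient     pam_watchid.so "reason=execute a command as root"
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
'''

def auth_stack(text):
    """Return the auth entries as (control, module, args), in file order.

    Only simple control keywords are handled; bracketed controls such as
    [success=1 default=ignore] are outside the scope of this example.
    """
    stack = []
    for raw in text.splitlines():
        # shlex keeps the quoted "reason=..." argument as a single token
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        stack.append((fields[1], fields[2], fields[3:]))
    return stack

def review(stack):
    """Split 'sufficient' modules into (bypass, late).

    bypass: run before any required/requisite module, so their success alone
            ends the auth stack and no password is requested.
    late:   run after a required/requisite module, so the password prompt has
            already happened and the module changes nothing.
    """
    bypass, late = [], []
    seen_mandatory = False
    for control, module, _args in stack:
        if control in ("required", "requisite"):
            seen_mandatory = True
        elif control == "sufficient":
            (late if seen_mandatory else bypass).append(module)
    return bypass, late

if __name__ == "__main__":
    bypass, late = review(auth_stack(SAMPLE))
    print("authorise sudo without a password:", bypass)
    print("placed after the password module:", late)
```

Every module in the first list is a factor that by itself grants root through sudo, so that list is the one to review after editing the file.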