This directory contains two subdirectories: touchid and watchid, each with their own PAM plugins for authentication using biometric information on macOS for sudo and su.

TL;DR: Build and install both plugins with the following commands:

./install.sh all

——— or ———

make all
sudo make install
sudo make install_pam

To build both plugins (touchid and watchid) at once, follow these steps:

1. Run the following command: $ make all

   This command will build the PAM plugins in both subdirectories simultaneously.

2. Run the following command: $ sudo make install

   This command will install the PAM plugins in both subdirectories simultaneously, i.e. copy them to /usr/local/lib/pam.

3. Run the following command: $ sudo make install_pam

   This command will add the necessary PAM configuration to /etc/pam.d/sudo and /etc/pam.d/su to enable the PAM plugins in both subdirectories simultaneously.

To build a single plugin, append the name of the plugin to the make commands above.

./install.sh touchid

——— or ———

make touchid
sudo make install_touchid
sudo make install_pam_touchid

./install.sh watchid

——— or ———

make watchid
sudo make install_watchid
sudo make install_pam_watchid

To uninstall a plugin, remove the corresponding PAM configuration from /etc/pam.d/sudo and /etc/pam.d/su (e.g. via sudo -e /etc/pam.d/su[do]), and remove the .so plugin from /usr/local/lib/pam.

This can be done automatically by running the following command:

./uninstall.sh [all|touchid|watchid]

This repository contains these two PAM plugins for macOS:

A PAM plugin for authenticating using biometric information (Touch ID) written in Swift.

Based on Reflejo/pam-touchID.

A PAM plugin for authenticating using the new kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch API in macOS 10.15, written in Swift.

Based on biscuitehh/pam-watchid.