Use TouchID to Authenticate Sudo on macOS

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • secretive

    Store SSH keys in the Secure Enclave

    Not exactly connected but the same crowd interested in this topic may also be interested in this tool to store SSH private keys in the Secure Enclave, kind of like what can be done with a YubiKey:

    https://github.com/maxgoedjen/secretive

    I've been looking for something like this for 3-4 years but only found it six months ago (in an HN thread). I use separate keys for every use case, and now know every time a key is used for any purpose, whether it's connecting to source control or my text editor is connecting to a remote VM.

    Only thing I haven't figured out is how to do git signatures with these sorts of keys, but I haven't debugged it at all.

  • openssh-sk-winhello

    A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API

    For Windows, it seems it's possible [0, see footnote], however there are problems like general incompatibilities [1], and official support status is "We have this in our backlog. At this point it's not prioritized." [2]

    0: https://github.com/tavrez/openssh-sk-winhello

    0.footnote: "Windows Hello also supports other types of authenticators like internal TPM device(if they support generating ECDSA or Ed25519 keys, they can be used instead of FIDO/U2F security keys)."

    1: https://github.com/tavrez/openssh-sk-winhello/issues

    2: https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issu...

  • Win32-OpenSSH

    Win32 port of OpenSSH

  • pam_wtid

    Patch for Apple's pam_tid PAM Touch ID module to add sudo watch authentication

    Does watch unlock now work natively with pam_tid? I know as of at least a few months ago it would only work if you could use touch ID, i.e. when the laptop was open. If it was docked, it would fall back to password auth.

    I wrote a patcher that changed this behavior; it patched pam_tid directly on your system and just updates the API Apple calls to allow unlocking with watch-only when touch ID is unavailable:

    https://github.com/inickt/pam_wtid

    Was a fun reverse engineering experience and wrote up some more info in the README.

  • toucli

    Use TouchID and the Secure Enclave to encrypt data from the commandline.

    In the same vein, I recently made a tool to use TouchID and the Secure Enclave to protect arbitrary data and env variables from the commandline: https://github.com/pathtofile/toucli

  • pam-watchid

    PAM plugin module that allows the Apple Watch to be used for authentication (by insidegui)

    I'm using this to authorize sudo (and other things) with Apple Watch:

    https://github.com/insidegui/pam-watchid

    ... and my /etc/pam.d/sudo needs to be changed like this:

        # sudo: auth account password session

  • sekey

    Use Touch ID / Secure Enclave for SSH Authentication!

  • dotfiles.nix

    My dotfiles in NIX (by shinzui)

    nix-darwin currently does not support that directly, but there is an open PR to fix that. For my dotfiles, I added the module from the PR with some slight modifications. You can find the code below.

    https://github.com/shinzui/dotfiles.nix/blob/master/modules/...

  • WinCryptSSHAgent

    Using a Yubikey for SSH Authentication on Windows Seamlessly

  • pamgpgr

    Self plug, but here's a PAM module I made for using gpg for login: https://gitlab.com/rendaw/pamgpgr . I've been using it for a couple years for sudo I think (yubikey).

    The code is fairly small so it can be an example for doing other PAM things too.

  • howdy

    🛡️ Windows Hello™ style facial authentication for Linux
