Adding Apple Watch authentication to sudo
macOS includes PAM modules that let your Mac use Touch ID or Apple Watch.
PAM stands for Pluggable authentication module:
https://en.wikipedia.org/wiki/Pluggable_authentication_module?useskin=vector
View the contents of the sudo PAM configuration:
cat /etc/pam.d/sudo
# sudo: auth account password session
auth include sudo_local
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
This configuration requires a password and Touch ID/Apple Watch confirmation to run any sudo command.
A fork of pam_watchid that supports both Apple Silicon and Intel Macs:
https://github.com/msanders/pam-watchid.git
Install pam_watchid
git clone https://github.com/msanders/pam-watchid.git
cd pam-watchid
sudo make install
swiftc watchid-pam-extension.swift -o pam_watchid_x86_64.so -target x86_64-apple-darwin20.1.0 -emit-library
swiftc watchid-pam-extension.swift -o pam_watchid_arm64.so -target arm64-apple-darwin20.1.0 -emit-library
lipo -create pam_watchid_arm64.so pam_watchid_x86_64.so -output pam_watchid.so
mkdir -p /usr/local/lib/pam
install -o root -g wheel -m 444 pam_watchid.so /usr/local/lib/pam/pam_watchid.so.2
Edit /etc/pam.d/sudo
so that it includes the following as the first line:
auth sufficient pam_watchid.so
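
The following is an added example, not code from this page or from the pam-watchid project: a post-install check that pam_watchid.so is the first auth rule in a PAM service file and that the installed module is not writable by group or others, since sudo loads it as root. The function names and the sample files are constructed for illustration; the checks take file paths as arguments so they can be run against copies.

```sh
#!/bin/sh
# Added example, not part of pam-watchid. Function names are hypothetical and
# the sample data below is constructed so the script runs anywhere.

# Print "type control module" of the first auth rule, skipping comments.
first_auth_rule() {
    awk '$1 == "auth" { print $1, $2, $3; exit }' "$1"
}

# Succeed only if pam_watchid.so is the first auth rule and is "sufficient".
watchid_is_first() {
    [ "$(first_auth_rule "$1")" = "auth sufficient pam_watchid.so" ]
}

# Succeed only if the module exists and neither group nor others can write it.
# sudo loads the module as root, so a writable module is a root code path.
module_not_writable() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample: the stock file shown earlier with the new line added first.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudo" <<'EOF'
# sudo: auth account password session
auth sufficient pam_watchid.so
auth include sudo_local
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
EOF
: > "$demo_dir/pam_watchid.so.2"   # empty stand-in for the installed module
chmod 444 "$demo_dir/pam_watchid.so.2"

if watchid_is_first "$demo_dir/sudo"; then
    echo "order: ok"
else
    echo "order: pam_watchid.so is not the first auth rule"
fi
if module_not_writable "$demo_dir/pam_watchid.so.2"; then
    echo "module: ok"
else
    echo "module: missing, or writable by group/others"
fi
```

On a real system, pass /etc/pam.d/sudo to watchid_is_first and /usr/local/lib/pam/pam_watchid.so.2 to module_not_writable.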
References
https://github.com/inickt/pam_wtid