Not exactly connected but the same crowd interested in this topic may also be interested in this tool to store SSH private keys in the Secure Enclave, kind of like what can be done with a YubiKey:

https://github.com/maxgoedjen/secretive

I've been looking for something like this for 3-4 years but only found it six months ago (in an HN thread). I use separate keys for every use case, and now know every time a key is used for any purpose, whether it's connecting to source control or my text editor is connecting to a remote VM.

Only thing I haven't figured out is how to do git signatures with these sorts of keys, but I haven't debugged it at all.

I know PAM gets criticized here and there, sometimes heavily, but it's actually a super flexible system. The thing that really stands out is that no application actually needs to know about all the various authentication methods possible. That file in /etc/pam.d/ just corresponds to the app's "service name", and you (as the machine administrator) can put in it whatever you want. The app just needs to go "Hey PAM, I want to start authentication using service 'sudo'", and then PAM will send instructions to the app, like "Display the text 'Place your finger on the fingerprint scanner'", or "Display the text 'Password:' and then prompt for masked input".

It's really quite flexible, and despite its age, still works pretty well with current programming paradigms, whether your UI is text or graphical or whatever. The one oddity is that when it asks you to prompt for some kind of user input, it will actually expect you to return the resulting input from the same callback function. So if you're using a modern-ish GUI toolkit, you'll need to run the PAM stuff off on a different thread that's allowed to block while your UI thread is free to do what it needs to do. But overall that's just... fine?

I've also done this on my Framework laptop running Linux, it's really convenient. Have it set up for sudo, user login, etc. Just added this to various files in /etc/pam.d

  auth sufficient pam_fprintd.so

Every MacOS update, I do run a sudo command and get the password prompt. I cancel, and instead do...

    sudo cp ~/Dropbox/etc-pam.d-sudo /etc/pam.d/sudo

Type the password once and you're done. I've been carrying this around for quite a while. No need to edit the file every MacOS, just copy it.

But once it did utterly go south when Dropbox's "load files on demand" functionality replaced the file with a bunch of zero bytes. That wasn't fun to fix. So maybe Dropbox isn't the best storage place.

Here's a single line you can run that'll add the needed line to the file in the correct place for you:

    sudo perl -pi -e 's/(pam_smartcard.so)/$1\nauth sufficient pam_tid.so/' /etc/pam.d/sudo

   sudo perl -pi -e 's/(pam_smartcard.so)/$1\nauth       sufficient     pam_tid.so/' /etc/pam.d/sudo

    printf '%s\n' '/pam_smartcard\.so/a' 'auth sufficient pam_tid.so' . wq | sudo ex -s /etc/pam.d/sudo

I did this when the touch ID macs were first released and very quickly disabled it.

Why? Because asking for a password for su / sudo broke the flow -- not only did I have to move my right hand from the home row (or both, for my watch), but it popped up a modal-like window away from where my eyes were. Basically it impinged on my focus.

Nice idea, not so nice in practice.

Does watch unlock now work natively with pam_tid? I know as of at least a few months ago it would only work if you could use touch ID, i.e. when the laptop was open. If it was docked, it would fall back to password auth.

I wrote a patcher that changed this behavior, it patched pam_tid directly on your system and just updates the API Apple calls to allow unlocking with watch-only when touch ID is unavailable:

https://github.com/inickt/pam_wtid

Was a fun reverse engineering experience and wrote up some more info in the README.

    # sudo: auth account password session
    auth       sufficient     pam_watchid.so
    (...)

I wonder why Apple haven't made this a default on TouchID Macs?