This is a PAM module for reattaching to the authenticating user's per-session bootstrap namespace on macOS. This allows users to make use of the `pam_tid` module (Touch ID) from within tmux.
This module should be invoked before the module that you want to put in the authenticating user's per-session bootstrap namespace. The module runs in the authentication phase and should be marked as either `optional` or `required` (I suggest using `optional` to prevent getting locked out in case of bugs).

Modify the targeted service in `/etc/pam.d/` (such as `/etc/pam.d/sudo`) as follows:

```
sudo vi /etc/pam.d/sudo
```

```
auth optional pam_reattach.so
auth sufficient pam_tid.so
...
```
Make sure you have the module installed:

```
brew install fabianishere/personal/pam_reattach
```

Note that when the module is not installed in `/usr/lib/pam` or `/usr/local/lib/pam` (e.g., on M1 Macs where Homebrew is installed in `/opt/homebrew`), you must specify the full path to the module in the PAM service file as shown below:

```
auth optional /opt/homebrew/lib/pam/pam_reattach.so ignore_ssh
auth sufficient pam_tid.so
...
```
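A sanity check for the service-file edits above, added here as an example and not part of pam_reattach: a POSIX shell function that lints a PAM service file for the points made so far (a `pam_reattach.so` auth line that comes before `pam_tid.so`, is marked `optional`, and, when written as an absolute path, refers to a file that is actually installed). The function name `check_pam_service`, the sample service files and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of pam_reattach: lint a PAM service file before
# relying on it, so a slip in the config cannot lock you out of sudo. For the
# auth phase it checks that a pam_reattach line exists, comes before pam_tid.so,
# is marked optional, and, when written as an absolute path (the Homebrew
# /opt/homebrew case), points at a file that is actually installed.
check_pam_service() {
    # Comment lines are skipped; PAM fields are: type control module [args]
    result=$(awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == "auth" && $3 ~ /pam_reattach\.so$/ && !r { r = NR; rc = $2; rp = $3 }
        $1 == "auth" && $3 ~ /pam_tid\.so$/ && !t { t = NR }
        END {
            if (!r)               { print "ERR no auth line loads pam_reattach.so"; exit }
            if (t && r > t)       { print "ERR pam_reattach.so must precede pam_tid.so"; exit }
            if (rc != "optional") { print "ERR control for pam_reattach.so is " rc ", use optional"; exit }
            print "OK " rp
        }' "$1")
    case "$result" in
        "OK /"*)  # absolute path: PAM will not search the default directories, so it must exist
            path=${result#OK }
            [ -f "$path" ] && { echo "ok: $path"; return 0; }
            echo "ERR module file not found: $path"; return 1 ;;
        OK*)      echo "ok: ${result#OK } (looked up in the default PAM module directories)"; return 0 ;;
        *)        echo "$result"; return 1 ;;
    esac
}
# Constructed sample service files in a temp dir, so the check runs offline.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
# sudo: pam_reattach first and optional, then Touch ID
auth       optional       pam_reattach.so ignore_ssh
auth       sufficient     pam_tid.so
EOF
cat > "$tmp/bad_order" <<'EOF'
auth       sufficient     pam_tid.so
auth       optional       pam_reattach.so
EOF
cat > "$tmp/bad_control" <<'EOF'
auth       required       pam_reattach.so
auth       sufficient     pam_tid.so
EOF
mkdir -p "$tmp/lib" && : > "$tmp/lib/pam_reattach.so"   # stand-in for the installed library
printf 'auth optional %s ignore_ssh\nauth sufficient pam_tid.so\n' "$tmp/lib/pam_reattach.so" > "$tmp/abs_ok"
printf 'auth optional %s ignore_ssh\nauth sufficient pam_tid.so\n' "$tmp/missing/pam_reattach.so" > "$tmp/abs_missing"
check_pam_service "$tmp/good"               # returns 0
check_pam_service "$tmp/abs_missing" || :   # returns 1
```

Run it against `/etc/pam.d/sudo` after editing; a non-zero exit with an `ERR` line tells you what to fix before opening a new terminal and testing `sudo`.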
The `pam_tid` module will try to avoid prompting for a touch when connected via SSH or another remote login method. However, there are situations (e.g. use of tmux and screen) where the current tty may be spawned by a remote session but not detected as such by `pam_tid`. To help mitigate this, the `ignore_ssh` option can be added to the configuration of `pam_reattach` as follows:

```
auth optional pam_reattach.so ignore_ssh
auth sufficient pam_tid.so
...
```

This will detect the presence of any of `$SSH_CLIENT`, `$SSH_CONNECTION`, or `$SSH_TTY` in the environment, and cause this module to become a no-op.