This is a PAM module for reattaching to the authenticating user's per-session
bootstrap namespace on macOS.
This allows users to make use of the
pam_tid module (Touch ID) from within tmux.
Although in MacOS a user program may survive in the background across login sessions, several services (mostly related to the GUI, such as pasteboard and Touch ID) are strictly tied to the login session of a user and as such unavailable for programs in the background session. Users of programs such as tmux and GNU Screen that run in the background to survive across login sessions, will thus find that several services such as Touch ID are unavailable or do not work properly.
This PAM module will attempt to move the current program (e.g.
sudo) to the current active login session,
after which the remaining PAM modules will have access to the per-session services like Touch ID.
If you have installed the additional
reattach-to-session-namespace(8) program, you may also execute arbitrary
programs from the background in the login session of the user.
See TN2083 for more details about bootstrap namespaces in MacOS.
This module should be invoked before the module that you want to put in the
authenticating user's per-session bootstrap namespace. The module runs in the
authentication phase and should be marked as either
(I suggest using
optional to prevent getting locked out in case of bugs)
Modify the targeted service in
/etc/pam.d/ (such as
/etc/pam.d/sudo) as explained:
auth optional pam_reattach.so auth sufficient pam_tid.so ...
Make sure you have the module installed. Note that when the module is not installed in
/usr/local/lib/pam (e.g., on M1 Macs where Homebrew is installed in
/opt/homebrew), you must specify the full path to the module in the PAM service file as shown below:
auth optional /opt/homebrew/lib/pam/pam_reattach.so auth sufficient pam_tid.so ...
For further information, see
The module is available in my personal Homebrew repository. Use the following command to install it:
$ brew install fabianishere/personal/pam_reattach
Alternatively, you may manually build the module. The module is built using CMake 3. Enter the following commands into your command prompt in the directory in which you intend to build the module:
$ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX:PATH=/usr/local <PATH-TO-SOURCE> $ make
To create a universal binary for use with both Apple Silicon and x86 (e.g. for Rosetta support), use:
$ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX:PATH=/usr/local -DCMAKE_OSX_ARCHITECTURES="arm64;x86_64" <PATH-TO-SOURCE> $ make
Then, to install the module, simply run the following command:
$ make install
Make sure you keep the generated
install_manifest.txt file in the build folder after installation.
Run the following command in your command prompt to remove the installation from your system:
$ xargs rm < install_manifest.txt
In case you lost
install_manifest.txt, this is the list of files that are installed:
/usr/local/lib/libreattach.a /usr/local/include/reattach.h /usr/local/share/man/man3/reattach_aqua.3 /usr/local/lib/pam/pam_reattach.so /usr/local/share/man/man8/pam_reattach.8 /usr/local/bin/reattach-to-session-namespace /usr/local/share/man/man8/reattach-to-session-namespace.8
Additionally, you may build a
reattach-to-session-namespace command line
utility by specifying the
-DENABLE_CLI=ON option when calling CMake. This command allows you to reattach to the user's session namespace from the
reattach-to-session-namespace(8) for more information.
Enabling Touch ID for sudo
To enable Touch ID authorization for
sudo, please see this
The code is released under the MIT license. See LICENSE.txt.