Just a reminder for myself:
To make the fingerprint reader (Touch ID) on a MacBook sufficient for sudo, create the file /etc/pam.d/sudo_local (probably as a copy of /etc/pam.d/sudo_local.template) and add the line
auth sufficient pam_tid.so
Or use Ansible:
- name: Configure touch-id for sudo
  become: true
  ansible.builtin.lineinfile:
    name: /etc/pam.d/sudo_local
    line: "auth sufficient pam_tid.so"
    # Also matches a commented-out copy of the rule and replaces it
    regexp: 'auth\s+sufficient\s+pam_tid\.so'
    state: present
    create: true
    # Quoted so the mode is always read as octal
    mode: "0644"
    owner: root
    group: wheel
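
To check the result afterwards, here is a small audit script. It is an added example, not part of the original note, and the function names are made up for illustration. It reports whether the pam_tid.so rule is active, still commented out, or present with a control flag other than sufficient, and it flags a file that group or others can write to.

```shell
#!/bin/sh
# Added example: audit a PAM service file for the Touch ID rule.
# Function names are hypothetical. Usage: sh script.sh /etc/pam.d/sudo_local

# Prints one of: enabled, commented, wrong-control:<flag>, missing
pam_tid_status() {
    awk '
        # Active rule: auth <control> pam_tid.so
        $1 == "auth" && $3 == "pam_tid.so" {
            if ($2 == "sufficient") found = "enabled"
            else if (found != "enabled") found = "wrong-control:" $2
            next
        }
        # Commented-out rule, e.g. left over from a copied template
        /^[ \t]*#[ \t]*auth[ \t]+[^ \t]+[ \t]+pam_tid\.so/ {
            if (found == "") found = "commented"
        }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# Succeeds if group or others may write the file (they should not).
pam_file_loosely_writable() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Prints the status; returns 0 only if the rule is enabled and the
# file is not group/world writable, 2 if the file does not exist.
check_pam_tid() {
    file=$1
    [ -f "$file" ] || { echo "absent"; return 2; }
    st=$(pam_tid_status "$file")
    if pam_file_loosely_writable "$file"; then
        echo "$st (file is group/world writable)"
        return 1
    fi
    echo "$st"
    [ "$st" = "enabled" ]
}

if [ $# -gt 0 ]; then
    check_pam_tid "$1"
fi
```
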