diff --git a/.prettierrc.yaml b/.prettierrc.yaml new file mode 100644 index 0000000..9aa0756 --- /dev/null +++ b/.prettierrc.yaml 
@@ -0,0 +1,66 @@ +# Filename: ~/github/dotfiles-latest/.prettierrc.yaml +# ~/github/dotfiles-latest/.prettierrc.yaml + +# This will autoformat existing lines over 80 characters and also long lines +# that you paste that exceed the 80 characters + +############################################################################### + +# The configuration file will be resolved starting from the location of the +# file being formatted, and searching up the file tree until a config file is +# (or isn’t) found. +# +# Prettier intentionally doesn’t support any kind of global configuration. +# This is to make sure that when a project is copied to another computer, +# Prettier’s behavior stays the same. Otherwise, Prettier wouldn’t be able to +# guarantee that everybody in a team gets the same consistent results. +# +# I added the file in my home directory directly ~/.prettierrc.yaml, and it +# and it was being picked up by all the files inside, for exmaple files +# in the ~/github/dotfiles-latest directory +# +# So my .zshrc file automatically creates a symlink in my home directory that +# points to this file. That way everthing inside my home directory can be +# formatted using this single file + +############################################################################### + +# This sets it for all the file formats, not only markdown +# "preserve" is the default configuration applied to all files +# proseWrap: "preserve" +# proseWrap: "always" + +# You might not want proseWrap to affect YAML files for example, so that's why +# it's not set above +# +# Also notice that you can specify different settings for different directories +# +# https://prettier.io/docs/en/configuration#configuration-overrides +overrides: + # Specific override for Markdown (.md) files + - files: "*.md" + # https://prettier.io/docs/en/options + options: + # "always" - Wrap prose if it exceeds the print width. + # "never" - Un-wrap each block of prose into one line. 
+ # "preserve" - DEFAULT - Do nothing, leave prose as-is. First availi in v1.9.0 + proseWrap: "always" + # The default for this value is 80 if not specified, if you increase it + # lines will be longer + # All the different options can be found in + # https://prettier.io/docs/en/options#print-width + printWidth: 80 + # # Specific override for Markdown (.md) files in a specific directory + # # This sets the indentation to 4 spaces and line length from 80 to 100 + # # This is because confluence sucks with markdown support, but this makes it + # # work + # # Notice it's at the same indentation level of the `- files` above + - files: + - "github/obsidian_main/050-personal/work/doc/goto/monitoring/projects/**/*.md" + options: + tabWidth: 4 + # tab_width: 4 + # indent_style: "space" + # indent_size: 5 + proseWrap: "always" + printWidth: 100 diff --git a/_posts/macos/auth-apple-watch/2024-11-07-auth-apple-watch.md b/_posts/macos/auth-apple-watch/2024-11-07-auth-apple-watch.md index 0973b59..8d88dd6 100755 --- a/_posts/macos/auth-apple-watch/2024-11-07-auth-apple-watch.md +++ b/_posts/macos/auth-apple-watch/2024-11-07-auth-apple-watch.md @@ -5,13 +5,13 @@ description: >- without touch ID but you have an apple watch and would like to authenticate your sudo commands with the watch? image: - path: >- - https://res.cloudinary.com/daqwsgmx6/image/upload/q_75/v1717456413/youtube/neovim/lazyvim-vs-kickstart.avif + path: ../../../assets/img/imgs/241110-thux-sudo-apple-watch.avif date: '2024-11-07 06:10:00 +0000' categories: - macos tags: - macos + - apple-watch - tutorial - youtube - video 
@@ -22,43 +22,95 @@ tags: - [YouTube video](#youtube-video) -- [Disclaimer](#disclaimer) -- [WORK IN PROGRESS](#work-in-progress) - [Introduction](#introduction) +- [Disclaimer](#disclaimer) +- [Requirements](#requirements) - [A link to my guide will be in the video description](#a-link-to-my-guide-will-be-in-the-video-description) - [If you like this, and want to support me](#if-you-like-this-and-want-to-support-me) - [Follow me on Twitter](#follow-me-on-twitter) +- [Setup macOS](#setup-macos) + * [System settings](#system-settings) + * [With touch ID](#with-touch-id) + * [Without touch id (pam-watchid)](#without-touch-id-pam-watchid) + + [Installation with script](#installation-with-script) + + [Manual installation](#manual-installation) + + [I have issues installing pam-watchid](#i-have-issues-installing-pam-watchid) +- [I messed up, cannot run sudo commands anymore](#i-messed-up-cannot-run-sudo-commands-anymore) ## YouTube video -{% include embed/youtube.html id='_WJBLC8LciQ' %} +{% include embed/youtube.html id='VMdSJ8d5Aos' %} -## Disclaimer +## Introduction -- This is a `macOS` related tutorial -- You need an apple watch +- I use a mac mini as my daily driver, my main keyboard for many years `was` a + magic keyboard with touch ID -## WORK IN PROGRESS + +![Image](../../../assets/img/imgs/241108-magic-keyboard.avif){: width="500"} +_magic keyboard with touch ID_ -- This article is not done yet, just testing images +- But around 2 months ago I switched to a glove80, and as you're able to tell, + this is not an apple product, so it doesn't have touch ID, and mac mini's + don't include touch ID either + - I'll review the glove80 soon, so subscribe on YouTube to find out -## Introduction + +![Image](../../../assets/img/imgs/241108-glove-80.avif){: width="500"} +_glove80 keyboard_ + +- I spend most of my day in my terminal doing stuff, and I sometimes need to + type my sudo password in the terminal, and its a bit annoying because I have + an apple watch that I use 
to authenticate basically everywhere else +- In this video I'll help you setup macOS so that the sudo authentication + requests are sent to your apple watch instead of typing the password + + +![Image](../../../assets/img/imgs/241108-auth-to-watch.avif){: width="500"} +_auth request sent from terminal to apple watch_ -- I use a mac mini as my daily driver, my main keyboard was a magic keyboard with - touch ID as seen on the image below +## Disclaimer + +- Follow this guide at your own risk +- I'm not responsible for: + - Broken macs + - Security issues related to any of the repos used + - Authentication problems with sudo + - Any other issues that may arise from following this guide +- Make sure you understand what you're doing before making changes to system + files + +## Requirements + +- This tutorial is for `macOS` +- You need an `apple watch` (mine is a series 8, haven't tested others) +- I use an `M1 mac mini` running `sequoia`, not sure if: + - This works on `intel` based macs + - Older OS versions + + + + + + +> You `do not` need a `keyboard` or `mac` with touch ID +{: .prompt-danger } + + + ## A link to my guide will be in the video description - So you can copy all the commands - So you can also find all the links I share +- testing other thing ## If you like this, and want to support me - > - This helps me to keep creating content and sharing it 
@@ -73,3 +125,317 @@ tags: - Or as kids call it these days "X" - [Here's the link](https://x.com/link_arzu){:target="\_blank"} +## Setup macOS + +### System settings + +- Make sure that this option is enabled + + +![Image](../../../assets/img/imgs/241108-syst-sett-watch.avif){: width="500" } +_macOS system settings_ + +### With touch ID + +- Sources: + - [touch ID for sudo](https://sixcolors.com/post/2023/08/in-macos-sonoma-touch-id-for-sudo-can-survive-updates/){:target="\_blank"} + - [here I discovered pam_reattach](https://apple.stackexchange.com/questions/259093/can-touch-id-on-mac-authenticate-sudo-in-terminal#comment696892_466029){:target="\_blank"} +- This section will only work if: + - You have a computer or keyboard with touch ID + - Your laptop **is not in clamshell mode** (lid closed) + - If 1 or more of the 2 above are not true, keep reading + - You're using macOS Sonoma or above (according to the source above) +- This section following only works if `outside of tmux` +- If you want this to work when in `tmux`, first you need to install + [pam_reattach](https://github.com/fabianishere/pam_reattach){:target="\_blank"} + +```bash +brew install pam-reattach +``` + +- If you don't know how to install brew first watch + [this video](https://youtube.com/watch?v=BEB7X78ivNM){:target="\_blank"} +- After this you need to first create the `sudo_local` file and it needs to have + these 2 lines: + - `optional` that points to `pam_reattach` + - `sufficient` that points to `pam_tid.so` +- The command below removes the `#` character from the beginning of lines that + start with `#auth` in the file `/etc/pam.d/sudo_local.template` and writes the + modified content to `/etc/pam.d/sudo_local`. +- It also adds the `pam_reattach` line above the `pam_tid.so` line. + - The `i` command tells `sed` to insert the specified text before the line + that matches the pattern. 
In BSD `sed` + - The backslash (`\`) at the end of the line indicates that the text to insert + continues on the next line. + + + + + + +> Run the command below if you're a tmux user, it will add both lines needed +{: .prompt-tip } + + + + +- Before running the command below make sure that pam reattach is in this + directory, for apple silicon macs it is, if it's not there read the docs in + [pam_reattach](https://github.com/fabianishere/pam_reattach){:target="\_blank"} + +```bash +ls /opt/homebrew/lib/pam/pam_reattach.so +``` + +```bash +linkarzu.@.mini/etc/pam.d🔒 +[24/11/10] kubernetes () +❯ ls /opt/homebrew/lib/pam/pam_reattach.so +/opt/homebrew/lib/pam/pam_reattach.so +``` + +- If the file is there run this command + +```bash +sed -e 's/^#auth/auth/' -e '/pam_tid.so/i\ +auth optional /opt/homebrew/lib/pam/pam_reattach.so' /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local +``` + + + + + + +> Run the command below if you're **NOT** a tmux user, it will add a single line +{: .prompt-tip } + + + + +```bash +sudo rm /etc/pam.d/sudo_local +sed "s/^#auth/auth/" /etc/pam.d/sudo_local.template | sudo tee /etc/pam.d/sudo_local +``` + +- This is how my file looks after running the command for tmux + +```bash +cd /etc/pam.d +cat sudo_local +``` + +```bash +linkarzu.@.mini/etc/pam.d🔒 +[24/10/30] kubernetes () +❯ cat sudo_local +# sudo_local: local config file which survives system update and is included for sudo +# uncomment following line to enable Touch ID for sudo +auth optional /opt/homebrew/lib/pam/pam_reattach.so +auth sufficient pam_tid.so +``` + +- The `sudo` file by default reads the contents of the `sudo_local` file +- So you should be good and this will start working + +```bash +cat sudo +``` + +```bash +chris.@.chris-MBP/etc/pam.d🔒 took 13s +[24/10/30] kubernetes () +❯ cat sudo +# sudo: auth account password session +auth include sudo_local +auth sufficient pam_smartcard.so +auth required pam_opendirectory.so +account required pam_permit.so 
+password required pam_deny.so +session required pam_permit.so +``` + +- In case you want to test this, `sudo -k` invalidates the cached credentials + forcing sudo to prompt for the password the next time + +```bash +sudo -k +sudo whoami +``` + +```bash +linkarzu.@.mini/etc/pam.d🔒 took 5s +[24/10/30] kubernetes () +❯ sudo whoami +root + +linkarzu.@.mini/etc/pam.d🔒 +[24/10/30] kubernetes () +❯ sudo -k + +linkarzu.@.mini/etc/pam.d🔒 +[24/10/30] kubernetes () +❯ sudo whoami +Password: +``` + +- If you have a computer or keyboard with touch ID, this should be it, you don't + need to continue to the next section + +### Without touch id (pam-watchid) + +#### Installation with script + +- I don't use my magic keyboard anymore, so I want to unlock my mac mini (that + doesn't have touch ID) with my apple watch +- [Repo: pam-watchid](https://github.com/Logicer16/pam-watchid) +- [Issue raised in repo](https://github.com/Logicer16/pam-watchid/issues/2) +- The repo has a script that clones it, runs the makefile and then cleans up + afterwards +- Running this script will add extra lines to your `sudo_local` file that you'll + have to clean afterwards + - These lines are added due to the way the makefile is configured + +```bash +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/logicer16/pam-watchid/HEAD/install.sh)" -- enable +``` + +- This is what my file looks like after running the script, so I have to edit it + to remove a few lines + +```bash +linkarzu.@.mini/etc/pam.d🔒 took 4s +[24/11/10] kubernetes () +❯ cat sudo_local +# sudo_local: local config file which survives system update and is included for sudo +# uncomment following line to enable Touch ID for sudo +auth optional /opt/homebrew/lib/pam/pam_reattach.so +auth sufficient pam_watchid.so +auth sufficient pam_tid.so +# sudo_local: local config file which survives system update and is included for sudo +# uncomment following line to enable Touch ID for sudo +auth sufficient pam_tid.so +auth sufficient 
pam_watchid.so +``` + +- I use vim with sudo to edit my file + +```bash +sudo vim sudo_local +``` + +- This is what the file looks like after cleanup +- Remember that I have `pam_reattach.so` because I use tmux and I have it + installed, if you don't have that installed, don't add this line + +```bash +linkarzu.@.mini/etc/pam.d🔒 took 10s +[24/11/10] kubernetes () +❯ cat sudo_local +# sudo_local: local config file which survives system update and is included for sudo +# uncomment following line to enable Touch ID for sudo +auth optional /opt/homebrew/lib/pam/pam_reattach.so +auth sufficient pam_tid.so +auth sufficient pam_watchid.so +``` + +#### Manual installation + +- On the other hand, in case you want to manually clone the repo, then run the + makefile +- Notice there were no errors + + + + +> If you already ran the script above, don't run these commands below +{: .prompt-info } + + + +```bash +mkdir -p ~/github +cd ~/github +git clone https://github.com/Logicer16/pam-watchid.git +cd pam-watchid +sudo make install +``` + +- Sample of how the make install command looks + +```bash +linkarzu.@.mini~/github/pam-watchid on  main via 🐦 v6.0.2 +[24/11/05] kubernetes () +❯ sudo make install +Password: +swiftc watchid-pam-extension.swift -DSEQUOIASDK -o pam_watchid_x86_64.so -target x86_64-apple-darwin24.1.0 -emit-library +swiftc watchid-pam-extension.swift -DSEQUOIASDK -o pam_watchid_arm64.so -target arm64-apple-darwin24.1.0 -emit-library +lipo -create pam_watchid_arm64.so pam_watchid_x86_64.so -output pam_watchid.so +sudo mkdir -p /usr/local/lib/pam +sudo install -o root -g wheel -m 444 pam_watchid.so /usr/local/lib/pam/pam_watchid.so.2 +``` + +- Here's the file that was copied + +```bash +ls /usr/local/lib/pam/pam_watchid.so.2 +``` + +```bash +linkarzu.@.mini~/github/pam-watchid on  main via 🐦 v6.0.2 +[24/11/05] kubernetes () +❯ ls /usr/local/lib/pam/pam_watchid.so.2 +/usr/local/lib/pam/pam_watchid.so.2 +``` + +- After its installed, you can add it to your 
`sudo_local` file + +```bash +linkarzu.@.mini/etc/pam.d🔒 took 3s +[24/11/05] kubernetes () +❯ cat sudo +# sudo: auth account password session +auth include sudo_local +auth sufficient pam_smartcard.so +auth required pam_opendirectory.so +account required pam_permit.so +password required pam_deny.so +session required pam_permit.so + +linkarzu.@.mini/etc/pam.d🔒 +[24/11/05] kubernetes () +❯ cat sudo_local +# sudo_local: local config file which survives system update and is included for sudo +# uncomment following line to enable Touch ID for sudo +auth optional /opt/homebrew/lib/pam/pam_reattach.so +auth sufficient pam_watchid.so +auth sufficient pam_tid.so +``` + +--- + +- After this, with my magic keyboard off and using my mac mini I get sudo + notifications on my apple watch + +#### I have issues installing pam-watchid + +- I do not own this repo, but the maintainer was kind enough to enable issues + and helped me solve an issue I had when trying to set it up +- [link to issues here](https://github.com/Logicer16/pam-watchid/issues){:target="\_blank"} + +## I messed up, cannot run sudo commands anymore + +- Yeah, it happened to me during the testing phase, I `f*7cked` up and wasn't + able to run sudo commands anymore +- This happened because I added a `pam_watchid.so` from a repo that was not + maintained anymore to my sudo_local file, that file was never found, so I + couldn't run sudo commands +- I don't remember the exact details, but here's an overview of what I did, I + don't remember the exact error I received, but if you google that error, + you'll be able to find the instructions + - I turned off my M1 mac mini and started it in safe mode (by holding the + power button for some time until I saw something on the screen) + - Then open disk utility and then mount your data partition + - Quit disk utility and open the terminal `Utilities - Terminal` + - Then navigate to the directory `/Volumes/Macintosh HD/private/etc/pam.d` + - And fix your sudo_local file there 
+ diff --git a/assets/img/imgs/241108-auth-to-watch.avif b/assets/img/imgs/241108-auth-to-watch.avif new file mode 100644 index 0000000..69c84c3 Binary files /dev/null and b/assets/img/imgs/241108-auth-to-watch.avif differ diff --git a/assets/img/imgs/241108-glove-80.avif b/assets/img/imgs/241108-glove-80.avif new file mode 100644 index 0000000..8d1842f Binary files /dev/null and b/assets/img/imgs/241108-glove-80.avif differ diff --git a/assets/img/imgs/241108-magic-keyboard.avif b/assets/img/imgs/241108-magic-keyboard.avif new file mode 100644 index 0000000..d5e7105 Binary files /dev/null and b/assets/img/imgs/241108-magic-keyboard.avif differ diff --git a/assets/img/imgs/241108-syst-sett-watch.avif b/assets/img/imgs/241108-syst-sett-watch.avif new file mode 100644 index 0000000..a9bc602 Binary files /dev/null and b/assets/img/imgs/241108-syst-sett-watch.avif differ diff --git a/assets/img/imgs/241110-thux-sudo-apple-watch.avif b/assets/img/imgs/241110-thux-sudo-apple-watch.avif new file mode 100644 index 0000000..e91d78d Binary files /dev/null and b/assets/img/imgs/241110-thux-sudo-apple-watch.avif differ diff --git a/assets/img/imgs/readme.md b/assets/img/imgs/readme.md new file mode 100644 index 0000000..e69de29
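Review bot: In the new `.prettierrc.yaml`, the second `overrides` entry hard-codes `github/obsidian_main/050-personal/work/doc/goto/monitoring/projects/**/*.md`. Override globs are resolved relative to the directory holding the config file, so in this repository the entry matches nothing, and it publishes the layout of what looks like a personal work-notes tree. Drop that entry from the copy committed here and keep only the `*.md` override. The header comment names `~/github/dotfiles-latest/.prettierrc.yaml` twice although the file is added at this repo's root, and the comments carry typos (`and it` repeated across two lines, `exmaple`, `everthing`, `availi`).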
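Review bot: The index line for `_posts/macos/auth-apple-watch/2024-11-07-auth-apple-watch.md` shows mode `100755`, so the Markdown post is tracked as executable; nothing in it is meant to be run, and `100644` is the expected mode. In the same front-matter hunk, `image.path` moves from an absolute URL to `../../../assets/img/imgs/241110-thux-sudo-apple-watch.avif`, which only resolves while the post stays at its current directory depth, so a site-root path would be less fragile if the theme accepts one.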
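Review bot: In the `@@ -22,43 +22,95 @@` hunk, the bullet `- testing other thing` added under "A link to my guide will be in the video description" reads as a leftover from testing and should be removed before publishing. The note `You do not need a keyboard or mac with touch ID` is styled `{: .prompt-danger }` although it is informational; `.prompt-info` or `.prompt-tip`, both used later in the post, fit better and keep the danger style free for the steps that can break `sudo`. In the Requirements list, "not sure if:" is followed by `Older OS versions`, which does not complete the sentence; "This works on older OS versions" would match the first sub-bullet.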
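Review bot: In the `@@ -73,3 +125,317 @@` hunk, "Installation with script" runs `install.sh` fetched from `HEAD` of a third-party repo through `/bin/bash -c "$(curl -fsSL ...)"`, and the result is a PAM module in the `sudo` auth stack; pin the URL to a commit or tag that was actually tested, and tell readers to read the script before running it. The recovery section ("I messed up, cannot run sudo commands anymore") comes last, after every edit to `/etc/pam.d/sudo_local`; add a line before the first `sudo tee` advising readers to keep a root shell open in a second terminal and to verify with `sudo -k` and `sudo whoami` before closing it. That section also says "safe mode", while the steps it lists (holding the power button, Disk Utility, `Utilities - Terminal`) are those of macOS Recovery, so the wording should be checked. The `cat sudo` sample output carries the prompt `chris.@.chris-MBP` where every other sample shows `linkarzu.@.mini`; replace it if that hostname was not meant to be published. The cleaned-up `sudo_local` lists `pam_tid.so` before `pam_watchid.so`, while the manual-installation sample lists them in the opposite order; pick one order or say that it does not matter. Finally, the non-tmux variant starts with `sudo rm /etc/pam.d/sudo_local`, which errors on a fresh system where the file does not exist yet and is redundant because `tee` overwrites the file anyway.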
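Review bot: `assets/img/imgs/readme.md` is added as an empty file (index `0000000..e69de29`). Either give it a line describing the naming convention of the `2411xx-*.avif` images added alongside it, or leave it out of the commit.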