PAM Module Installation
Apple Silicon Instructions
Disable CSR
Reboot your Mac into recovery mode. On Apple silicon Macs, hold the power button while the device is booting until the recovery mode screen appears. In recovery mode, open a terminal (Utilities > Terminal).
csrutil disable
reboot
NOTE: You may also need to decrypt your root partition. Not sure if it is necessary.
Copy Your PAM Module into /usr/lib/pam
After you reboot into macOS, you need to mount the root partition at a writable location. By default, the rootfs is mounted read-only. After you mount it as writable, you need to bless it to make changes persist through reboots.
Check to see which partition is your rootfs:
neil@mbp ~ $ mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s2 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk3s4 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
/dev/disk2s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk2s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
/dev/disk2s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
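My rootfs is called /dev/disk3s1 (see the top line of the output above: / is mounted from the sealed snapshot /dev/disk3s1s1, and dropping the trailing s1 gives the volume).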
Then mount your root partition and copy the PAM module into /usr/lib/pam on it:
neil@mbp ~ $ mkdir ~/mount
neil@mbp ~ $ sudo mount -o nobrowse -t apfs /dev/disk3s1 ~/mount
neil@mbp ~ $ sudo cp mypam.so ~/mount/usr/lib/pam
Edit the PAM Config file
Add the following lines to ~/mount/etc/pam.d/sudo and comment out all other lines in that file:
auth sufficient mypam.so
account sufficient mypam.so
Then bless and unmount the filesystem. You have to bless the filesystem to make your changes persist through reboots.
neil@mbp ~ $ sudo bless --mount "$HOME/mount/System/Library/CoreServices/" --setBoot --create-snapshot
neil@mbp ~ $ sudo umount ~/mount
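A sanity check to run before the bless and unmount step, added here as an example and not part of the original instructions. Once every other line in the sudo file is commented out, sudo depends on mypam.so loading, so the script confirms that each module named on an active line exists in the mounted root; it also derives the root volume from mount output. The function names root_volume and check_pam_modules are illustrative, and the check assumes the plain "type control module" line format used above.

```shell
#!/bin/sh
# Added example: checks for the procedure above. Function names are illustrative.

# Print the volume backing "/" from `mount` output on stdin. When "/" is a
# sealed snapshot (diskXsYsZ), strip the trailing sZ to get the volume.
root_volume() {
    awk '$2 == "on" && $3 == "/" { print $1; exit }' |
        sed -E 's#^(/dev/disk[0-9]+s[0-9]+)s[0-9]+$#\1#'
}

# Check that every module named on an active (non-comment) line of a PAM
# service file exists under <root>/usr/lib/pam. Returns non-zero if any
# module is missing.
# usage: check_pam_modules <mounted-root> <service-file>
check_pam_modules() {
    root=$1 conf=$2 missing=0
    # Field 3 is the module on "type control module [args]" lines.
    for mod in $(awk 'NF >= 3 && $1 !~ /^#/ { print $3 }' "$conf" | sort -u); do
        case $mod in
            /*) path=$root$mod ;;               # absolute module path
            *)  path=$root/usr/lib/pam/$mod ;;  # default module directory
        esac
        # Stock modules carry a version suffix (pam_tid.so.2); accept that too.
        if [ ! -e "$path" ] && ! ls "$path".[0-9]* >/dev/null 2>&1; then
            echo "missing module: $mod (looked for $path)" >&2
            missing=1
        fi
    done
    return $missing
}

# Demo on the first line of the mount output shown above.
printf '%s\n' '/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)' |
    root_volume

# On the Mac, with the root volume mounted at ~/mount:
#   mount | root_volume
#   check_pam_modules "$HOME/mount" "$HOME/mount/etc/pam.d/sudo"
```

If check_pam_modules reports a missing module, fix the copy or the file name before blessing the volume.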