General security question about exposed credentials to the client

Document ID : KB000101442
Last Modified Date : 13/06/2018
Question:
Are vaulted credentials from CAPAM ever exposed or stored on the client machine when using RDP or ssh, either exposed in the clear, encrypted, in memory or on disk? We are wondering how CAPAM protects against pass-the-hash attacks. We are using versions 2.8.4.1 and 3.1.1.
Answer:
The credentials are stored encrypted in PAM. When PAM needs to inject a password into an ssh or RDP session, the credential is decrypted and passed down an encrypted channel to the target. At that point it becomes a hash when it is submitted for login to the system. The hash is not saved.

If this is a concern, you can protect the credentials further by using a Password View Policy. For example, a policy offers several options for changing the password:
Change Password on View 
Change Password on Auto Connect 
Change Password on Connection End 
Change Password on Session End 

For the first two options you specify an interval after which the password will change; the interval may be as short as 1 minute. The last two require no interval. With any of these options, the password changes shortly after it is viewed or used.

Expanding on the question: it is possible to cache credentials when using A2A. The following is from the Integrate A2A Applications page in the PAM documentation wiki, https://docops.ca.com/ca-privileged-access-manager/3-2/EN/integrating/integrate-a2a-applications:

Typically, when you integrate your application or script with the A2A client, you use the cached version of the credential. However, the supplied credentials only give the requestor access to the data if the A2A client cache is up-to-date. The following algorithm uses the cached credentials for the first login attempt. If the login fails the A2A client cache is overridden, credentials are retrieved directly from the appliance, and a second login is attempted. By using the cached credentials for the first login attempt, you help reduce the load on the appliance and improve performance. However, the tradeoff is potentially incurring a failed login attempt if the cached credential has gone stale. 

If this is a concern, it is not necessary to use caching for A2A.
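As an added illustration, not CA PAM's own code or A2A client API: a small Python simulation of the cache-first login with fallback that the A2A documentation quoted above describes. The appliance, A2A client and target system are constructed stand-ins with hypothetical names, and the password values are made up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class FakeAppliance:
    """Constructed stand-in for the PAM appliance; it always holds the current password."""
    current_password: str
    fetches: int = 0  # direct retrievals served (the load the cache is meant to reduce)
    def retrieve(self) -> str:
        self.fetches += 1
        return self.current_password

@dataclass
class FakeA2AClient:
    """Constructed stand-in for the A2A client: a local cache in front of the appliance."""
    appliance: FakeAppliance
    cached: Optional[str] = None  # goes stale when the password is rotated behind it
    def get_credential(self, bypass_cache: bool = False) -> str:
        if bypass_cache or self.cached is None:
            self.cached = self.appliance.retrieve()  # refresh from the appliance
        return self.cached

@dataclass
class FakeTarget:
    """Constructed stand-in for the system being logged into."""
    password: str
    failed_logins: int = 0  # what an account lockout threshold would count
    def login(self, supplied: str) -> bool:
        if supplied == self.password:
            return True
        self.failed_logins += 1
        return False

def login_with_fallback(client: FakeA2AClient, target: FakeTarget) -> Tuple[bool, List[bool]]:
    """Cached credential first; if that fails, bypass the cache and retry exactly once."""
    outcomes: List[bool] = []
    for bypass in (False, True):
        outcomes.append(target.login(client.get_credential(bypass_cache=bypass)))
        if outcomes[-1]:
            break
    return outcomes[-1], outcomes

def simulate(rotated: bool) -> Tuple[bool, List[bool], int, int]:
    # rotated=True models a password changed (e.g. by a Password View Policy) after caching
    appliance = FakeAppliance(current_password="new-secret")
    target = FakeTarget(password="new-secret")
    client = FakeA2AClient(appliance, cached="old-secret" if rotated else "new-secret")
    ok, outcomes = login_with_fallback(client, target)
    return ok, outcomes, appliance.fetches, target.failed_logins
```

The stale-cache run costs exactly one failed login and one direct appliance fetch, which is the tradeoff the documentation describes; only the second attempt bypasses the cache, so the number of failed logins stays bounded at one per rotation.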