Password Encryption stored in PAM

Document ID : KB000123064
Last Modified Date : 20/12/2018
How does PAM store user passwords for PAM local login and target accounts?
CA Privileged Access Manager 3.x
Local PAM login users' passwords are not stored in PAM. A SHA-512 hash is stored in the DB.
When a user logs in to PAM using a PAM local account, the password given is hashed and compared to the stored value.
You cannot reverse the process and get the clear-text password for login users.

Passwords for accounts used to connect to end-points must be known to PAM in clear text when opening a session with automated login.
The account passwords are stored encrypted using AES-256 with a key unique to the cluster. A different cluster will use a different key encryption key.
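
The reversible path for target account passwords, as an added example that is not CA PAM's own code: a stored record opens only under the key of the cluster that sealed it. The GCM mode, the nonce-prefixed record layout, the function names and the demo keys are assumptions; the article states only AES-256 and a cluster-unique key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256 AEAD from a cluster key (GCM mode is an assumption).
func newGCM(clusterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(clusterKey)
	if err != nil || len(clusterKey) != 32 {
		return nil, fmt.Errorf("cluster key must be 32 bytes (AES-256)")
	}
	return cipher.NewGCM(block)
}

// seal encrypts a target account password; the random nonce is stored as a prefix.
func seal(clusterKey, password []byte) ([]byte, error) {
	gcm, err := newGCM(clusterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, password, nil), nil
}

// open recovers the clear text; it fails when the key is not the sealing cluster's key.
func open(clusterKey, stored []byte) ([]byte, error) {
	gcm, err := newGCM(clusterKey)
	if err != nil || len(stored) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad cluster key or truncated record")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, stored[:n], stored[n:], nil)
}

func main() {
	clusterA, clusterB := make([]byte, 32), make([]byte, 32) // constructed demo keys
	clusterB[0] = 1
	rec, _ := seal(clusterA, []byte("target-account-pw")) // constructed password
	pt, _ := open(clusterA, rec)
	_, err := open(clusterB, rec)
	fmt.Println(string(pt), err)
}
```

Unlike the SHA-512 hash kept for local login users, this record yields the clear-text password to anyone holding the cluster key, so that key needs the same protection as the passwords themselves.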