Password Encryption stored in PAM

Document ID : KB000123064
Last Modified Date : 20/12/2018
Question:
How does PAM store the user passwords for PAM local login and for target accounts?
 
Environment:
CA Privileged Access Manager 3.x
Answer:
Local PAM login users' passwords are not stored in PAM. Only a SHA-512 hash of each password is stored in the DB.
When a user logs in to PAM with a PAM local account, the supplied password is hashed and compared to the stored value.
The process cannot be reversed to obtain the clear-text password of a login user.

Passwords for accounts used to connect to end-points must be known to PAM in clear text, because PAM has to supply them when opening a session with automated login.
These account passwords are stored encrypted with AES-256 under a key unique to the cluster. Each cluster uses a different key encryption key.
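The two storage models described in this answer, as an added illustration (this is example code, not CA PAM's own implementation). It assumes a per-user salt for the SHA-512 digest (the KB states only "SHA-512 hash"), AES-256 in GCM mode for the end-point credentials (the KB states only "AES-256"), and a single 32-byte cluster key used directly rather than the key-encryption-key hierarchy the KB alludes to. The point it shows is the difference in capability: a local login record can only be verified, while a target account record can be decrypted again, and only by the cluster that holds the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
)

// LocalUserRecord is all that is kept for a PAM local login user:
// a salt and a SHA-512 digest, never the password itself.
// (The per-user salt is an assumption; the KB says only "SHA-512 hash".)
type LocalUserRecord struct {
	Salt   []byte
	Digest []byte
}

func sha512Password(salt []byte, password string) []byte {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewLocalUserRecord hashes the password at enrolment time.
func NewLocalUserRecord(password string) (LocalUserRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return LocalUserRecord{}, err
	}
	return LocalUserRecord{Salt: salt, Digest: sha512Password(salt, password)}, nil
}

// Verify re-hashes the supplied password and compares digests in constant time.
// There is no inverse: the record cannot yield the clear-text password.
func (r LocalUserRecord) Verify(password string) bool {
	return subtle.ConstantTimeCompare(r.Digest, sha512Password(r.Salt, password)) == 1
}

// TargetAccountRecord is what is kept for an end-point credential: AES-256
// ciphertext that PAM decrypts when it must log in to the target itself.
type TargetAccountRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// EncryptTargetPassword seals the password under the cluster key.
// AES-GCM with a random nonce is assumed; the KB specifies only "AES-256".
func EncryptTargetPassword(clusterKey []byte, password string) (TargetAccountRecord, error) {
	if len(clusterKey) != 32 {
		return TargetAccountRecord{}, errors.New("cluster key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(clusterKey)
	if err != nil {
		return TargetAccountRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return TargetAccountRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return TargetAccountRecord{}, err
	}
	return TargetAccountRecord{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, []byte(password), nil)}, nil
}

// DecryptTargetPassword recovers the clear text. Under any other cluster's key
// the GCM authentication tag fails and an error is returned instead.
func DecryptTargetPassword(clusterKey []byte, rec TargetAccountRecord) (string, error) {
	block, err := aes.NewCipher(clusterKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample values; a real cluster key lives in the appliance key store.
	user, _ := NewLocalUserRecord("local-user-pass")
	fmt.Println("local login, correct:", user.Verify("local-user-pass"), "wrong:", user.Verify("guess"))

	clusterA, clusterB := make([]byte, 32), make([]byte, 32)
	rand.Read(clusterA)
	rand.Read(clusterB)
	rec, _ := EncryptTargetPassword(clusterA, "endpoint-root-pass")
	pt, err := DecryptTargetPassword(clusterA, rec)
	fmt.Println("same cluster key:", pt, err)
	_, err = DecryptTargetPassword(clusterB, rec)
	fmt.Println("other cluster key:", err)
}
```

Note that the local-login side deliberately mirrors the KB (salted SHA-512 and a comparison) rather than substituting a slow password-hashing function; the contrast being shown is one-way verification versus recoverable encryption, and the cluster-key check is what makes an exported DB useless to a different cluster.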