How does PAM store user passwords for PAM local login users and target accounts?
CA Privileged Access Manager 3.x
Local PAM login users' passwords are not stored in PAM. A SHA-512 hash is stored in the DB.
When a user logs in to PAM using a PAM local account, the password given is hashed and compared to the stored value.
You cannot reverse the process and get the clear-text password for login users.
Passwords for accounts used to connect to end-points must be known to PAM in clear text when opening a session with automated login.
The account passwords are stored encrypted using AES-256 with a key unique to the cluster. A different cluster will use a different key encryption key.