PAM Master Password

The PAM master password is a critical secret for a PAM deployment. This secret must be protected and retained in a secure location. If the master password is lost, encrypted data in the PAM database will be unrecoverable.

PAM Master Password Encryption

During an interactive PAM installation, a strong random master password is generated by the installer and displayed to the user after installation is complete. The user is responsible for retaining and securing the master password.

For Ansible-driven automated installation, the generated master password is encrypted and stored in the file output.crypt in the PAM installation folder. The Ansible extra variable pam_crypt_password is used as the encryption key. This file should be copied from the PAM server to a secure location in case it is needed later.

PAM Master Password Replication

For a multi-master PAM farm, each PAM master node must use the same master password value. Here is how it works:

The replication is done by reading encrypted content of output.crypt from the first master node, decrypting it with the pam_crypt_password, then passing the decrypted password to the PAM installer as an input.
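The generate / encrypt-to-output.crypt / decrypt-for-the-next-node flow above, as an added illustration that is not the PAM installer's own code. The page does not describe the real output.crypt format, so the format here (scrypt key derivation from pam_crypt_password, an HMAC-SHA256 keystream and an HMAC tag) is an assumption chosen so the example runs on the Python standard library alone; the important behaviour it shows is that a wrong pam_crypt_password fails loudly instead of handing the installer a garbage master password.

```python
import hashlib
import hmac
import os
import secrets


def generate_master_password(nbytes: int = 32) -> str:
    """Strong random master password, as the interactive installer would produce."""
    return secrets.token_urlsafe(nbytes)


def _keys(pam_crypt_password: str, salt: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from the Ansible extra variable.
    km = hashlib.scrypt(pam_crypt_password.encode(), salt=salt, n=2**13, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based keystream (illustrative only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_master_password(master_password: str, pam_crypt_password: str) -> bytes:
    """Bytes the automated install would write to output.crypt (assumed layout: salt|nonce|ct|tag)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(pam_crypt_password, salt)
    pt = master_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_master_password(blob: bytes, pam_crypt_password: str) -> str:
    """Replication step: recover the first node's master password, or refuse to continue."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(pam_crypt_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Never pass an unverified value to the installer: a second master node
        # with a different master password would silently split the farm.
        raise ValueError("wrong pam_crypt_password or corrupted output.crypt")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

In a real farm the decrypted value is what every additional master node must receive as installer input; the same pam_crypt_password must therefore be available wherever the replication runs.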

User-Defined PAM Master Password

If desired, a user-defined master password can be used with PAM. Do this by setting the Ansible variable pam_master_password in the encrypted Ansible vault file.

This is only for testing and advanced use cases. If the master password is set this way, it must be set to the same value for every master node in the PAM farm.

Master Password Generation Tools

The Python script scripts/pam-vault.py can be used to generate a strong PAM master password and store it in an encrypted Ansible vault file. See Ansible Vault for details.