This bug is in the pam package and was introduced by the quilt patch "007_modules_pam_unix". It appears to be intentional but incorrect behavior. The code has this comment:
/* The traditional crypt() truncates passwords to 8 chars. It is
possible to circumvent the above checks by choosing an easy
8-char password and adding some random characters to it...
Example: "password$%^&*123". So check it again, this time
truncated to the maximum length. Idea from npasswd. --marekm */
This no longer seems to apply so I think this chunk of code should be removed.
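The re-check that the quoted comment describes, as an added example that is not part of the original report or of the pam source; `check_password`, `is_weak` and the wordlist are hypothetical names and constructed data. It shows that the comment's example password is rejected only by the truncated pass, which is meaningful only when the hash discards everything after the eighth character.

```c
#include <stdio.h>
#include <string.h>

#define DES_MAX_LEN 8  /* traditional crypt() uses only the first 8 chars */

/* Constructed sample wordlist; a real checker would use a dictionary. */
static const char *const weak_words[] = { "password", "qwertyui", "12345678" };

/* Returns 1 if pw exactly matches an entry in the weak wordlist. */
static int is_weak(const char *pw)
{
    size_t i;
    for (i = 0; i < sizeof(weak_words) / sizeof(weak_words[0]); i++)
        if (strcmp(pw, weak_words[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical check: returns 0 if accepted, 1 if rejected on the full
 * password, 2 if rejected only by the truncated re-check. */
int check_password(const char *pw, int recheck_truncated)
{
    char prefix[DES_MAX_LEN + 1];

    if (is_weak(pw))
        return 1;
    if (recheck_truncated && strlen(pw) > DES_MAX_LEN) {
        /* Re-run the same check on what an 8-char hash would see. */
        memcpy(prefix, pw, DES_MAX_LEN);
        prefix[DES_MAX_LEN] = '\0';
        if (is_weak(prefix))
            return 2;
    }
    return 0;
}

int main(void)
{
    const char *pw = "password$%^&*123";  /* example from the comment */
    printf("with truncated re-check:    %d\n", check_password(pw, 1));
    printf("without truncated re-check: %d\n", check_password(pw, 0));
    return 0;
}
```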