As it turns out, after the first 8 characters, I could have put in anything at all, and the login would work. I was shocked that such a strange security issue would come up on a mostly stock-configured Ubuntu 8.04 server. In fact, it was better than stock configured, as I already had to do a bunch of configurations to secure it.

As it turns out, the problem lied with the way PAM was authenticating (or something). I went and checked that my configurations were right (you should have “md5″ in a “password” line where commented to do so in /etc/pam.d/common-password). Then, after doing some more poking around online, I found an Ubuntu forum post that mentioned that in /etc/shadow, if any given password has $1$ at the beginning, it’s using MD5. Upon looking at my shadow file, it turned out that one of my users (the one with the issue) was somehow not using MD5. I don’t quite know how that happened, but I’m going to guess that I configured PAM for MD5 after last setting his password. At least that’s my best guess.

To fix the issue, I just used passwd to change the password for the given user, and it properly took on its MD5 encryption. I hope this proves useful to someone in the future!