We have a C program that validates users using a PAM module, and this works fine using the script-realm plugin.
However, if the user enters a password containing two consecutive dollar signs (e.g. $$password), they get condensed into a single one in the value that is passed as an environment variable to our script, i.e. our script sees P=$password.
The behaviour is:
a$b --> a$b
a$$b --> a$b
a$$$b --> a$$b
a$$$$b --> a$$b
The workaround is of course to type each dollar sign twice in the password field, but this wasn't obvious to the affected user (me) until after a lot of investigation.
I see this behaviour on Ubuntu server 10 + Tomcat 6 + OpenJDK 1.6.0_18.
A simple Java program that launches the C program using ProcessBuilder doesn't exhibit this behaviour.
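
The four cases above fit a left-to-right pass that treats "$$" as an escape for a literal "$". The following is an added example, not part of the original report and not the plugin's code: it models that pass, checks it against the reported table, and shows that the doubling workaround round-trips while distinct typed passwords can reach the script as the same value. The function names and the escape-pass model are assumptions inferred from the report.

```python
# Assumption: the mangling is a left-to-right pass where "$$" means a
# literal "$". Inferred from the four reported cases, not from plugin source.

def collapse_dollars(value: str) -> str:
    """Return the value the script would see for a typed password."""
    out = []
    i = 0
    while i < len(value):
        if value.startswith("$$", i):
            out.append("$")   # a pair collapses to one dollar sign
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def escape_dollars(value: str) -> str:
    """The report's workaround: type each dollar sign twice."""
    return value.replace("$", "$$")


# The four typed -> seen cases listed in the report.
OBSERVED = {"a$b": "a$b", "a$$b": "a$b", "a$$$b": "a$$b", "a$$$$b": "a$$b"}


def mismatches(model=collapse_dollars):
    """Reported cases the model fails to reproduce (empty if it fits)."""
    return {t: model(t) for t, seen in OBSERVED.items() if model(t) != seen}


def colliding_inputs(candidates, transform=collapse_dollars):
    """Group distinct typed passwords that arrive as the same value."""
    groups = {}
    for typed in candidates:
        groups.setdefault(transform(typed), []).append(typed)
    return {seen: typed for seen, typed in groups.items() if len(typed) > 1}


if __name__ == "__main__":
    print("model mismatches:", mismatches())
    print("round trip:", collapse_dollars(escape_dollars("$$password")))
    print("collisions:", colliding_inputs(OBSERVED))
```

A regression test for a fix can reuse `colliding_inputs` with the real launch path as `transform`; an empty result for passwords containing dollar signs means the value is passed through unchanged.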