OK, here is the answer from my KDE oracle .-)
########################
On Wed, 15 Dec 1999, Denis Havlik wrote:
>:>>Daj vidi o cemu se radi I moze li se kde-screensaver podesiti tako da
>:>>dopusta "otkljucavanje" sa root passwordom.
>:>
>:>Ne moze koliko ja znam. Ne sjecam se koji su bili razlozi za to,
>:>sigurnosni, eticki ili tehnicki.
>
>Daj malo pronjuskaj - normalni lock to moze. Cekaj malo.. Moze li se klock
>zamjeniti normalnim xlockom nekako?
Ne, ali mozes izabrati screensaver None i staviti posebni gumb za lock (koji
zove xlock)
--
Sven Radej [EMAIL PROTECTED]
KDE developer Visit http://www.kde.org
############################################
<TRANSLATION>
For Croatian-impaired: kdelock cannot be unlocked with root passwd.
I do not remember if the reason has something to do with security,
etics or technical difficulties. However, you can choose "None" for a
screensaver under KDE, and add a button (or entry in the menue) for a
"normal" xlock.
</TRANSLATION>
I suppose, one can also start the xlock by putting it in the "Autostart",
or so. However, I cannot believe this story. It would surprise me very
much if kdelock would not use pam authentication for a login.
If it uses pam-authentication, then it is a question of setting right
entries in the /etc/pam.d/*.
I just took a look in my /etc/pam.d/xscreensaver:
auth required /lib/security/pam_pwdb.so shadow nullok
Unfortunately, I cannot find anything about a pam-module which allows
login to any account with root password. There is a "rootok", which allows
root to get user-privileges withouth a password though. I must admit that
I do not understand how my "su" can work without it. Here is my
/etc/pam.d/su:
[root@fudo pam.d]# cat su
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok nullok
session required /lib/security/pam_pwdb.so
Now, If i understood the pam-manual right, i should not be allowed to do
[root@fudo pam.d]# su denis
[denis@fudo pam.d]$
withouth password, because there is no: "auth sufficient pam_rootok.so"
line in the file. As you can see, I am. ?:-o
Besides, the "nullok" token allows the use of 0-length passwords, which
does not seam like a good idea to me.
I must admitt I find pam-authentication modules a bit confusing, and
having "bare" files in pam-dir does not help either. :-(
Hint to developers
<HINT>
It would be great if every file in the /etc/pam.d directory would be
well-commented, so that one knows what was the intention of setting it up
this way. As it is, pam-modules are highly intransparent to most of the
users (they are to me - and I am far from beeing a novice.) Please make
everyones life easier and put some nice comments in these files.
</HINT>
cu
Denis
-----------------------------------------------------------
Denis Havlik ||| http://www.ap.univie.ac.at/users/havlik
(@ @) [EMAIL PROTECTED]
---------oOO--(_)--OOo-------------------------------------
