I'm running Gentoo stable, having KDE 3.2 installed now. In KDE, configure a screensaver (I'm using the OpenGL ones, but not sure if that is essential) with password protection. Lock the screen and let the screensaver kick in. Then press <CTRL> + <ALT> + <BACKSPACE>, which kills the X server. What happens next is that the server restarts, and the previous KDE session(!!!) comes up again instead of kdm! This way, it is possible for any user to log into a locked KDE account.
Are you sure that you didn't explicitly configure kdm to have this behaviour? Kdm has an option to automatically log in the previous user in case the X-server crashes. As is quite obvious, this feature is unsafe.
Will check... I know about this feature but usually do not select it. Stay tuned...
Tried to verify this yesterday, but it didn't happen anymore! When discovering this problem, I have verified multiple times that it does indeed happen... I did an 'emerge sync' in between, but that's about it. Also, kdm is _not_ configured to do any auto logins. No idea what is going on here...
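Added example, not part of the original thread: a small audit of a kdmrc file for the settings discussed above, so the "is kdm configured to log the user back in" question can be answered from the file itself. It assumes the relevant kdmrc keys are `AutoReLogin` and `AutoLoginEnable` in the per-display `[X-*-Core]` sections (the thread does not name them); the sample file content is constructed.

```python
import re
import sys

# Constructed sample kdmrc, not taken from the reporter's system.
SAMPLE_KDMRC = """\
[General]
ConfigVersion=2.3

[X-*-Core]
AllowShutdown=Root
# AutoReLogin=true
AutoReLogin=false

[X-:0-Core]
AutoLoginEnable=false
AutoReLogin=true
"""

# Keys that start a session without a password prompt.
RISKY_KEYS = ("AutoReLogin", "AutoLoginEnable")


def audit_kdmrc(text):
    """Return (section, key) pairs where a risky option is set to true."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            continue
        # The keys live in per-display sections: [X-*-Core], [X-:0-Core], ...
        in_core = section.startswith("X-") and section.endswith("-Core")
        if in_core and key.strip() in RISKY_KEYS and value.strip().lower() == "true":
            findings.append((section, key.strip()))
    return findings


if __name__ == "__main__":
    # Pass the path to kdmrc as the first argument; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KDMRC
    for section, key in audit_kdmrc(text):
        print(f"[{section}] {key}=true: session starts without a password prompt")
```

A display-specific section such as `[X-:0-Core]` can enable the option even when the wildcard section disables it, which is why every matching section is reported.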