When i'm logged in as user, screensaver pops up and locks the screen. When trying to unlock you can type in the username and the password. I just typed in the password off my root account under another username and i can login. this seems to me that it just doesn't really check the username & password, but just whether the pwd is in the /etc/passwd file, belonging to root or the user.
Jochen: I've confirmed this behaviour is by design, if you look at the pam_passwd_valid_p() subroutine in passwd-pam.c, xscreensaver attempts to authenticate the current user using pam_authenticate(), if that fails, the username is set to "root" and authentication is attempted again..around line ~277 /* If that didn't work, set the user to root, and try to authenticate again.*/ Marking RESOLVED.