If anyone else has any ideas, I'm open: to recap, a null password works for root on this machine, whether from the console, a ssh session, or an X session. The same when attempting to su...either the root password or a null password works.
This is not the case with a normal user password. I've run chkrootkit-0.43, and it comes up clean.
Ideas?
To reiterate my working theory, I think your root user actually has a null password, either in the system files or in a remote authentication store (like LDAP).
The complete 'auth' contents of your system-auth, plus the root entry from /etc/shadow (obfuscate is desired) would help our debugging efforts.