When you use pam_pwdb with nullok (the default RH 6.1 setting), and the account you are trying to log on has no password (passwd -d xyz => ^xyz:: in /etc/shadow), pam_pwdb will let you log in with any password, not only with the empty one. I use pam-0.68-8 with shadow passwords and md5, which is the default RH 6.1 setting. I think that this might turn into a security problem in applications which blindly trust PAM. It already fools OpenSSH's parameter "PermitEmptyPasswords no", for example. It doesn't allow you to log in with empty password, but pam_pwdb offers you zillions of other passwords...
Fixed in the errata.