Does such a thing exist? There are dozens, but none seems very good.
By good I mean:
Has been maintained more recently than 4 years ago.
Works via PAM (and just plain works)
Is not awful to install
Doesn't make you do weird stuff like running a SUID httpd (yes, I actually saw that once)
runs as a non-privileged user.
Usually this would be a SUID root cgi-bin, which is somewhat scary, and it would seem to me unnecessary.
Since the user will provide the current password, it should be possible for a non-privileged process to first switch to the desired user and then change the password, right?
Maybe someone can tell me. Or do I have to write it? I mean, it's going to be a python CGI if I do, and noone's gonna like it ;-)