Disclaimer: You're doing it on your own responsibility, messing with passwords is always dangerous thing to do. For better security you should consider using LDAP or something like that to separate those accounts from system ones. Anything below is about implementing requested feature using pure Unix authentication and doesn't apply to LDAP.

You will need:

• a PHP-enabled HTTP server
• a PHP daemon running as root (or any user privileged to change passwords)

Set up a simple web-based panel that will let users enter their login, current password and requested new password twice (something like login form and password change form combined). When user submits the form, pass it to the daemon through stream sockets. Daemon should check if that user is privileged to change password through web interface, then verify if the current password is valid for specified username and if yes, change the password.

You can implement it in many ways. If you're using default Unix authentication, PHP PAM package will come in handy. You can find many tutorials on checking and changing passwords with PHP through ssh connections or with expect, but it's a very bad idea - escaping arguments properly will be hard and you may miss some serious security loophole; the PAM module is much safer. Just be sure to use it in a daemon, NOT your webserver PHP application, because running externally-accessible PHP as root is very dangerous.

Of course you can implement it in any other way, for example in Python or with bash-based server (using netcat). I'm using PHP as an example because I once had to implement exactly identical feature in PHP.