password policy for ssh key hosts

I have a host with a handful of users. When they authenticate, they have to use either ssh public key or openid - there is no on-machine password. But some of the services that are running pretty much need a password: for example, IMAP, SMTP AUTH, web portal.

I'd like to give these users the ability to acquire a password.

Two ways are immediately apparent:

• Implement a mechanism which presents the user with a new machine-generated password, for example to their registered email address.
• Allow the user to run passwd in a shell, but not require them to enter their existing password first (instead, rely on the fact that they are logged in to be sufficient authentication).

Dear Reader, can you think of other ways? Do you have any opinions on the wiseness/unwiseness of these approaches?