Sidebar: Tradeoffs
I have tried several other variations of this setup, including the one I would prefer, that of /bin/passwd doing all the prompting and the /etc/passwdd program being utterly unprivileged.

In my opinion, that would be the right way. Alas, it would require the /etc/passwdd program to set itself to the proper uid and gid of the user, something which should be universally possible, but isn't. So, I traded simplicity for greater portability.

There is also a definite tradeoff in having /bin/passwd run as root with the username passed to it as a parameter. On some vendors' systems, this enables a "special deal" intended for the root user: the checks against using a bad password are turned off. Needless to say, this is bad. However, one of the common UNIX conventions is never to do more than you have to. (See The UNIX Programming Environment by B. W. Kernighan and R. Pike, Prentice-Hall, Inc., 1984 for this and other bits of UNIX folklore.) As /etc/passwdd executes whatever is found at /bin/passwd, you can install a better /bin/passwd to enforce whatever policy you prefer, without any effect on the rest of the programs.

The last requirement is that your system will allow rlogin to unpassworded accounts, something that has been disabled in a few versions of UNIX. I haven't made any tradeoffs here: I simply don't use those machines as password servers; they're fine as clients.