pam.allow.password.change
This configuration parameter specifies whether users who log on with an expired password should be allowed to change their password. You can set this parameter to true or false and use it in conjunction with the pam.allow.password.expired.access parameter to control access for users who attempt to log on with an expired password.
If both this parameter and pam.allow.password.expired.access are set to true, users logging on with an expired password are allowed to log on and are prompted to change their password.
If the pam.allow.password.expired.access parameter is set to true but this parameter is set to false, users logging on with an expired password are allowed to log on but are not prompted to change their password, and the message defined for the pam.allow.password.change.mesg parameter is displayed.
If both this parameter and pam.allow.password.expired.access are set to false, users who attempt to log on with an expired password are not allowed to log on or change their password, and the message defined for the pam.allow.password.change.mesg parameter is displayed.
For example, to allow users with expired passwords to change their password:
pam.allow.password.change: true
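
The following is an added example, not part of the original documentation or the product's own code: a Python check that reads the two parameters from configuration text in the name: value form shown above and reports which of the three documented outcomes applies. The function names, the handling of # comments and repeated lines, and the sample text are assumptions; an unset parameter, a value other than true or false, or a combination this page does not describe is reported as undetermined rather than guessed.

```python
import re

ACCESS = "pam.allow.password.expired.access"
CHANGE = "pam.allow.password.change"

# Outcomes exactly as the page describes them, keyed by (access, change).
DOCUMENTED = {
    (True, True): "logon allowed; user is prompted to change the password",
    (True, False): "logon allowed; no change prompt; "
                   "pam.allow.password.change.mesg is displayed",
    (False, False): "logon denied; no password change; "
                    "pam.allow.password.change.mesg is displayed",
}

LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")

def parse_params(text):
    """Return {name: value} for 'name: value' lines; last occurrence wins (assumption)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # assumption: '#' starts a comment
        m = LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def to_bool(value):
    """Accept only the literal values 'true' and 'false'; anything else is None."""
    return {"true": True, "false": False}.get((value or "").strip())

def expired_password_policy(text):
    """Describe what happens when a user logs on with an expired password."""
    params = parse_params(text)
    access, change = to_bool(params.get(ACCESS)), to_bool(params.get(CHANGE))
    for name, val in ((ACCESS, access), (CHANGE, change)):
        if val is None:
            # Defaults are not stated on this page, so none are assumed here.
            return f"undetermined: {name} is unset or not true/false"
    return DOCUMENTED.get((access, change),
                          "undetermined: combination not described on this page")

# Constructed sample configuration text.
SAMPLE = """\
pam.allow.password.expired.access: true
pam.allow.password.change: false   # show the message instead of prompting
"""
```

Calling expired_password_policy(SAMPLE) returns the second documented outcome: logon is allowed, no change prompt is shown, and the pam.allow.password.change.mesg text is displayed.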