We use pam on our redhat boxes but I don't know of any "temporarily let me in" module. If there is one, I would love to try that out.
I know that the /etc/shadow file allows you to set a "warning" time in # of days in the sixth field; we use 7 days. So as Joe-user logs in, he will get the reminder 7 days out that his password will expire and allow him to change it.
Format of the /etc/shadow is:
If Joe-user chooses to continue to ignore this message every time he logs in, then after 7 days, he gets to go visit the sysadmin to change his password.