But an (admittedly not exhaustive) search on the web did not produce any PAMs for Cognito.
So I wrote one, using pam-python, boto3, warrant and pyJWT:
It is designed primarily for PostgreSQL and pgbouncer, so it only supports pam_sm_authenticate and pam_sm_acct_mgmt, and all the work is done in pam_sm_authenticate. Because calling Cognito is comparatively slow, I didn't want to call it twice.
The necessary pam.d config is:
#%PAM-1.0
# Information for PostgreSQL process with the 'pam' option.
auth required pam_python.so cognito_PAM.py aws_region user_pool_id client_id
account required pam_python.so cognito_PAM.py
If you use PAM authentication, passwords are sent in cleartext, so transport layer encryption, e.g. SSL/TLS, between client and server becomes mandatory!
I think it does the correct dance of authentication with Cognito and supports USER_SRP_AUTH, but if you see any problem, please raise a paw.