6

I am wondering how the login actually works. It certainly is not part of the kernel, because I can set the login to use LDAP for example, or keep using /etc/passwd; but the kernel certainly is able to use information from it to perform authentication and authorization activities.

There is also a systemd daemon called logind, which seems to start up the whole login mechanism.

Is there any design document I can look at, or can someone describe it here?

Sambatyon

2 Answers

8

The login binary is pretty straightforward (in principle). It's just a program that runs as the root user (started, indirectly through getty or an X display manager, from init, the first user-space process). It performs authentication of the logging-in user, and if that is successful, changes user (using one of the setuid() family of system calls), sets appropriate environment variables, umask, etc., and exec()s a login shell.

It may be instructive to read the source code, but if you do so, you'll find it easiest (assuming the standard shadow-utils login that Debian installs) to read it assuming USE_PAM is not set, at least until you are comfortable with its operation, or you'll find too much distraction.

Toby Speight
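The post-authentication sequence described in the answer above (change user, set environment and umask, exec a login shell), as an added example that is not part of the original answer and is not taken from shadow-utils. The function names, the PATH value and the buffer sizes are assumptions for illustration; authentication is assumed to have already succeeded.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Login shells are conventionally exec'd with argv[0] = "-" + basename. */
int login_argv0(const char *shell, char *out, size_t len) {
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    if (*base == '\0') return -1;             /* no program name: refuse */
    int n = snprintf(out, len, "-%s", base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Drop root for good: groups and gid first, setuid() last, all checked. */
int drop_privileges(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Confirm root cannot be regained before any user-controlled code runs. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return (getuid() == pw->pw_uid && getgid() == pw->pw_gid) ? 0 : -1;
}

/* Become the user and exec the login shell; returns only on failure. */
int start_session(const struct passwd *pw) {
    char argv0[64], home[512], user[128], shell[512];
    if (login_argv0(pw->pw_shell, argv0, sizeof argv0) != 0) return -1;
    snprintf(home, sizeof home, "HOME=%s", pw->pw_dir);
    snprintf(user, sizeof user, "USER=%s", pw->pw_name);
    snprintf(shell, sizeof shell, "SHELL=%s", pw->pw_shell);
    char *envp[] = { home, user, shell, "PATH=/usr/bin:/bin", NULL }; /* fresh env */
    if (drop_privileges(pw) != 0) return -1;
    umask(022);
    if (chdir(pw->pw_dir) != 0 && chdir("/") != 0) return -1;
    execle(pw->pw_shell, argv0, (char *)NULL, envp);
    return -1;
}

int main(int argc, char **argv) {
    struct passwd *pw = argc == 2 ? getpwnam(argv[1]) : NULL;
    if (!pw) { fprintf(stderr, "usage: %s USER (as root)\n", argv[0]); return 2; }
    if (start_session(pw) != 0) perror("start_session");
    return 1;
}
```

The order inside drop_privileges() is the part worth studying: once setuid() has succeeded the process can no longer change its groups, so reversing the calls would leave the shell running with root's group memberships.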
5

This site seems like a really good place to start. It has a discussion of /etc/passwd as well as PAM. I think you are really looking for a description of PAM. If you are looking to implement something for a specific use, you can edit your question to give us an idea of what you are trying to accomplish.

user1794469