Originally Posted by Mr. Alex
“agetty” is the login manager, at least in Arch until systemd. I have “agetty” if I look in inittab on my system, which still functions without systemd. “agetty” can use glibc functions to make hash of the password you entered and then compare. But this is just a conjecture.
No - agetty just initializes the terminal with the appropriate baud rate, bit rate, modem control... then it execs login (I believe it is a "login -p"), it is also possible that the username is read by agetty, and then execs "login <username>" to handle the password.
But it is login that reads the password, invokes a PAM module to hash it, then it proceeds to validate the user (home directory handling, proper shell - which may actually be tested first, security flags...), and then after validation, login execs the users shell.
If the user is not validated, then login exits... and the init process restarts the agetty to reset and reinitialize the terminal (this is partly to prevent any carry over data from a login, but mostly just to ensure the terminal is working properly).