I'm not sure why this is considered a mystery.
The default login handler is located at MYAPP.controllers.root:RootController.login
The default login form is located at MYAPP/templates/login.html
The default login form handler (once authentication is completed by repoze.who) is located at MYAPP.controllers.root:RootController.post_login
The means of controlling authentication and authorization are determined by repoze.who and repoze.what, respectively. The documentation for those two packages covers the needed steps on how to customize them. While that documentation can be difficult to understand (I've tried, and it's not easy for me), it is there, and does cover how to customize them.
If there's something I've missed, please follow up on this, and I'll try to answer then.
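Since the reply points at RootController.post_login as the place to customize what happens after repoze.who has finished, here is an added illustration (not TurboGears' or repoze's code, and not the original poster's) of the logic that handler typically carries, written framework-free so it runs on its own. The `post_login` and `safe_came_from` names, the dict-shaped `identity`, the WSGI-style `environ` dict and the `(location, params)` return value are assumptions for illustration; the `repoze.who.userid` identity key, the `repoze.who.logins` environ counter and the `__logins` query parameter follow the TG2 quickstart template. The security-relevant addition over the quickstart flow is validating `came_from` before redirecting to it, so a successful login can only send the browser to a path on this application.

```python
from urllib.parse import urlsplit

# Added example: a framework-free sketch of a customised post_login handler.
# In a real TurboGears 2 controller, `identity` would be tg.request.identity,
# `environ` would be tg.request.environ, and the returned (location, params)
# pair would instead be passed to tg.redirect().


def safe_came_from(came_from, default="/"):
    """Accept only a relative path on this application; otherwise fall back.

    Rejects absolute URLs (any scheme), scheme-relative '//host' forms and
    backslash variants, so the post-login redirect cannot be turned into
    an open redirect by a crafted came_from parameter.
    """
    if not came_from:
        return default
    parts = urlsplit(came_from)
    if parts.scheme or parts.netloc:
        return default
    if not came_from.startswith("/") or came_from.startswith("//"):
        return default
    if "\\" in came_from:
        return default
    return came_from


def post_login(identity, came_from="/", environ=None):
    """Mirror the quickstart flow after repoze.who has processed the form.

    repoze.who runs before this handler; if it set no identity the submitted
    credentials were rejected, so bounce back to the login form carrying the
    attempt counter. Otherwise greet the user and continue to a validated
    came_from. Returns (redirect_location, params) rather than redirecting.
    """
    environ = environ or {}
    if not identity:
        login_counter = environ.get("repoze.who.logins", 0) + 1
        return "/login", {"came_from": came_from, "__logins": login_counter}
    userid = identity["repoze.who.userid"]
    return safe_came_from(came_from), {"welcome": userid}


if __name__ == "__main__":
    # Constructed sample inputs: one failed login and one successful login
    # whose came_from points off-site.
    print(post_login({}, "/admin", {"repoze.who.logins": 1}))
    print(post_login({"repoze.who.userid": "alice"}, "https://elsewhere.example/"))
```

The quickstart template redirects to whatever `came_from` the login form carried; `safe_came_from` is the one check worth adding when you copy that handler into your own RootController, since the parameter is attacker-supplied in the login URL.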