[eluser]nmweb[/eluser]
As a general rule I have that if I need model stuff in a library, something is wrong with the library and it probably shouldn't be a library at all but a controller in the shape of Modular Extensions controller. This is only a general rule, just means I have to justify it to myself when I break it
The issue you talk about is difficult. Basically comes down to: What place do libraries have in an MVC framework. Imo they should DRY up your code, be quite generic and should serve your controllers. Having them mingle with your application logic is undesirable, if so it's not a library but a module. It can be more elegant to have authentication with models etc. but it then moves away from being a library to being a module. On the other hand, accessing your db in your authentication library and thus bypassing the model is not the most elegant of solutions.
Personally, I'd do the checking of user/pass correctness in the User model. The User model models the user and thus also whether the user is logged in, privliges and any session data.