Hacking on restful_authentication

I am relatively new to Rails, and I recently installed the
restful_authentication plugin to manage authentication and users for a
site I'm developing. I wanted to change the behaviour of the plugin
so that it returned meaningful error messages to users when a login
failed (ie to tell the user whether the login failed because the user
didn't exist or because the password didn't match), but this proved
surprisingly difficult. The problem is that user authentication is
done in a class method, which returns nil to indicate that the login
failed.

def self.authenticate
    u = find_by_login(login) # need to get the salt
    u && u.authenticated?(password) ? u : nil
end

I tried quite a few things, but they were all hampered by the fact
that (a) the nil value represented both kinds of errors and (b)
returning nil didn't allow me to use things like virtual attributes to
store and indication of the actual problem. It was made more
difficult by the fact that this authentication happened in the model,
and therefore I was limited in the way that I could communicate back
to the controller (eg the model doesn't have access to the flash or
the session).

Eventually I decided to use custom exceptions for the two different
types of errors and have the controller separately rescue these to set
the flash message to indicate what actually went wrong, as these
seemed like the way to achieve my aim with minimal disturbance to the
existing system (there seem to be quite a few places that relied on
the existing design).

  def self.authenticate(login, password)
    u = find_by_login(login) # need to get the salt
    raise AuthenticatedSystem::UserNotFoundException if u.nil?
    raise AuthenticatedSystem::InvalidPasswordException unless
u.authenticated?(password)
    return u
  end

I guess what I'm wondering is what would be the best (ie most Rails-
like) way to implement this if you were starting from scratch with
this aim in mind ? Would it be better to move more of the logic into
the controller by changing the authenticate method to an instance
method without the find, doing the find in the controller and then
call authenticate on the returned user model to validate the
password ? Or is there some other more elegant solution that I'm
missing ?