There is a howto on the gnupg site, but frankly it's a little out of date. It focuses enough on hardware to scare people away, but these days most readers are libccid-compatible, so it's a non-issue. Setup is actually pretty simple.
Basically you either get a card and reader:
http://shop.kernelconcepts.de/product_info.php?cPath=1_26...
Or get an all-in-one cryptostick:
http://www.privacyfoundation.de/crypto_stick/crypto_stick_en...
And set up your gpg keys on there, either by generating them directly on the card or transferring existing keys. These are simple commands documented elsewhere. In addition to the normal signing and encryption keys, you also generate an authentication key.
Then 'ssh-add -L' will spit out your public key in ssh format to copy on the host machines as usual.
After that you just make sure that you'll use gpg-agent instead of ssh-agent. The man page for gpg-agent shows you what you'll want to add to .bashrc.
Then when you ssh into a machine, gpg-agent will take over, pop up a little dialog called pinentry, you enter your code, and you're good. When you go to lunch, remove card, and ssh authentication with that key no longer works.
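The agent switch and the 'ssh-add -L' step described above, as an added shell example that is not part of the original comment. The function names and sample key lines are constructed; it assumes `enable-ssh-support` is set in `~/.gnupg/gpg-agent.conf` and that gpg-agent labels card keys with a `cardno:` comment.

```shell
# Added example; function names are hypothetical, sample key lines are constructed.

# Point ssh at gpg-agent's ssh socket instead of ssh-agent's.
# Assumes "enable-ssh-support" is present in ~/.gnupg/gpg-agent.conf.
# Call this from .bashrc.
use_gpg_agent_for_ssh() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    unset SSH_AGENT_PID                      # drop any leftover ssh-agent reference
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" || return 1
    GPG_TTY="$(tty)"                         # pinentry needs to know the terminal
    export SSH_AUTH_SOCK GPG_TTY
}

# Filter "ssh-add -L" output (read from stdin) down to card-held keys.
# Prints "<key type> <cardno comment>" for each key whose comment field
# starts with "cardno:" (assumption: that is how the agent labels them).
card_backed_keys() {
    awk '$3 ~ /^cardno:/ { print $1, $3 }'
}

# Reports whether the agent currently lists at least one card-backed key,
# so a script can refuse to continue on a software-only key.
card_key_listed() {
    [ -n "$(ssh-add -L 2>/dev/null | card_backed_keys)" ]
}

# Constructed sample of "ssh-add -L" output: one card key, one file-based key.
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample cardno:000500000000
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5example user@laptop'
```

Running `printf '%s\n' "$SAMPLE_KEYS" | card_backed_keys` keeps only the card-held key, which is the line to copy into `authorized_keys` on the host machines.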