smart card authentication with Linux?
Paul Lussier
p.lussier at comcast.net
Mon Nov 14 13:19:00 EST 2005
Does anyone know of any smart card authentication schemes which work
with Linux *other* than SecurID?

Specifically, I'd like a hardware-based solution, either a card or key
fob, etc., which generates a one-time passphrase, but does not have to
be synchronized with a central server.

Here's the scenario:

We are deploying systems to customers which our support team
occasionally needs to log into. Currently we do this via ssh keys.
This is problematic, because if someone in the company leaves, and
they had access to these keys, we have to go to all our customers'
systems and change the keys. This is time consuming and problematic
for a variety of reasons.

We could employ one-time passwords using libopie, but again, we then
need to go to every customer installation, and update the opie config.

A hardware solution that was issued to each person who required access
would solve the problem of having to update the remote side when
someone leaves the company since they would need to return this along
with other company property. And, since, ideally, the OTP seed is
tied to the hardware (via serial number, etc.) then disabling any
given card or adding new cards would be trivial (as compared to
updating ssh keys).

Any pointers, comments, suggestions are welcome, as Google has been
not overly much help in this area...

Thanks.
--
Seeya,
Paul
More information about the gnhlug-discuss
mailing list