How can I set up smart card SSH authentication?
I'd recommend Kerberos. MIT produces a krb5 client & server.
vwduder, could you recommend a smart card reader and a source of FIPS-201 compliant cards?
http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf
I have a copy on my own server, but I am not popular enough on this stacktrace at this moment to share it with you. The above is only slightly less reliable than our own servers, so you will probably be able to get it from them ;)
[edit] I'm now popular enough!
http://www.colliertech.org/state/FIPS-201-1-chng1.pdf
Gemalto drivers are now open source I believe. They have the source code on their website.
You will need to configure the pam module (I'm not sure how to do this, but the code is certainly there). I imagine the pam configuration would require a mapping of a certificate principal to a local user id.
GDM I believe supports smart cards now, but I'm not sure how it detects it. I'll try to look this up later (easiest way is probably to just peek at the gdm source code).
Of course this all requires pcscd and libpcsclite to be installed. You will also need to copy the libgtop11dotnet.so to /usr/lib.
Source code to compile libgtop11dotnet.so: https://github.com/AbigailBuccaneer/libgtop11dotnet