Spent a good part of the day writing a module to enable pubcookie-based authentication in Drupal. Unfortunately pubcookie works a little differently than Drupal's built-in distributed authentication expects, as the username and password are not entered into Drupal's login form but on a separate, secure server.
user.module is a little hairy. I should clarify; I spent little time writing the module (that's easy) and more time tracing paths of execution for authentication.