Here’s an alternative that might work. Authenticate via Radius which in turn proxies the authentication request to a SecurId server. With one time passwords, who cares if they get sniffed? You also get the benefit of having your Radius server being able to do accounting/access control on the sessions as well.
SSH has one advantage to one time passwords, in providing a secure path to see/change the configuration. Parameters like ACLs, communities and even interface descriptions (wanna know who the clients of your competitor are ?) are travelling in clear on the network... even clear-text passwords with vty access controls and routing protocols security can resist to sniffing (know the password, can't use it), but information is always useful.
Rubens Kuhl Jr.