Trying out restful-authentication


It is apparently hosted on git now.
technoweenie's restful-authentication at master - GitHub

Installation

ruby script/plugin install git://github.com/technoweenie/restful-authentication.git
ruby script/generate authenticated user sessions
rake db:migrate

Configuration

application_controller and sessions_controller/users_controller
As the generated comment says, move the include into application_controller (and comment it out in sessions_controller/users_controller).

  # Be sure to include AuthenticationSystem in Application Controller instead
  include AuthenticatedSystem


Each controller
For content that should only be reachable when logged in, add the following to the controller:

before_filter :login_required
or
before_filter :login_required, :except => [:index, :show]

A quick look at the source

I was wondering how the password hashing is actually done.
vendor/plugins/restful-authentication/lib/authentication/by_password.rb

    module ModelClassMethods
      # This provides a modest increased defense against a dictionary attack if
      # your db were ever compromised, but will invalidate existing passwords.
      # See the README and the file config/initializers/site_keys.rb
      #
      # It may not be obvious, but if you set REST_AUTH_SITE_KEY to nil and
      # REST_AUTH_DIGEST_STRETCHES to 1 you'll have backwards compatibility with
      # older versions of restful-authentication.
      def password_digest(password, salt)
        digest = REST_AUTH_SITE_KEY
        REST_AUTH_DIGEST_STRETCHES.times do
          digest = secure_digest(digest, salt, password, REST_AUTH_SITE_KEY)
        end
        digest
      end
    end # class methods
    module ModelInstanceMethods

      # Encrypts the password with the user salt
      def encrypt(password)
        self.class.password_digest(password, salt)
      end
    end # instance methods


vendor/plugins/restful-authentication/lib/authentication.rb

  module ModelClassMethods
    def secure_digest(*args)
      Digest::SHA1.hexdigest(args.flatten.join('--'))
    end
  end


REST_AUTH_SITE_KEY and REST_AUTH_DIGEST_STRETCHES (default 10) are defined in
config/initializers/site_keys.rb


I see, so the hash is stretched 10 times.


By the way, the salt is produced here:
vendor/plugins/restful-authentication/lib/authentication/by_password.rb

      def encrypt_password
        return if password.blank?
        self.salt = self.class.make_token if new_record?
        self.crypted_password = encrypt(password)
      end

vendor/plugins/restful-authentication/lib/authentication.rb

    def make_token
      secure_digest(Time.now, (1..10).map{ rand.to_s })
    end


So the digest (initially REST_AUTH_SITE_KEY), the salt, the password and REST_AUTH_SITE_KEY
are joined with "--" and hashed, and that step is repeated 10 times.
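To see the whole construction in one place, here is an added stand-alone example (my code, not the plugin's) that reproduces the digest logic read above and adds a constant-time check on the verification side. SITE_KEY and DIGEST_STRETCHES are constructed stand-ins for the values in config/initializers/site_keys.rb; make_salt uses SecureRandom instead of the plugin's Time.now plus rand, which is my choice for the example.

```ruby
require 'digest/sha1'
require 'securerandom'

# Constructed stand-ins for REST_AUTH_SITE_KEY / REST_AUTH_DIGEST_STRETCHES
# (hypothetical values, not from any real site_keys.rb).
SITE_KEY = 'example-site-key-not-a-real-one'
DIGEST_STRETCHES = 10

# Same shape as the plugin's secure_digest: join everything with "--", SHA1 it.
def secure_digest(*args)
  Digest::SHA1.hexdigest(args.flatten.join('--'))
end

# Re-implementation of password_digest as read from by_password.rb:
# start from the site key, then feed (digest, salt, password, site_key)
# back through secure_digest `stretches` times.
def password_digest(password, salt, site_key: SITE_KEY, stretches: DIGEST_STRETCHES)
  digest = site_key
  stretches.times do
    digest = secure_digest(digest, salt, password, site_key)
  end
  digest
end

# Per-user salt. The plugin hashes Time.now plus ten rand values; this example
# draws 20 random bytes from SecureRandom instead (40 hex chars, same width
# as a SHA1 hexdigest).
def make_salt
  SecureRandom.hex(20)
end

# Constant-time comparison of two hex digests, so a mismatch does not reveal
# how many leading characters agreed (added here; not part of the plugin).
def digests_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What a login check does: recompute the digest with the stored salt and
# compare it against the stored crypted_password.
def authenticate?(password, salt, crypted_password)
  digests_equal?(password_digest(password, salt), crypted_password)
end

if $PROGRAM_NAME == __FILE__
  salt   = make_salt
  stored = password_digest('correct horse', salt)
  puts "salt=#{salt}"
  puts "crypted_password=#{stored}"
  puts authenticate?('correct horse', salt, stored)
  puts authenticate?('wrong password', salt, stored)
  # Changing the site key or the stretch count changes every digest, which is
  # why the plugin's comment warns that it invalidates existing passwords.
  puts password_digest('correct horse', salt, stretches: 1) == stored
end
```

With site_key set to nil and stretches set to 1, the joined string collapses to "--salt--password--", which is the backwards-compatibility case the plugin's comment mentions. Note also what the stretching does and does not buy: 10 rounds of SHA1 make each guess roughly ten times more expensive than a single hash, but that is still a tiny cost next to a purpose-built password hash such as bcrypt, so the site key and stretch count should be seen as a modest hardening layer rather than strong protection of a leaked users table.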