Just a quick note that I finally managed to get it together enough to produce a GSSAPI Key exchange patch for the new OpenSSH 4.6p1 release. Patch is available, as always, from http://www.sxw.org.uk/computing/patches/openssh.html
I'm also working on a patch to allow propagation of rekeys over the key exchange handshake. In theory, this means that if you are sitting at a workstation and renew your credentials on that machine all of the machines that you've forwarded tickets to over ssh will also get renewed credentials.
This promises to be really quite funky for people who work like me - with a single, desktop login at home, and many many ssh connections to machines at work. Being able to have all those connections 'magically' end up with valid Kerberos tokens just because I renew my ticket at home will greatly save on typing.