[Joe] If the GSSAPI exchange is not bound to the session then you do not have assurance that the client actually was performing the GSSAPI exchange to authenticate itself to the SSH server. The client may actually be trying to authenticate to some other service in some other context and his authentication may be proxied by a third party. Part of the problem is that the target name suggested is "host@", which can be used by multiple services on a host.
Tim> Perhaps a target service name such as "ssh@" should be suggested instead? Would this avoid the problem under discussion?