Coda File System

Re: none

From: Greg Troxel <gdt_at_ir.bbn.com>
Date: Tue, 17 Feb 2004 12:05:52 -0500
  I have been working on adding GSS-API authentication to auth2 and clog -
  it uses GSS-API to authenticate and then wrap the coda tokens for the
  client who can unwrap them and use them. I haven't looked at what venus
  does with those tokens (in fact I don't really have a clue) but at least
  the authentication part is basically there.

The critical part is the authentication of the actual RPC2 messages.
Getting tokens delivered more securely is a helpful step, but it
doesn't directly address the biggest problem.  There is already
kerberos support for auth2, I think, and I thought it used krb5 to
obtain tokens - how is what you are doing different from that?  But I
haven't paid too much attention since the tokens are still then used
in an insecure manner.

Your changes are probably very helpful along the path to completely
replacing the existing rpc2 security mechanisms with gssapi.  I think
one needs to replace the RPC2 security method with a method that uses
gss_wrap, and then add configuration that forces that to be used with
particular peers, etc.
Received on 2004-02-17 12:07:55