However, I probably won't give up ETT yet, because there are some design differences that would make ETT more useful in certain circumstances. SSH seems to be designed mainly as a secure telnet program, with TCP port redirection added on, which suggests (although I'm not sure) that you need to have a user account on the SSH server to connect to it. It also does not seem to do any filtering of TCP redirection requests. Chaining would not work well with SSH because of its packet overhead.
You are quite right here; some kind of account is needed on the forwarder machine. (It can, though, be an account without password and a login shell that just sleeps.) But anyway, TCP port forwarding is not its main function. (I don't think the packetizing is such a major overhead though - it currently transfers around 400kbytes/sec over ethernet encrypted with RC4 between P90 machines.)
authentication schemes. What are the relative advantages of your protocol over a more straightforward DH + signature of exchange values? DH would provide forward secrecy directly without the need to change the server key every hour.
The reasons for this key exchange are mostly historical. If I were starting the implementation now, I would use DH + signatures. The performance difference is not very big, but DH + signature would be simpler. Tatu
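The "DH + signature of exchange values" design discussed above, as an added example (Python, not SSH's or ETT's code): each side signs its own ephemeral DH value with a long-term Schnorr key, and the session key is derived only from the ephemeral exponents, which is what gives forward secrecy without rotating the server key every hour. The 64-bit safe-prime group, the key sizes and the SHA-256 key derivation are constructed for illustration; a deployment would use a standard group such as the RFC 3526 MODP groups or an elliptic curve.

```python
import hashlib
import secrets

def is_prime(n, rounds=32):  # Miller-Rabin probable-prime test (demo quality)
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Constructed demo group: safe prime p = 2q + 1 and g = 4, which has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1    # secret exponent
    return x, pow(g, x, p)              # and its public value g^x

def challenge(q, r, msg):               # Schnorr challenge e = H(r, msg) mod q
    return int.from_bytes(hashlib.sha256(f"{r}|{msg}".encode()).digest(), "big") % q

def sign(p, q, g, x, msg):              # Schnorr signature with long-term key x
    k = secrets.randbelow(q - 1) + 1
    r = pow(g, k, p)
    return r, (k + challenge(q, r, msg) * x) % q

def verify(p, q, g, y, msg, r, s):      # g^s == r * y^e  <=>  s = k + e*x
    return pow(g, s, p) == (r * pow(y, challenge(q, r, msg), p)) % p

def signed_dh(p, q, g, x_c, y_c, x_s, y_s):
    """One run: (both signatures verify, client session key, server session key)."""
    (a, A), (b, B) = keygen(p, q, g), keygen(p, q, g)   # ephemerals, discarded after use
    ok = (verify(p, q, g, y_c, A, *sign(p, q, g, x_c, A))   # server checks client's value
          and verify(p, q, g, y_s, B, *sign(p, q, g, x_s, B)))  # client checks server's
    kdf = lambda z: hashlib.sha256(str(z).encode()).hexdigest()
    return ok, kdf(pow(B, a, p)), kdf(pow(A, b, p))  # keys depend only on a and b
```

A later compromise of the long-term keys x_c or x_s lets an attacker impersonate, but not recover past session keys, since a and b were never stored.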