Josh Wright has an article on decrypting SSH sessions based on the 2008 Debian OpenSSH vulnerability, with helpful hints on how to do it, and some patches to publicly available tools to make them work even better.

http://www.willhackforsushi.com/code/ssh_decoder.rb