The workaround/fix for this would be to not let pam-auth-update add pam_ssh.so into common-auth and common-session, but add the necessary lines *selectively* only to services that handle local logins like /etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd.

That should allow libpam-ssh to start the agent on initial login, but leave the SSH sessions and their agent forwarding alone.

If you need the "authentication by SSH key passphrase" functionality on SSH connections, you could add only the "auth optional pam_ssh.so try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not be the first authentication module, to prevent an information leak, as described in the pam_ssh(8) man page.)
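
One way to check the result of the selective setup described above, as an added example that is not part of the original message: a shell function (the name `pam_ssh_services` is hypothetical) that lists which services in a PAM directory load pam_ssh.so and for which module type, following `@include` and `include`/`substack` lines. After the change, sshd should show no `session` entry.

```shell
#!/bin/sh
# Added example: report which PAM services end up loading pam_ssh.so,
# directly or through included files.
# Usage: pam_ssh_services [DIR]    DIR defaults to /etc/pam.d

pam_ssh_services() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=${f##*/}
        # common-* are the shared stacks managed by pam-auth-update; they are
        # reported through the services that include them.
        case $svc in common-*) continue ;; esac
        awk -v dir="$dir" -v svc="$svc" '
        # Read one PAM file. "only" restricts matches to one module type
        # (needed for "<type> include <file>" and "<type> substack <file>").
        function scan(path, only,    line, n, fld, type, i) {
            if (path in active) return               # already being read: include loop
            active[path] = 1
            while ((getline line < path) > 0) {
                sub(/#.*/, "", line)                 # drop comments
                n = split(line, fld)
                if (n < 2) continue
                if (fld[1] == "@include") { scan(dir "/" fld[2], only); continue }
                type = fld[1]
                sub(/^-/, "", type)                  # leading "-" only silences missing-module logging
                if (only != "" && type != only) continue
                if (fld[2] == "include" || fld[2] == "substack") {
                    scan(dir "/" fld[3], type); continue
                }
                for (i = 3; i <= n; i++)             # module path follows the control field(s)
                    if (fld[i] ~ /(^|\/)pam_ssh\.so$/) seen[type] = 1
            }
            close(path)
            delete active[path]
        }
        BEGIN {
            scan(dir "/" svc, "")
            m = split("auth account password session", order)
            for (i = 1; i <= m; i++)
                if (order[i] in seen) print svc "\t" order[i]
        }'
    done
}
```

Output is one `service<TAB>type` line per match, so `pam_ssh_services | grep '^sshd'` shows at a glance whether the session hook is still active for SSH logins.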
