ssh: disallow loading PKCS#11 modules by default

Description

ssh: disallow loading PKCS#11 modules by default

This is the rest of the OpenSSH 9.3p2 change to address CVE-2023-38408.

From the release notes:

  • ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11".

    Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction.

Security: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
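The policy described in the commit message, as an added illustration that is not OpenSSH's or FreeBSD's code: a toy agent that tracks whether a connection has been marked as forwarded and refuses SSH_AGENTC_ADD_SMARTCARD_KEY on such a connection unless allow-remote-pkcs11 is set. The marking mechanism is modelled on the session-bind@openssh.com agent extension that the >=8.9 ssh(1) client sends over a forwarded agent connection; the field layout used for that extension, the placeholder host key and signature, the provider path and the third "relayed by another tool" scenario are all assumptions made for this example. The message type numbers and the uint32-length/byte-type framing are the standard ssh-agent protocol ones.

```python
"""Constructed model of the ssh-agent(8) remote-PKCS#11 check (not OpenSSH code).

A load request (SSH_AGENTC_ADD_SMARTCARD_KEY) is refused on a connection that a
session-bind@openssh.com extension has marked as forwarded, unless the agent was
started with allow-remote-pkcs11. A connection relayed without that extension
(e.g. by a tool other than ssh(1)) is never marked, which is the caveat in the
release note. The session-bind field layout below is an assumption.
"""
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_EXTENSION = 27
SESSION_BIND_EXT = b"session-bind@openssh.com"


def put_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Parse one SSH 'string' at offset; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes) -> bytes:
    """Agent message framing: uint32 length, byte type, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def session_bind_msg(is_forwarding: bool) -> bytes:
    """Modelled session-bind: string hostkey, string session_id, string signature,
    bool is_forwarding. Host key and signature are placeholders (assumption);
    this model does not verify them."""
    data = (put_string(b"ssh-ed25519 <hostkey blob>")
            + put_string(b"<session id>")
            + put_string(b"<signature>")
            + bytes([1 if is_forwarding else 0]))
    return frame(SSH_AGENTC_EXTENSION, put_string(SESSION_BIND_EXT) + data)


def add_smartcard_msg(provider: bytes, pin: bytes = b"") -> bytes:
    """SSH_AGENTC_ADD_SMARTCARD_KEY: string provider path, string PIN."""
    return frame(SSH_AGENTC_ADD_SMARTCARD_KEY, put_string(provider) + put_string(pin))


class ModelAgent:
    """One agent connection; remembers whether a forwarding session-bind was seen."""

    def __init__(self, allow_remote_pkcs11: bool = False):
        self.allow_remote_pkcs11 = allow_remote_pkcs11   # the -Oallow-remote-pkcs11 flag
        self.remote = False
        self.loaded_providers = []

    def handle(self, raw: bytes) -> int:
        (length,) = struct.unpack_from(">I", raw, 0)
        body = raw[4:4 + length]
        msg_type, payload = body[0], body[1:]
        if msg_type == SSH_AGENTC_EXTENSION:
            name, off = get_string(payload, 0)
            if name != SESSION_BIND_EXT:
                return SSH_AGENT_FAILURE
            _hostkey, off = get_string(payload, off)
            _session_id, off = get_string(payload, off)
            _signature, off = get_string(payload, off)
            if payload[off] == 1:
                self.remote = True      # client told us this connection is forwarded
            return SSH_AGENT_SUCCESS
        if msg_type == SSH_AGENTC_ADD_SMARTCARD_KEY:
            if self.remote and not self.allow_remote_pkcs11:
                return SSH_AGENT_FAILURE   # new default: refuse remote module loads
            provider, _ = get_string(payload, 0)
            self.loaded_providers.append(provider)
            return SSH_AGENT_SUCCESS
        return SSH_AGENT_FAILURE


def scenario(marked_forwarded: bool, allow_remote: bool) -> int:
    """Reply to a PKCS#11 load on a fresh connection. marked_forwarded=True models
    an ssh(1) >=8.9 client that sent session-bind; False models a local client or
    a socket relayed by some other tool, which sends no such marker."""
    agent = ModelAgent(allow_remote_pkcs11=allow_remote)
    if marked_forwarded:
        agent.handle(session_bind_msg(is_forwarding=True))
    return agent.handle(add_smartcard_msg(b"/usr/local/lib/pkcs11-module.so"))
```

Three calls cover the cases the release note describes: `scenario(True, False)` is the new default and refuses the load; `scenario(True, True)` restores the old behaviour; `scenario(False, False)` is the caveat, a forwarded socket that never received the client's marker, so the agent cannot tell it is remote and accepts the load.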

Details

Provenance
emaste, authored on Jul 19 2023, 5:02 PM
Parents
rG039d7ad8ee6b: ssh-agent: document "-O no-restrict-websafe"