Apply upstream fix for CVE-2016-10009 and CVE-2016-10010:

add a whitelist of paths from which ssh-agent will load (via
ssh-pkcs11-helper) a PKCS#11 module; ok markus@

disable Unix-domain socket forwarding when privsep is disabled

(Note that this is a backport of upstream fixes, and this commit
is mainly to ease future imports).

Obtained from: OpenBSD