add a whitelist of paths from which ssh-agent will load (via
  ssh-pkcs11-helper) a PKCS#11 module; ok markus@

  disable Unix-domain socket forwarding when privsep is disabled

(Note that this is a backport of upstream fixes, and this commit
is mainly to ease future imports).

Obtained from:  OpenBSD