vendor/openssh: upgrade from 8.0p1 to 8.3p1

vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:

- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
  rest in RAM against speculation and memory side-channel attacks like
  Spectre, Meltdown and Rambleed, openssh 8.1 and later encrypts private
  keys when they are not in use with a symmetric key that is derived from
  a relatively large "prekey" consisting of random data (currently 16KB)

- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures
  (i.e. the client and server CASignatureAlgorithms option) and will
  use the rsa-sha2-512 signature algorithm by default when the
  ssh-keygen(1) CA signs new certificates

- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from
  the default key exchange proposal for both the client and server

- ssh-keygen(1): the command-line options related to the generation and
  screening of safe prime numbers used by the diffie-hellman-group-* key
  exchange algorithms have changed, most options have been folded under
  the -O flag

- support PKCS8 as an optional format for storage of private keys to disk,
  native key format remains the default, but PKCS8 is a superior format to
  PEM if interoperability with non-OpenSSH software is required

- ssh(1), sshd(8): prefer to use chacha20 from libcrypto

- sshd(8): the sshd listener process title visible to ps(1) has changed
  to include information about the number of connections that are
  currently attempting authentication and the limits configured
  by MaxStartups

- sshd(8): when clients get denied by MaxStartups, send a notification
  prior to the SSH2 protocol banner according to RFC4253 section 4.2

- sshd(8): add an Include sshd_config keyword that allows including
  additional configuration files via glob(3) patterns

- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
  rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
  to allow .shosts files but not .rhosts

- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
  sshd_config, not just before any Match blocks

- ssh(1), sshd(8): allow prepending a list of algorithms to the default
  set by starting the list with the '^' character, e.g.
  "HostKeyAlgorithms ^ssh-ed25519"

- ssh(1): allow forwarding a different agent socket to the path specified
  by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
  accepting an explicit path or the name of an environment variable in
  addition to yes/no

- ssh(1): add %TOKEN percent expansion for the LocalFoward and
  RemoteForward keywords when used for Unix domain socket forwarding

- ssh(1): allow %n to be expanded in ProxyCommand strings

- sftp(1): reject an argument of "-1" in the same way as ssh(1) and
  scp(1) do instead of accepting and silently ignoring it

- sftp(1): check for user@host when parsing sftp target, this allows
  user@[1.2.3.4] to work without a path

- sftp(1): fix a race condition in the SIGCHILD handler that could
  turn in to a kill(-1)

For detailed list of all improvements, enhancements and bugfixes see
release notes:

https://www.openssh.com/releasenotes.html