permission hardener: disable SUID for ssh-agent, ssh-keysign, /lib/openssh/*

This might break SSH host-based authentication.

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -5,7 +5,11 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
-## TODO: research
-ssh-agent matchwhitelist
-ssh-keysign matchwhitelist
-/lib/openssh matchwhitelist
+## Used only for SSH host-based authentication
+## https://linux.die.net/man/8/ssh-keysign
+## Needed to allow access to the machine's host key for use in the
+## authentication process. This is a non-default method of authenticating to
+## SSH, and is likely rarely used, thus this should be safe to disable.
+#ssh-agent matchwhitelist
+#ssh-keysign matchwhitelist
+#/lib/openssh matchwhitelist