Htgettoken

No change to htgettoken itself, but
- Update httokendecode to also validate the token if scitokens-verify is
in $PATH.

- Write out vault tokens after kerberos or ssh authentication only if they can successfully be used to read a bearer token
- Change the oidc authentication prompt to say to "copy/paste into any web browser" instead of "open URL manually"
- Update python dependencies to current versions in pip

- Add support for ssh-agent authentication, including the `--sshpath`, `--nossh` and `--registerssh` options. Add the paramiko package to the included library packages.
- Remove "/login" from `--kerbpath`.

- If kerberos initialization fails with the default KRB5_CONFIG="", try again without it. Observed to be needed at CNAF, although not for FNAL, CERN, or LIGO. Don't do second try if the first error was due to an expired ticket, because that sometimes erroneously succeeds on second try.

- Start using new vault secrets plugin feature that allows it to be shared
between all issuers. Requires htvault-config >= 1.5.
- Expand the --vaultalias option to also additionally allow that name
- in vault's host certificate.
- Support finding python3 from PATH and not only /usr/bin
- Support python38
- Add httokendecode -H option
- Fix bug that caused traceback when handling an error writing the credkey
- Update python dependencies to current versions in pip

- Try a default cafile of '/etc/pki/tls/cert.pem' if system default is empty. This can happen when the SSL_CERT_FILE environment variable is empty.