Update securedrop admin tools to use sftp with Ansible instead of scp

[zenmonkeykstop]

Securedrop servers use a hardened sshd config that disables sftp. We rely on scp instead for Ansible's communications from workstations to servers. With OpenSSH 9, scp is on the road to deprecation, so we should use sftp instead. This would most likely involve:

• Updating the sshd_config on existing and new installs to add an sftp stanza
• Updating the ansible config to use sftp only (other options include scp, tunnelling over ssh, and a mode that tries them all. IN the interests of predictability, we should specify only one.)

[legoktm]

From what I can tell we need to add at least Subsystem sftp /usr/lib/openssh/sftp-server to our sshd_config. Not sure if there's more than that.