diff --git a/security/sssd-devel/Makefile b/security/sssd-devel/Makefile
index ab8c12d7dbc1..cda27caa71d9 100644
--- a/security/sssd-devel/Makefile
+++ b/security/sssd-devel/Makefile
@@ -1,200 +1,199 @@
 PORTNAME=	sssd
 PORTVERSION=	2.9.2
+PORTREVISION=	1
 CATEGORIES=	security
 PKGNAMESUFFIX=	-devel
 
 MAINTAINER=	jhixson@FreeBSD.org
 COMMENT=	System Security Services Daemon
 WWW=		https://sssd.io/
 
 LICENSE=	GPLv3+
 LICENSE_FILE=	${WRKSRC}/COPYING
 
 CONFLICTS_INSTALL?=	sssd*
 
 BUILD_DEPENDS=	bash:shells/bash \
 		docbook-xsl>=1:textproc/docbook-xsl \
 		krb5>=1.20:security/krb5 \
 		p11-kit:security/p11-kit \
 		samba-nsupdate:dns/samba-nsupdate \
 		xmlcatalog:textproc/libxml2 \
 		xmlcatmgr:textproc/xmlcatmgr \
 		xsltproc:textproc/libxslt
 
 LIB_DIRS+=	${LOCALBASE}/lib ${LOCALBASE}/lib/sasl2
 LIB_DEPENDS=	libcares.so:dns/c-ares \
 		libcom_err.so:security/krb5 \
 		libcurl.so:ftp/curl \
 		libdbus-1.so:devel/dbus \
 		libdhash.so:devel/ding-libs \
 		libfido2.so:security/libfido2 \
 		libgssapi_krb5.so:security/krb5 \
 		libinotify.so:devel/libinotify \
 		libjansson.so:devel/jansson \
 		libjose.so:net/jose \
 		libkrb5.so:security/krb5 \
 		libldb.so:databases/ldb22 \
 		libndr-krb5pac.so:net/samba416 \
 		libndr-nbt.so:net/samba416 \
 		libndr-standard.so:net/samba416 \
 		libndr.so:net/samba416 \
 		libnfs.so:net/libnfs \
 		libnss3.so:security/nss \
 		libp11-kit.so:security/p11-kit \
 		libpcre2-posix.so:devel/pcre2 \
 		libplds4.so:devel/nspr \
 		libpopt.so:devel/popt \
 		libsamba-util.so:net/samba416 \
 		libsasl2.so:security/cyrus-sasl2 \
 		libsmbclient.so:net/samba416 \
 		libtalloc.so:devel/talloc \
 		libtdb.so:databases/tdb \
 		libtevent.so:devel/tevent \
 		libunistring.so:devel/libunistring \
 		libuuid.so:misc/e2fsprogs-libuuid
 
 RUN_DEPENDS=	cyrus-sasl-gssapi>0:security/cyrus-sasl2-gssapi \
 		sudo>0:security/sudo
 
 USES=	autoreconf cpe gettext gmake gssapi:bootstrap,flags,mit iconv ldap \
 	libtool localbase:ldflags pathfix pkgconfig python:3.9+ shebangfix ssl
 
 USE_LDCONFIG=	yes
 GNU_CONFIGURE=	yes
 
 INSTALL_TARGET=	install-strip
 CPE_VENDOR=	fedoraproject
 
 DEBUG_FLAGS=	-g
 STRIP=
 
 CONFIGURE_ARGS=	--disable-dependency-tracking \
 		--datadir=${DATADIR} \
 		--docdir=${DOCSDIR} \
 		--localstatedir=/var \
 		--disable-silent-rules \
 		--disable-nls \
 		--disable-cifs-idmap-plugin \
 		--disable-valgrind \
 		--disable-systemtap \
 		--enable-pammoddir=${PREFIX}/lib \
 		--enable-ldb-version-check \
 		--enable-pac-responder \
 		--with-db-path=/var/db/sss/db \
 		--with-os=freebsd \
 		--with-plugin-path=${LOCALBASE}/lib/sssd \
 		--with-pubconf-path=/var/db/sss/pubconf  \
 		--with-pid-path=/var/run \
 		--with-pipe-path=/var/run/sss/pipes \
 		--with-mcache-path=/var/db/sss/mc \
 		--with-environment-file=${LOCALBASE}/etc/sssd \
 		--with-init-dir=no \
 		--with-manpages \
 		--with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \
 		--with-krb5-plugin-path=${LOCALBASE}/lib/krb5/plugins/libkrb5 \
 		--with-krb5authdata-plugin-path=${LOCALBASE}/lib/krb5/plugins/authdata \
 		--with-krb5-conf=/etc/krb5.conf \
 		--without-python2-bindings \
 		--with-winbind-plugin-path=${LOCALBASE}/lib/samba4/modules/idmap \
 		--without-selinux \
 		--with-gpo-cache-path=/var/db/sss/gpo_cache  \
 		--without-semanage \
 		--with-app-libs=${LOCALBASE}/lib/sssd/modules \
-		--with-sudo \
-		--with-sudo-lib-path=${LOCALBASE}/lib \
 		--without-autofs \
 		--with-files-provider \
 		--with-passkey \
 		--with-libsifp \
 		--without-libsifp \
 		--with-syslog=syslog \
 		--with-samba \
 		--without-nfsv4-idmapd-plugin \
 		--with-nfs-lib-path=${LOCALBASE}/lib \
 		--with-secrets-db-path=/var/lib/sss/secrets \
 		--with-kcm \
 		--with-oidc-child \
 		--with-ldb-lib-dir=${LOCALBASE}/lib/shared-modules/ldb \
 		--with-smb-idmap-interface-version=6 \
 		--without-libnl \
 		--with-nscd-conf=/etc/nscd.conf \
 		--with-python_prefix=${PREFIX} \
 		--with-unicode-lib=libunistring
 
 CFLAGS+=	-fstack-protector-all
 CFLAGS+=	-I${LOCALBASE}/include/samba4
 
 LIBS+=	-L${LOCALBASE}/lib \
 	-L${LOCALBASE}/lib/samba4/private \
 	-L${LOCALBASE}/lib/sasl2  \
 	-linotify -lintl
 
 KRB5_HOME=	${LOCALBASE}
 KRB5_CONFIG=	${LOCALBASE}/bin/krb5-config
 KRB5_CFLAGS=	-I${LOCALBASE}/include
 KRB5_LIBS=	-L${LOCALBASE}/lib -lkrb5
 
 LDFLAGS+=       -lgssapi
 LDFLAGS_SL+=    -lgssapi
 
 INCLUDES+=      -I${LOCALBASE}/include
 CONFIGURE_ENV+= INCLUDES="${INCLUDES}" \
 		LDFLAGS_SL="${LDFLAGS_SL}"
 MAKE_ENV=       MAKELEVEL=0
 
 PLIST_SUB=	PYTHON_VER=${PYTHON_VER}
 MAKE_ENV+=      LINGUAS="bg de eu es fr hu id it ja nb nl pl pt ru sv tg tr uk zh_CN zh_TW"
 SUB_FILES=	pkg-message
 
 BINARY_ALIAS=	python3=python${PYTHON_VER}
 SHEBANG_FILES=	sbus_generate.sh.in \
 		src/tools/analyzer/sss_analyze \
 		src/tools/sss_obfuscate \
 		src/config/SSSDConfigTest.py \
 		src/tests/python-test.py \
 		src/tests/pysss-test.py \
 		src/tests/cwrap/cwrap_test_setup.sh \
 		src/tests/whitespace_test \
 		src/tests/pyhbac-test.py \
 		src/tests/multihost/data/memcachesize.py \
 		src/tests/double_semicolon_test \
 		src/tests/pysss_murmur-test.py \
 		scripts/release.sh \
 		contrib/git/pre-push \
 		contrib/ci/rpm-spec-builddeps \
 		contrib/ci/clean \
 		contrib/ci/valgrind-condense \
 		contrib/ci/run-multihost \
 		contrib/ci/run \
 		contrib/ci/get-matrix.py \
 		contrib/vagrant/bootstrap.sh \
 		contrib/fedora/make_srpm.sh
 
 USE_RC_SUBR=	${PORTNAME}
 
 USE_GITHUB=yes
 GH_ACCOUNT=sssd
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|/usr/bin/|${PREFIX}/bin/|g' \
 		-e 's|/var/lib/sss/pubconf/|/var/db/sss/pubconf/|g' \
 		${WRKSRC}/src/man/sss_ssh_knownhostsproxy.1.xml \
 		${WRKSRC}/src/man/po/*.po || true
 	@${REINPLACE_CMD} -e 's|/etc/sssd/|${ETCDIR}/|g' \
 		-e 's|/etc/openldap/|${LOCALBASE}/etc/openldap/|g' \
 		${WRKSRC}/src/man/*xml || true
 	@${CP} ${FILESDIR}/sss_bsd_errno.h ${WRKSRC}/src/util/sss_bsd_errno.h
 	@${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}/src/sss_client/bsdnss.c
 
 post-install:
 	${INSTALL_DATA} ${WRKSRC}/src/examples/sssd-example.conf \
 		${STAGEDIR}${ETCDIR}/sssd.conf.sample
 	${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system.d
 	${INSTALL_DATA} ${WRKSRC}/src/responder/ifp/org.freedesktop.sssd.infopipe.conf \
 		${STAGEDIR}${PREFIX}/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 	${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system-services
 	${INSTALL_DATA} ${WRKSRC}/src/responder/ifp/org.freedesktop.sssd.infopipe.service \
 		${STAGEDIR}${PREFIX}/share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
 	${LN} -sf libnss_sss.so.2 ${STAGEDIR}${PREFIX}/lib/nss_sss.so.1
 
 .include <bsd.port.mk>
diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index e4bc49005f18..b955a563575b 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,148 +1,153 @@
 PORTNAME=	sudo
 PORTVERSION=	1.9.15p5
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security
 MASTER_SITES=	SUDO
 
 MAINTAINER=	garga@FreeBSD.org
 COMMENT=	Allow others to run commands as root
 WWW=		https://www.sudo.ws/
 
 LICENSE=	sudo
 LICENSE_NAME=	Sudo license
 LICENSE_FILE=	${WRKSRC}/LICENSE.md
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 USES=		cpe libtool pkgconfig
 CPE_VENDOR=	todd_miller
 USE_LDCONFIG=	yes
 GNU_CONFIGURE=	yes
 GNU_CONFIGURE_MANPREFIX=	${PREFIX}/share
 CONFIGURE_ARGS=	--mandir=${PREFIX}/share/man \
 		--sysconfdir=${PREFIX}/etc \
 		--with-env-editor \
 		--with-ignore-dot \
 		--with-logfac=${LOGFAC} \
 		--with-logincap \
 		--with-long-otp-prompt \
 		--with-rundir=/var/run/sudo \
 		--with-tty-tickets
 LDFLAGS+=	-lgcc
 
 PORTSCOUT=	ignore:1
 
 OPTIONS_DEFINE=		AUDIT DISABLE_AUTH DISABLE_ROOT_SUDO DOCS EXAMPLES \
-			INSULTS LDAP NLS NOARGS_SHELL OPIE PAM PYTHON SSL SSSD
+			INSULTS LDAP NLS NOARGS_SHELL OPIE PAM PYTHON SSL
 OPTIONS_DEFAULT=	AUDIT PAM SSL
-OPTIONS_RADIO=		KERBEROS
+OPTIONS_RADIO=		KERBEROS SSSD
 OPTIONS_RADIO_KERBEROS=	GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
+OPTIONS_RADIO_SSSD=	SSSD SSSD_DEVEL
 OPTIONS_SUB=		yes
 
 AUDIT_DESC=		Enable BSM audit support
 DISABLE_AUTH_DESC=	Do not require authentication by default
 DISABLE_ROOT_SUDO_DESC=	Do not allow root to run sudo
 INSULTS_DESC=		Enable insults on failures
 KERBEROS_DESC=		Enable Kerberos 5 authentication (no PAM support)
 NOARGS_SHELL_DESC=	Run a shell if no arguments are given
 OPIE_DESC=		Enable one-time passwords (no PAM support)
 PYTHON_DESC=		Enable python plugin support
 SSL_DESC=		Use OpenSSL TLS and SHA2 functions
 SSSD_DESC=		Enable SSSD backend support
+SSSD_DEVEL_DESC=	Enable SSSD-devel backend support
 
 AUDIT_CONFIGURE_WITH=	bsm-audit
 
 DISABLE_AUTH_CONFIGURE_ON=	--disable-authentication
 DISABLE_ROOT_SUDO_CONFIGURE_ON=	--disable-root-sudo
 
 GSSAPI_BASE_USES=		gssapi
 GSSAPI_BASE_CONFIGURE_ON=	--with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_HEIMDAL_USES=		gssapi:heimdal
 GSSAPI_HEIMDAL_CONFIGURE_ON=	--with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_MIT_USES=		gssapi:mit
 GSSAPI_MIT_CONFIGURE_ON=	--with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 
 INSULTS_CONFIGURE_ON=	--with-insults --with-all-insults
 
 LDAP_USES=		ldap
 LDAP_CONFIGURE_ON=	--with-ldap=${PREFIX} \
 			--with-ldap-conf-file=${PREFIX}/etc/${SUDO_LDAP_CONF}
 
 NLS_USES=		gettext
 NLS_CONFIGURE_ENABLE=	nls
 NLS_CFLAGS=		-I${LOCALBASE}/include
 NLS_LDFLAGS=		-L${LOCALBASE}/lib -lintl
 
 NOARGS_SHELL_CONFIGURE_ENABLE=	noargs-shell
 
 OPIE_CONFIGURE_ON=	--with-opie
 
 PAM_PREVENTS=		OPIE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
 PAM_PREVENTS_MSG=	PAM cannot be combined with any other authentication plugin
 PAM_CONFIGURE_ON=	--with-pam
 
 PYTHON_USES=		python
 PYTHON_CONFIGURE_ENABLE=python
 
 SSL_USES=		ssl
 SSL_CONFIGURE_ON=	--enable-openssl=${OPENSSLBASE}
 
 SSSD_PREVENTS=		GSSAPI_HEIMDAL
 SSSD_PREVENTS_MSG=	sssd requires MIT kerberos and it conflicts with heimdal
 SSSD_RUN_DEPENDS=	sssd:security/sssd
 SSSD_CONFIGURE_ON=	--with-sssd
 
+SSSD_DEVEL_RUN_DEPENDS=	sssd:security/sssd-devel
+SSSD_DEVEL_CONFIGURE_ON=	--with-sssd
+
 LOGFAC?=		authpriv
 SUDO_LDAP_CONF?=	ldap.conf
 
 # This is intentionally not an option.
 # SUDO_SECURE_PATH is a PATH string that will override the user's PATH.
 # ex: make SUDO_SECURE_PATH="/sbin:/bin:/usr/sbin:/usr/bin"
 .if defined(SUDO_SECURE_PATH)
 CONFIGURE_ARGS+=	--with-secure-path="${SUDO_SECURE_PATH}"
 .endif
 
 # This is intentionally not an option.
 # SUDO_KERB5_INSTANCE is an optional instance string that will be appended
 # to kerberos principals when to perform authentication. Common choices
 # are "admin" and "sudo".
 .if defined(SUDO_KERB5_INSTANCE)
 CONFIGURE_ARGS+=	--enable-kerb5-instance="${SUDO_KERB5_INSTANCE}"
 .endif
 
 .include <bsd.port.options.mk>
 
 .if ${OPSYS} == FreeBSD && ${OSVERSION} >= 1400072
 . if ${PORT_OPTIONS:MOPIE}
 BUILD_DEPENDS+=	opie>0:security/opie
 RUN_DEPENDS+=	opie>0:security/opie
 . endif
 .endif
 
 .if ${ARCH} == "arm"
 CONFIGURE_ARGS+=	--disable-pie
 .endif
 
 post-patch:
 	@${REINPLACE_CMD} -E '/install-(binaries|noexec):/,/^$$/ \
 		s/\$$\(INSTALL\)/& ${STRIP}/;s/-b\~/-b ~/' \
 		${WRKSRC}/src/Makefile.in
 
 post-install:
 	${INSTALL_DATA} ${FILESDIR}/pam.conf ${STAGEDIR}${PREFIX}/etc/pam.d/sudo.default
 	${MV} ${STAGEDIR}${PREFIX}/etc/sudo.conf ${STAGEDIR}${PREFIX}/etc/sudo.conf.sample
 	${MV} ${STAGEDIR}${PREFIX}/etc/sudo_logsrvd.conf ${STAGEDIR}${PREFIX}/etc/sudo_logsrvd.conf.sample
 	${RM} ${STAGEDIR}${PREFIX}/etc/sudoers
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/cvtsudoers
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/sudoreplay
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/sudo/sudo_intercept.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/sudo_logsrvd
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/sudo_sendlog
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/visudo
 .for f in audit_json.so group_file.so libsudo_util.so sudoers.so system_group.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/sudo/${f}
 .endfor
 
 post-install-PYTHON-on:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/sudo/python_plugin.so
 
 .include <bsd.port.mk>