diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index d708aa4..d9bad02 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1 +1 @@
-DIST sudo-1.8.31.tar.gz 3350674 BLAKE2B de5a968732fdd58933b4c513d13c43a08cb50075a00c3e0d338c9892570a416a2b3a8f19940c0893715f4eeab991e804831a87ef656ffd91e7f1ba047c119261 SHA512 b9e408a322938c7a712458e9012d8a5f648fba5b23a5057cf5d8372c7f931262595f1575c32c32b9cb1a04af670ff4611e7df48d197e5c4cc038d6b65439a28a
+DIST sudo-1.9.5p2.tar.gz 4012277 BLAKE2B 41913887463e4f775564af8d614fb5ed762200aa777dc789ec333842d4f432323474fc952a531fe929b33607cdfbcd18d7fe7470a15d67139deaf855841ed11f SHA512 f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27
diff --git a/app-admin/sudo/metadata.xml b/app-admin/sudo/metadata.xml
index 72faa06..a99f4f7 100644
--- a/app-admin/sudo/metadata.xml
+++ b/app-admin/sudo/metadata.xml
@@ -18,10 +18,6 @@
 		<flag name="sendmail">Allow sudo to send emails with sendmail</flag>
 		<flag name="sssd">Add System Security Services Daemon support</flag>
 		<flag name="secure-path">Replace PATH variable with compile time secure paths</flag>
-		<flag name="system-digest">
-			Use message digest functions from <pkg>dev-libs/libgcrypt</pkg>, <pkg>dev-libs/libressl</pkg>
-			or <pkg>dev-libs/openssl</pkg> instead of sudo's internal SHA2 implementation
-		</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
diff --git a/app-admin/sudo/sudo-1.8.31.ebuild b/app-admin/sudo/sudo-1.9.5_p2.ebuild
similarity index 91%
rename from app-admin/sudo/sudo-1.8.31.ebuild
rename to app-admin/sudo/sudo-1.9.5_p2.ebuild
index fa49076..da52a82 100644
--- a/app-admin/sudo/sudo-1.8.31.ebuild
+++ b/app-admin/sudo/sudo-1.9.5_p2.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-inherit pam multilib libtool tmpfiles
+inherit pam multilib libtool systemd tmpfiles
 
 MY_P="${P/_/}"
 MY_P="${MY_P/beta/b}"
@@ -30,10 +30,11 @@
 # 3-clause BSD license
 LICENSE="ISC BSD"
 SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
+IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
 
 DEPEND="
 	sys-libs/zlib:=
+	gcrypt? ( dev-libs/libgcrypt:= )
 	ldap? (
 		>=net-nds/openldap-2.1.30-r1
 		sasl? (
@@ -44,14 +45,11 @@
 	pam? ( sys-libs/pam )
 	sasl? ( dev-libs/cyrus-sasl )
 	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	sssd? ( sys-auth/sssd[sudo] )
-	system-digest? (
-		gcrypt? ( dev-libs/libgcrypt:= )
-		!gcrypt? (
-			!libressl? ( dev-libs/openssl:0= )
-			libressl? ( dev-libs/libressl:0= )
-		)
+	ssl? (
+		!libressl? ( dev-libs/openssl:0= )
+		libressl? ( dev-libs/libressl:0= )
 	)
+	sssd? ( sys-auth/sssd[sudo] )
 "
 RDEPEND="
 	${DEPEND}
@@ -64,13 +62,14 @@
 "
 BDEPEND="
 	sys-devel/bison
+	virtual/pkgconfig
 "
 
 S="${WORKDIR}/${MY_P}"
 
 REQUIRED_USE="
-	pam? ( !skey )
-	skey? ( !pam )
+	?? ( pam skey )
+	?? ( gcrypt ssl )
 "
 
 MAKEOPTS+=" SAMPLES="
@@ -130,6 +129,7 @@
 src_configure() {
 	local SECURE_PATH
 	set_secure_path
+	tc-export PKG_CONFIG
 
 	# audit: somebody got to explain me how I can test this before I
 	# enable it.. - Diego
@@ -137,36 +137,34 @@
 	# until `make` time, so we have to use a full path here rather than
 	# basing off other values.
 	myeconfargs=(
-		--enable-zlib=system
+		# requires some python eclass
+		--disable-python
 		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+		--enable-zlib=system
 		--with-editor="${EPREFIX}"/usr/libexec/editor
 		--with-env-editor
 		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
 		--with-rundir="${EPREFIX}"/run/sudo
-		$(use_with secure-path secure-path "${SECURE_PATH}")
 		--with-vardir="${EPREFIX}"/var/db/sudo
 		--without-linux-audit
 		--without-opie
 		$(use_enable gcrypt)
 		$(use_enable nls)
 		$(use_enable sasl)
+		$(use_enable ssl openssl)
+		$(use_with ldap)
+		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
 		$(use_with offensive insults)
 		$(use_with offensive all-insults)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with ldap)
 		$(use_with pam)
-		$(use_with skey)
-		$(use_with sssd)
+		$(use_with pam pam-login)
+		$(use_with secure-path secure-path "${SECURE_PATH}")
 		$(use_with selinux)
 		$(use_with sendmail)
+		$(use_with skey)
+		$(use_with sssd)
 	)
 
-	if use system-digest && ! use gcrypt; then
-		myeconfargs+=("--enable-openssl")
-	else
-		myeconfargs+=("--disable-openssl")
-	fi
-
 	econf "${myeconfargs[@]}"
 }
 
@@ -200,8 +198,10 @@
 		insinto /etc/openldap/schema
 		newins doc/schema.OpenLDAP sudo.schema
 	fi
-
-	pamd_mimic system-auth sudo auth account session
+	if use pam; then
+		pamd_mimic system-auth sudo auth account session
+		pamd_mimic system-auth sudo-i auth account session
+	fi
 
 	keepdir /var/db/sudo/lectured
 	fperms 0700 /var/db/sudo/lectured
@@ -209,7 +209,7 @@
 
 	# Don't install into /run as that is a tmpfs most of the time
 	# (bug #504854)
-	rm -rf "${ED}"/run
+	rm -rf "${ED}"/run || die
 
 	find "${ED}" -type f -name "*.la" -delete || die #697812
 }
diff --git a/metadata/md5-cache/app-admin/sudo-1.8.31 b/metadata/md5-cache/app-admin/sudo-1.8.31
deleted file mode 100644
index 05b0175..0000000
--- a/metadata/md5-cache/app-admin/sudo-1.8.31
+++ /dev/null
@@ -1,15 +0,0 @@
-BDEPEND=sys-devel/bison >=app-portage/elt-patches-20170815
-DEFINED_PHASES=configure install postinst prepare
-DEPEND=sys-libs/zlib:= ldap? ( >=net-nds/openldap-2.1.30-r1 sasl? ( dev-libs/cyrus-sasl net-nds/openldap[sasl] ) ) pam? ( sys-libs/pam ) sasl? ( dev-libs/cyrus-sasl ) skey? ( >=sys-auth/skey-1.1.5-r1 ) sssd? ( sys-auth/sssd[sudo] ) system-digest? ( gcrypt? ( dev-libs/libgcrypt:= ) !gcrypt? ( !libressl? ( dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) )
-DESCRIPTION=Allows users or groups to run commands as other users
-EAPI=7
-HOMEPAGE=https://www.sudo.ws/
-IUSE=gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest
-KEYWORDS=*
-LICENSE=ISC BSD
-RDEPEND=sys-libs/zlib:= ldap? ( >=net-nds/openldap-2.1.30-r1 sasl? ( dev-libs/cyrus-sasl net-nds/openldap[sasl] ) ) pam? ( sys-libs/pam ) sasl? ( dev-libs/cyrus-sasl ) skey? ( >=sys-auth/skey-1.1.5-r1 ) sssd? ( sys-auth/sssd[sudo] ) system-digest? ( gcrypt? ( dev-libs/libgcrypt:= ) !gcrypt? ( !libressl? ( dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) ) >=app-misc/editor-wrapper-3 virtual/editor ldap? ( dev-lang/perl ) pam? ( sys-auth/pambase ) selinux? ( sec-policy/selinux-sudo ) sendmail? ( virtual/mta ) virtual/tmpfiles
-REQUIRED_USE=pam? ( !skey ) skey? ( !pam )
-SLOT=0
-SRC_URI=https://www.sudo.ws/sudo/dist/sudo-1.8.31.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.8.31.tar.gz
-_eclasses_=eutils	fcb2aa98e1948b835b5ae66ca52868c5	flag-o-matic	5d5921a298e95441da2f85be419894c0	libtool	f143db5a74ccd9ca28c1234deffede96	multilib	2477ebe553d3e4d2c606191fe6c33602	pam	3f746974e1cc47cabe3bd488c08cdc8e	tmpfiles	6170dc7770585fb3f16efdee789a3218	toolchain-funcs	605c126bed8d87e4378d5ff1645330cb
-_md5_=69c65c899b4c7a6d1c1d25a633984101
diff --git a/metadata/md5-cache/app-admin/sudo-1.9.5_p2 b/metadata/md5-cache/app-admin/sudo-1.9.5_p2
new file mode 100644
index 0000000..cd91ec1
--- /dev/null
+++ b/metadata/md5-cache/app-admin/sudo-1.9.5_p2
@@ -0,0 +1,15 @@
+BDEPEND=sys-devel/bison virtual/pkgconfig >=app-portage/elt-patches-20170815 virtual/pkgconfig
+DEFINED_PHASES=configure install postinst prepare
+DEPEND=sys-libs/zlib:= gcrypt? ( dev-libs/libgcrypt:= ) ldap? ( >=net-nds/openldap-2.1.30-r1 sasl? ( dev-libs/cyrus-sasl net-nds/openldap[sasl] ) ) pam? ( sys-libs/pam ) sasl? ( dev-libs/cyrus-sasl ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) sssd? ( sys-auth/sssd[sudo] )
+DESCRIPTION=Allows users or groups to run commands as other users
+EAPI=7
+HOMEPAGE=https://www.sudo.ws/
+IUSE=gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd
+KEYWORDS=*
+LICENSE=ISC BSD
+RDEPEND=sys-libs/zlib:= gcrypt? ( dev-libs/libgcrypt:= ) ldap? ( >=net-nds/openldap-2.1.30-r1 sasl? ( dev-libs/cyrus-sasl net-nds/openldap[sasl] ) ) pam? ( sys-libs/pam ) sasl? ( dev-libs/cyrus-sasl ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) sssd? ( sys-auth/sssd[sudo] ) >=app-misc/editor-wrapper-3 virtual/editor ldap? ( dev-lang/perl ) pam? ( sys-auth/pambase ) selinux? ( sec-policy/selinux-sudo ) sendmail? ( virtual/mta ) virtual/tmpfiles
+REQUIRED_USE=?? ( pam skey ) ?? ( gcrypt ssl )
+SLOT=0
+SRC_URI=https://www.sudo.ws/sudo/dist/sudo-1.9.5p2.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz
+_eclasses_=eutils	fcb2aa98e1948b835b5ae66ca52868c5	flag-o-matic	5d5921a298e95441da2f85be419894c0	libtool	f143db5a74ccd9ca28c1234deffede96	multilib	2477ebe553d3e4d2c606191fe6c33602	pam	3f746974e1cc47cabe3bd488c08cdc8e	systemd	71fd8d2065d102753fb9e4d20eaf3e9f	tmpfiles	6170dc7770585fb3f16efdee789a3218	toolchain-funcs	605c126bed8d87e4378d5ff1645330cb
+_md5_=3f4855f965de0c13c8feb60cd47657d2