diff --git a/security/doas/Makefile b/security/doas/Makefile
index b354c7fe4..c0b6cf414 100644
--- a/security/doas/Makefile
+++ b/security/doas/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME= doas
 PORTVERSION= 6.2p4
+PORTREVISION= 1
 CATEGORIES= security
 
 MAINTAINER= jsmith@resonatingmedia.com
@@ -16,6 +17,10 @@ USES= gmake
 USE_GITHUB= yes
 GH_ACCOUNT= slicer69
 
+OPTIONS_DEFINE= PAM
+OPTIONS_DEFAULT=PAM
+PAM_CFLAGS+= -D USE_PAM
+
 MAKE_ENV+= TARGETPATH=-DGLOBAL_PATH='\"${_GLOBAL_PATH}\"'
 
 BINMODE= 4755
@@ -25,6 +30,8 @@ PLIST_FILES= bin/doas \
 man/man5/doas.conf.5.gz \
 man/man1/doas.1.gz
 
+PAM_PLIST_FILES+= "@sample etc/pam.d/doas.default etc/pam.d/doas"
+
 # These are upstream's default paths that are set for the GLOBAL_PATH variable
 # in doas.h since the 6.1 release. Those paths are then used for target user's
 # PATH variable instead of those of the original user.
@@ -39,4 +46,7 @@ do-install:
 ${INSTALL_MAN} ${WRKSRC}/doas.1 ${STAGEDIR}${MAN1PREFIX}/man/man1
 ${INSTALL_MAN} ${WRKSRC}/doas.conf.5 ${STAGEDIR}${MAN5PREFIX}/man/man5
 
+do-install-PAM-on:
+ ${INSTALL_DATA} ${FILESDIR}/pam.conf ${STAGEDIR}${PREFIX}/etc/pam.d/doas.default
+
 .include
diff --git a/security/doas/files/pam.conf b/security/doas/files/pam.conf
new file mode 100644
index 000000000..2c41e271e
--- /dev/null
+++ b/security/doas/files/pam.conf
@@ -0,0 +1,19 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "doas" service
+#
+
+# auth
+auth include system
+
+# account
+account include system
+
+# session
+# XXX: pam_lastlog (used in system) causes users to appear as though
+# they are no longer logged in in system logs.
+session required pam_permit.so
+
+# password
+password include system
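Review bot: `PAM_CFLAGS+= -D USE_PAM` in the options hunk (`@@ -16,6 +17,10 @@`) adds only the preprocessor define, and no PAM link flag appears anywhere in this diff, so a PAM-enabled build relies on upstream's Makefile linking libpam on its own. If it does not, `PAM_LDFLAGS+= -lpam` next to the define would cover it; building in a clean environment with the option on and off would settle the question. Because the binary is installed with `BINMODE= 4755` and PAM becomes the default, a one-line comment above the option such as `# PAM: authenticate through etc/pam.d/doas (shipped as a @sample)` would make the authentication path explicit. As a style point, `-DUSE_PAM` and `OPTIONS_DEFAULT= PAM` would match how the rest of the file is written.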
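Review bot: `session required pam_permit.so` in the new pam.conf replaces the whole `system` session stack to avoid the pam_lastlog side effect, so any other session modules a site has added to `system` are also skipped for doas; the XXX comment should say so explicitly. `auth include system` and `account include system` inherit the local policy unchanged, so any relaxation in the system stack (an empty-password allowance on pam_unix, for example, which is worth checking on the target release) also applies to privilege elevation through this setuid binary. I would add a comment above the auth line, `# inherits the system auth policy as-is; tighten etc/pam.d/doas if that is too permissive for privilege elevation`. The `password include system` line is presumably unused by doas and could be noted as such or dropped after checking upstream.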