diff --git a/NEWS b/NEWS
index 8913ef2bbcccb4ff14c09dc7e8beec6b6a502372..54b590d5913b746b5220d0738398ec243e4b9c49 100644
--- a/NEWS
+++ b/NEWS
@@ -3,7 +3,8 @@ unreleased (207x-xx-xx)
     [ssh] Change interface parameter. The parameter
     base::ssh::extra_gssapi_only_users has been renamed to
     base::ssh::extra_skip_duo_users to more accurately reflect what this
-    parameter does. [adamhl]
+    parameter does. Also, fix some whitespace messiness in
+    /etc/pam.d/sshd [adamhl]
 
 release/005.010 (2017-10-02)
 
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 5b148ad1c621ecfb434121996a7d88b13a23e915..22d1d449bbc825042f5bf8067065f6c456069bb8 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -9,16 +9,16 @@
 #    credential), then "jump over" the pam_duo module to step 3. If not,
 #    go to the next module in the stack (2).
 # 2. If the user is _not_ root, require Duo.
-<% if @pam_afs %>
-# 3. Set up the AFS session and then, whether the AFS sesssion setup works
-#    or not, quit the pam stack
-<% end %>
+<%- if @pam_afs -%>
+# 3. Set up the AFS session and then, whether the AFS session setup works
+#    or not, quit the pam stack.
+<%- end -%>
 
 auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
 auth    required                    pam_duo.so conf=/etc/security/pam_duo_ssh.conf
-<% if @pam_afs %>
+<%- if @pam_afs -%>
 auth    [success=done default=die]  pam_afs_session.so
-<% end %>
+<%- end -%>
 
 ##############################################################################
 # account
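Review bot: The header comment still sends root to "step 3", but step 3 and the `pam_afs_session.so` line are both rendered only when `@pam_afs` is set. With it unset, the `success=1` jump skips `pam_duo.so` and no auth module is left to return a result. What PAM then decides for root is not documented here and should be confirmed on a non-AFS host, then recorded outside the conditional, e.g. `# Without AFS there is no step 3: root skips Duo and the auth stack ends here.` The step 3 wording could also state the control values directly, e.g. `#    success ends the stack (done); any other result fails it (die).`, since "whether the AFS session setup works or not" hides that `default=die` is a hard failure. The comment block starts above the hunk, so the opening of step 1 is not visible here.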