diff --git a/users/googleauth.sls b/users/googleauth.sls
index 3f59c8f..22e5065 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -6,7 +6,7 @@ users_googleauth-package:
 pkg.installed:
 - name: {{ users.googleauth_package }}
 - require:
- - file: {{ users.googleauth_dir }}
+ - file: {{ users.googleauth_dir }}
 users_{{ users.googleauth_dir }}:
 file.directory:
@@ -19,11 +19,23 @@ users_{{ users.googleauth_dir }}:
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
 {%- if user.get('google_2fa', True) %}
+{%- set repl = '{0} {1} {2} {3} {4}{5}/{6}_{7} {8}\n{9}'.format(
+ 'auth',
+ '[success=done new_authtok_reqd=done default=die]',
+ 'pam_google_authenticator.so',
+ 'user=root',
+ 'secret=',
+ users.googleauth_dir,
+ '${USER}',
+ svc,
+ 'echo_verification_code',
+ '@include common-auth',
+ ) %}
 users_googleauth-pam-{{ svc }}-{{ name }}:
 file.replace:
 - name: /etc/pam.d/{{ svc }}
 - pattern: "^@include common-auth"
- - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+ - repl: "{{ repl }}"
 - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
 - backup: .bak
 {%- endif %}
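Review bot: The `\n` in the new `{%- set repl = '…{8}\n{9}'.format(` literal is, as far as I can tell, decoded by Jinja into a real line break before the YAML is parsed, whereas in the removed line it was an escape inside the double-quoted YAML scalar. A bare line break inside a double-quoted scalar is folded to a space, so `- repl: "{{ repl }}"` would likely write `@include common-auth` onto the end of the `pam_google_authenticator.so` line instead of keeping it as its own directive in `/etc/pam.d/{{ svc }}`. Because the `unless: grep pam_google_authenticator.so` guard then matches, a later run would not repair the file. Writing the separator as `\\n` in the format string, or rendering with `- repl: {{ repl | yaml_dquote }}`, should keep the two-line result; checking the rendered state and the resulting PAM file on a test host before rollout would confirm it.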