diff --git a/command/ssh/login.go b/command/ssh/login.go
index fd34f808..de03509f 100644
--- a/command/ssh/login.go
+++ b/command/ssh/login.go
@@ -202,6 +202,7 @@ func loginAction(ctx *cli.Context) error {
 	// provisioner is responsible for setting default principals by using an
 	// identity function.
 	if email, ok := tokenHasEmail(token); ok {
+		principals = []string{}
 		subject = email
 	}
 
diff --git a/command/ssh/proxycommand.go b/command/ssh/proxycommand.go
index e808afc3..d9fcd2c4 100644
--- a/command/ssh/proxycommand.go
+++ b/command/ssh/proxycommand.go
@@ -147,6 +147,7 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
 	// provisioner is responsible for setting default principals by using an
 	// identity function.
 	if email, ok := tokenHasEmail(token); ok {
+		principals = []string{}
 		subject = email
 	}