diff --git a/command/ssh/login.go b/command/ssh/login.go
index 1f9cd530..302d856b 100644
--- a/command/ssh/login.go
+++ b/command/ssh/login.go
@@ -203,7 +203,7 @@ func loginAction(ctx *cli.Context) error {
 // NOTE: For OIDC tokens the subject should always be the email. The
 // provisioner is responsible for loading and setting the principals with
 // the application of an Identity function.
- if email, ok := tokenHasEmail(token); ok {
+ if email, ok := tokenEmail(token); ok {
 subject = email
 } else if subject == "" {
 // For non-oidc tokens we will use the token subject.
diff --git a/command/ssh/proxycommand.go b/command/ssh/proxycommand.go
index 76434dd5..1d533a05 100644
--- a/command/ssh/proxycommand.go
+++ b/command/ssh/proxycommand.go
@@ -148,7 +148,7 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
 // NOTE: For OIDC tokens the subject should always be the email. The
 // provisioner is responsible for loading and setting the principals with
 // the application of an Identity function.
- if email, ok := tokenHasEmail(token); ok {
+ if email, ok := tokenEmail(token); ok {
 subject = email
 }
 
diff --git a/command/ssh/ssh.go b/command/ssh/ssh.go
index f59f2510..b2590a72 100644
--- a/command/ssh/ssh.go
+++ b/command/ssh/ssh.go
@@ -240,9 +240,9 @@ func loginOnUnauthorized(ctx *cli.Context) (ca.RetryFunc, error) {
 }, nil
 }
 
-// tokenHasEmail returns if the token payload has an email address. This is
+// tokenEmail returns if the token payload has an email address. This is
 // mainly used on OIDC token.
-func tokenHasEmail(s string) (string, bool) {
+func tokenEmail(s string) (string, bool) {
 jwt, err := token.ParseInsecure(s)
 if err != nil {
 return "", false
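Review bot: The doc comment on `tokenEmail` in command/ssh/ssh.go still reads "returns if the token payload has an email address", which fits the old name and does not describe the `(string, bool)` results. The body calls `token.ParseInsecure`, whose name suggests the payload is read without signature verification, so the comment should tell callers the value is unverified. I would write `// tokenEmail returns the email address found in the token payload and reports whether one was present. The token is parsed with ParseInsecure, so the result is only a hint for choosing the subject and must not be treated as an authenticated identity.` The function body continues past the end of the hunk, so how the claim is extracted is not visible here.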