diff --git a/CHANGELOG.md b/CHANGELOG.md
index b57a840eb..a5a6b3c86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ### Changed

+- Do not create an identity token if it's not enabled (smallstep/cli#1495).
+
 ### Deprecated

 ### Removed
diff --git a/command/ssh/ssh.go b/command/ssh/ssh.go
index 45ef90f0d..24a4e8d87 100644
--- a/command/ssh/ssh.go
+++ b/command/ssh/ssh.go
@@ -187,6 +187,15 @@ func loginOnUnauthorized(ctx *cli.Context) (ca.RetryFunc, error) {
 return false
 }

+ // Check if client authentication is required.
+ version, err := client.Version()
+ if err != nil {
+ return fail(err)
+ }
+ if !version.RequireClientAuthentication {
+ return false
+ }
+
 // Generate OIDC token
 tok, err := flow.GenerateIdentityToken(ctx)
 if err != nil {
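Review bot: The `client.Version()` error path in the added block of command/ssh/ssh.go passes the raw error to `fail`, so a failed version lookup during the unauthorized-retry carries nothing that says which step failed. Wrapping it, e.g. `return fail(fmt.Errorf("error checking if client authentication is required: %w", err))`, would make that diagnosable, assuming `fmt` is already imported in this file, which the hunk does not show. The `return false` branch is the security-relevant one: the CA-advertised `RequireClientAuthentication` flag now gates whether an identity token is created at all, and a false value ends the retry so the original unauthorized response stands. A comment stating that intent, such as `// CA does not require client authentication: create no identity token and do not retry.`, would keep a later edit from turning this into a fall-through to `GenerateIdentityToken`. The retry closure begins and ends outside the hunk, so what `fail` does with the error is not visible here.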