Its not the username that needs to match, its the principal. You can allow any principal for the root user, for example.

You can define principals when allowing a CA via authorized_keys, or you can configure allowed principals globally using sshd_config directives like AuthorizedPrincipals* .