SSH key-based authentication replaces password-based logins with a public/private key pair. Your private key stays on your local machine, while the public key is placed on every remote server you want to access. When you connect, the server challenges you to prove you hold the private key; if you can, you're in, no password needed. This is more secure than passwords because (a) brute-forcing a 256-bit key is computationally infeasible, (b) the private key never crosses the network, and (c) you can disable password auth entirely, eliminating the whole class of password-guessing attacks. On the RHCSA exam, you'll generate key pairs, deploy the public key to remote hosts, verify correct file permissions and SELinux contexts, and configure sshd_config to enforce key-only authentication.
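
The verification steps named above (file permissions, SELinux context, key-only settings in sshd_config) can be scripted; the following is an added example, not code from the original page. The function names and the fixture built by make_fixture are hypothetical and constructed for illustration, and the sshd_config reader is simplified: it does not follow Include files and stops at the first Match block.

```bash
# Added example, not from the original page: audit key-only SSH login pieces.
# check_perms DIR: 700 on the directory and 600 on authorized_keys are the
# conventional modes; sshd with StrictModes (default yes) rejects keys kept
# in group- or world-writable paths.
check_perms() {
    local dir=$1 rc=0
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "FAIL: $dir is not 700"; rc=1; }
    [ "$(stat -c %a "$dir/authorized_keys")" = 600 ] ||
        { echo "FAIL: $dir/authorized_keys is not 600"; rc=1; }
    return "$rc"
}

# context_ok CONTEXT: succeed if the SELinux type (third field) is ssh_home_t.
context_ok() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = ssh_home_t ]
}

# sshd_value FILE KEYWORD: print the first value given for KEYWORD. sshd uses
# the first occurrence and keywords are case-insensitive. Simplification:
# Include files are not followed and parsing stops at the first Match block.
sshd_value() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# key_only FILE: succeed only if password logins are off and keys are allowed.
key_only() {
    local rc=0
    # PasswordAuthentication defaults to yes, so an unset value also fails.
    [ "$(sshd_value "$1" PasswordAuthentication)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    # PubkeyAuthentication defaults to yes; only an explicit 'no' is a failure.
    [ "$(sshd_value "$1" PubkeyAuthentication)" != no ] ||
        { echo "FAIL: PubkeyAuthentication is 'no'"; rc=1; }
    return "$rc"
}

# make_fixture: build constructed sample input in a temp dir and print its path.
make_fixture() {
    local d; d=$(mktemp -d)
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    echo 'ssh-ed25519 AAAA...constructed alice@workstation' > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    printf '%s\n' '#PasswordAuthentication yes' 'passwordauthentication no' \
        'PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$d/sshd_config"
    echo "$d"
}
```

On a real host, run check_perms ~/.ssh, key_only /etc/ssh/sshd_config, and context_ok "$(stat -c %C ~/.ssh/authorized_keys)". As root, sshd -T prints the effective configuration with Include files resolved, and restorecon -Rv ~/.ssh resets a wrong SELinux context.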