Hello,
The keys are stored in user's home directory :
aarseniev@router> file list detail .ssh/known_hosts
-rw-r--r-- 1 remote 20 6786 Sep 17 22:00 /var/home/aarseniev/.ssh/known_hosts
total files: 1
aarseniev@router> file show /var/home/aarseniev/.ssh/known_hosts
10.11.12.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv9SAGs7HUq5xYUTn9X2svQdXGaEzg
<skip>
RSA1 vs RSA2 - if You disabled SSHv1 before accepting any remote key, then all keys should be RSA2.
If You are looking at automatically refreshing the keys, there isn't any such JUNOS feature as the key fingerprint must be verified manually.
If You are looking at key portability (i.e. when replacing the unit, You want the keys to be migrated as well with switch config) then have a look at https://www.juniper.net/documentation/en_US/junos12.1/topics/task/configuration/security-ssh-hostkeys-secure-copying.html#id-11583333
[edit]
aarseniev@router# set security ssh-known-hosts fetch-from-server 172.30.77.24
The authenticity of host '172.30.77.24 (172.30.77.24)' can't be established.
ECDSA key fingerprint is 8c:0e:62:c1:3c:42:15:19:48:15:f4:7a:e9:ed:c8:87.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.30.77.24' (ECDSA) to the list of known hosts.
[edit]
aarseniev@router# show | compare
[edit]
+ security {
+ ssh-known-hosts {
+ host 172.30.77.24 {
+ ecdsa-sha2-nistp256-key AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBmc6<skip>
+ }
+ }
+ }
After commit, your SSH key for remote host is stored in the local config and can be ported to a new unit.
HTH
Thanks
Alex