The login prompt should be shown again if the public key authentication fails. I don't see the issue with authorized_keys; it is OpenSSH server writing entries in there.

Quoting dan@…:

If you've never connected to a host using public key auth before, but would like all future connections to use it. You should be able to enable public key auth, point cyberduck to the priv/public keys. When you make your first connection you would be prompted for your username and password and upon successful auth then cyberduck would append your public key to the authorized_keys and reconnect using public key auth. This saves the user all the headache of doing this themselves manually. iSSH for the iPhone/iPad has similar functionality with a Transfer Public Key button.

For now, the user has to manually configure this. Refer to How to configure public key authentication.

Like ssh-copy-id.

DESCRIPTION
     ssh-copy-id is a script that uses ssh(1) to log into a remote machine (presumably using a login pass‐
     word, so password authentication should be enabled, unless you've done some clever use of multiple
     identities).  It assembles a list of one or more fingerprints (as described below) and tries to log in
     with each key, to see if any of them are already installed (of course, if you are not using
     ssh-agent(1) this may result in you being repeatedly prompted for pass-phrases).  It then assembles a
     list of those that failed to log in, and using ssh, enables logins with those keys on the remote
     server.  By default it adds the keys by appending them to the remote user's ~/.ssh/authorized_keys
     (creating the file, and directory, if necessary).  It is also capable of detecting if the remote system
     is a NetScreen, and using its ‘set ssh pka-dsa key ...’ command instead.