Unfortunately, this is not possible.
Reason: When performing password-based authentication, we actually have to construct an SSH message that contains the password. It is represented by an array of bytes, which is encrypted before being sent to the server. However, before the encryption, the array of bytes actually contains the password in plain text, compromising the value of using SecureString (we would have to use the
Marshal class ourselves). Unfortunately, we can't do anything about this - we have to represent use an array of bytes to represent SSH messages because byte is the only input .NET's
SecureString class should no longer be used. It's only secure if properly created and properly used (which is not possible with managed SFTP/SSH implementations, as described above). There is a proposal to make it obsolete in .NET 6.0.