Cache the password if SSH-keys are forbidden

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
12
down vote

favorite
1












I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?






ssh git







share|improve this question



















  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago














up vote
12
down vote

favorite
1












I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?






ssh git







share|improve this question



















  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago












up vote
12
down vote

favorite
1









up vote
12
down vote

favorite
1






1





I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?






ssh git







share|improve this question















I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?






ssh git




ssh git






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 21 mins ago









Braiam

4,00631850




4,00631850










asked 6 hours ago









user2667180

736




736







  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago












  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago







9




9




the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
– Matt Clark
3 hours ago





the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
– Matt Clark
3 hours ago





3




3




@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
– grawity
2 hours ago




@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
– grawity
2 hours ago




3




3




They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
– Joshua
2 hours ago




They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
– Joshua
2 hours ago










2 Answers
2






active

oldest

votes

















up vote
21
down vote



accepted










Connection reuse



SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




  1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



    $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
    foo@bar.example.com's password:


    You're back to the local shell.




  2. Start a new connection through the master:



    $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


    You're in.




  3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



    Host *
     ControlPath ~/.ssh/S.%r@%h:%p


You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




  1. Configuration in ~/.ssh/config:



    Host *
     ControlPath ~/.ssh/S.%r@%h:%p
     ControlMaster auto
     ControlPersist 15m



  2. First connection asks for password:



    $ ssh foo@bar.example.com
    foo@bar.example.com's password:
    [foo@bar:~]$ exit



  3. The second doesn't:



    $ ssh foo@bar.example.com
    [foo@bar:~]$ yay


To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



A similar method is supported by recent PuTTY versions.






share|improve this answer






















  • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
    – user2667180
    6 hours ago


















up vote
4
down vote













Use sshpass



sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



sshpass -p 'correct horse battery staple' ssh foo@host


However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host


This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



This approach is of course less secure than properly set up public key authentication, but you probably know that already.



It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "3"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1362894%2fcache-the-password-if-ssh-keys-are-forbidden%23new-answer', 'question_page');

    );

    Post as a guest

















    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    21
    down vote



    accepted










    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p
       ControlMaster auto
       ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.






    share|improve this answer






















    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago















    up vote
    21
    down vote



    accepted










    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p
       ControlMaster auto
       ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.






    share|improve this answer






















    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago













    up vote
    21
    down vote



    accepted







    up vote
    21
    down vote



    accepted






    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p
       ControlMaster auto
       ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.






    share|improve this answer














    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
       ControlPath ~/.ssh/S.%r@%h:%p
       ControlMaster auto
       ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 6 hours ago

























    answered 6 hours ago









    grawity

    219k32447513




    219k32447513











    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago

















    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago
















    thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
    – user2667180
    6 hours ago





    thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
    – user2667180
    6 hours ago













    up vote
    4
    down vote













    Use sshpass



    sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



    sshpass -p 'correct horse battery staple' ssh foo@host


    However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



    echo 'correct horse battery staple' > ~/.ssh/compute_password
    chmod go-rw ~/.ssh/compute_password
    sshpass -f ~/.ssh/compute_password ssh foo@host


    This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



    This approach is of course less secure than properly set up public key authentication, but you probably know that already.



    It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






    share|improve this answer
























      up vote
      4
      down vote













      Use sshpass



      sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



      sshpass -p 'correct horse battery staple' ssh foo@host


      However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



      echo 'correct horse battery staple' > ~/.ssh/compute_password
      chmod go-rw ~/.ssh/compute_password
      sshpass -f ~/.ssh/compute_password ssh foo@host


      This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



      This approach is of course less secure than properly set up public key authentication, but you probably know that already.



      It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






      share|improve this answer






















        up vote
        4
        down vote










        up vote
        4
        down vote









        Use sshpass



        sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



        sshpass -p 'correct horse battery staple' ssh foo@host


        However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



        echo 'correct horse battery staple' > ~/.ssh/compute_password
        chmod go-rw ~/.ssh/compute_password
        sshpass -f ~/.ssh/compute_password ssh foo@host


        This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



        This approach is of course less secure than properly set up public key authentication, but you probably know that already.



        It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






        share|improve this answer












        Use sshpass



        sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



        sshpass -p 'correct horse battery staple' ssh foo@host


        However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



        echo 'correct horse battery staple' > ~/.ssh/compute_password
        chmod go-rw ~/.ssh/compute_password
        sshpass -f ~/.ssh/compute_password ssh foo@host


        This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



        This approach is of course less secure than properly set up public key authentication, but you probably know that already.



        It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        marcelm

        1713




        1713



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1362894%2fcache-the-password-if-ssh-keys-are-forbidden%23new-answer', 'question_page');

            );

            Post as a guest
































































            Comments

            Post a Comment

            Popular posts from this blog

            Long meetings (6-7 hours a day): Being “babysat” by supervisor

            Image
            Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
            Read more

            Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
            Read more

            Confectionery

            Image
            Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
            Read more