bascule-oss/docs/comparison.md
Tyler King 043b9b9bdc feat: bascule-shell — identity-aware shell with TPM attestation
New crate: bascule-shell (471 lines, 1.8MB binary)
  Login shell that detects identity + platform attestation at startup.
  Wraps bash/zsh/fish — operator works normally, identity travels with them.

Identity detection (priority order):
  1. Entra via WSL2 interop
  2. Azure CLI
  3. Kerberos TGT
  4. Cached OIDC token
  5. System user (fallback)

Platform attestation:
  TPM 2.0 PCR values via tpm2_pcrread (PCRs 0,1,2,7,10,14)
  IMA measurement log hash + count
  Keylime agent state
  Entra device compliance (WSL2 only)
  Composite SHA-256 hash over all evidence

Shell features:
  Banner with identity + attestation summary
  BASCULE_* env vars injected into inner shell
  --info mode for dry-run display
  --json mode for machine-readable output
  --exec mode for single-command execution
  Configurable via ~/.config/bascule/shell.toml

Tested on Fedora with real TPM 2.0:
  6 PCRs successfully read from hardware
  All env vars propagated to inner shell
  1.8MB binary, 0 substrate deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:47:46 -04:00

# Comparison
| Feature | Bascule | Teleport | Boundary | StrongDM |
|---------|---------|----------|----------|----------|
| License | Apache 2.0 | AGPL / Commercial | MPL / Commercial | Commercial |
| Agents required | No | Yes | Yes | Yes |
| Control plane | No | Required | Required | SaaS |
| Container sessions | Native | Via agents | No | No |
| AI Agent Identity | Native (Entra Agent ID) | No | No | No |
| Binary size | ~7MB | ~150MB | ~100MB | N/A (SaaS) |
| Auth | SSH keys, Entra Agent ID | OIDC, SAML, GitHub | OIDC, LDAP | SAML, OIDC |
| Session recording | Via SessionHandler | Built-in | Built-in | Built-in |
| Kubernetes | Any (pod) | Requires agent | Requires worker | SaaS |
| Extensibility | SessionHandler trait | Plugin system | No | No |
| Proxy mode | Built-in | Built-in | Built-in | SaaS |
| Config | Single TOML file | Complex YAML | Complex HCL | Web UI |
## When to choose Bascule
- You want a lightweight SSH proxy without a control plane
- You need ephemeral container sessions per connection
- You need AI agent identity (Entra Agent ID) alongside human SSH
- You want to extend the proxy with custom policy via a Rust trait
- You want Apache 2.0 licensing without AGPL constraints
- You want a single binary under 10MB
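The table and the list above refer to extending the proxy through the `SessionHandler` trait, but this page does not show that trait. The block below is an added example, not bascule's own API, sketching how a trait-based extension point can compose deny-by-default policies: each handler returns `Allow`, `Deny` or `Abstain`, any `Deny` wins, and a request nobody explicitly allowed is denied. It also shows the distinction the table draws between human SSH principals and AI agent principals, by giving agents exact-command grants and no interactive shell. Every name here (`Principal`, `SessionRequest`, `Decision`, `PolicyChain`, the `authorize` method) is this example's assumption; bascule's real trait may look different.

```rust
// Added example, not bascule's API. All type and method names are assumptions.

/// Who is connecting. `Agent` stands in for an Entra Agent ID principal.
#[derive(Debug, Clone, PartialEq)]
pub enum Principal {
    Human { user: String, key_fingerprint: String },
    Agent { agent_id: String },
}

pub struct SessionRequest {
    pub principal: Principal,
    pub target: String,          // host or container the session lands in
    pub command: Option<String>, // None means an interactive shell
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny(&'static str), Abstain }

/// The extension point: the proxy consults every handler before starting a session.
pub trait SessionHandler {
    fn authorize(&self, req: &SessionRequest) -> Decision;
}

/// Allowlist of (user, target) pairs for humans; abstains on agents.
pub struct HumanAllowlist { pub grants: Vec<(String, String)> }

impl SessionHandler for HumanAllowlist {
    fn authorize(&self, req: &SessionRequest) -> Decision {
        match &req.principal {
            Principal::Agent { .. } => Decision::Abstain,
            Principal::Human { user, .. } => {
                if self.grants.iter().any(|(u, t)| u == user && t == &req.target) { Decision::Allow }
                else { Decision::Deny("no grant for this user on this target") }
            }
        }
    }
}

/// Agents get exact (agent, target, command) grants and never an interactive shell.
pub struct AgentCommandGuard { pub grants: Vec<(String, String, String)> }

impl SessionHandler for AgentCommandGuard {
    fn authorize(&self, req: &SessionRequest) -> Decision {
        let agent_id = match &req.principal {
            Principal::Agent { agent_id } => agent_id,
            Principal::Human { .. } => return Decision::Abstain,
        };
        let cmd = match &req.command {
            Some(c) => c,
            None => return Decision::Deny("agents do not get an interactive shell"),
        };
        if self.grants.iter().any(|(a, t, c)| a == agent_id && t == &req.target && c == cmd) { Decision::Allow }
        else { Decision::Deny("agent command not allowlisted for this target") }
    }
}

/// Any Deny wins; an Allow is needed from at least one handler; all-abstain is a Deny.
pub struct PolicyChain { pub handlers: Vec<Box<dyn SessionHandler>> }

impl PolicyChain {
    pub fn decide(&self, req: &SessionRequest) -> Decision {
        let mut allowed = false;
        for h in &self.handlers {
            match h.authorize(req) {
                Decision::Deny(why) => return Decision::Deny(why),
                Decision::Allow => allowed = true,
                Decision::Abstain => {}
            }
        }
        if allowed { Decision::Allow } else { Decision::Deny("no handler granted access") }
    }
}

/// Constructed sample policy for the demo and tests.
pub fn demo_chain() -> PolicyChain {
    PolicyChain { handlers: vec![
        Box::new(HumanAllowlist { grants: vec![("alice".into(), "build-01".into())] }),
        Box::new(AgentCommandGuard { grants: vec![("ci-agent".into(), "build-01".into(), "make test".into())] }),
    ] }
}

pub fn human(user: &str, target: &str) -> SessionRequest {
    SessionRequest { principal: Principal::Human { user: user.into(), key_fingerprint: "SHA256:demo".into() },
                     target: target.into(), command: None }
}

pub fn agent(id: &str, target: &str, command: Option<&str>) -> SessionRequest {
    SessionRequest { principal: Principal::Agent { agent_id: id.into() },
                     target: target.into(), command: command.map(String::from) }
}

fn main() {
    let chain = demo_chain();
    println!("{:?}", chain.decide(&human("alice", "build-01")));
    println!("{:?}", chain.decide(&agent("ci-agent", "build-01", None)));
}
```

The `Abstain` variant is the part worth copying: a handler that returns `Allow` for requests outside its remit silently widens access when it is chained with others, whereas abstaining keeps the final decision deny-by-default until some handler positively grants it.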
## When to choose Teleport
- You need a full access management platform (SSH + K8s + DB + Web)
- You need built-in session recording with search
- You need desktop application access
- You have a large team and need role-based access at scale
- AGPL licensing is acceptable for your use case
## When to choose Boundary
- You're fully invested in the HashiCorp ecosystem
- You need dynamic credential injection
- You need multi-hop proxy chains
- MPL licensing works for your organization