bascule-oss/docs/comparison.md
Tyler King 043b9b9bdc feat: bascule-shell — identity-aware shell with TPM attestation
New crate: bascule-shell (471 lines, 1.8MB binary)
  Login shell that detects identity + platform attestation at startup.
  Wraps bash/zsh/fish — operator works normally, identity travels with them.

Identity detection (priority order):
  1. Entra via WSL2 interop
  2. Azure CLI
  3. Kerberos TGT
  4. Cached OIDC token
  5. System user (fallback)

Platform attestation:
  TPM 2.0 PCR values via tpm2_pcrread (PCRs 0,1,2,7,10,14)
  IMA measurement log hash + count
  Keylime agent state
  Entra device compliance (WSL2 only)
  Composite SHA-256 hash over all evidence

Shell features:
  Banner with identity + attestation summary
  BASCULE_* env vars injected into inner shell
  --info mode for dry-run display
  --json mode for machine-readable output
  --exec mode for single-command execution
  Configurable via ~/.config/bascule/shell.toml

Tested on Fedora with real TPM 2.0:
  6 PCRs successfully read from hardware
  All env vars propagated to inner shell
  1.8MB binary, 0 substrate deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:47:46 -04:00
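
As an added illustration (Python example written for this page, not code from the bascule-shell crate, which is Rust), here are the two startup steps the commit message describes: the identity probe chain with the system-user fallback, and the composite SHA-256 over the attestation evidence. The probe names, the canonical evidence layout, and the BASCULE_* variable names are assumptions; the PCR and IMA values are constructed, not read from hardware.

```python
"""Identity probe chain and composite attestation hash, as described in the
bascule-shell commit message. Example code; every name here is assumed."""
from __future__ import annotations

import hashlib
import json
from typing import Callable, Optional

# PCR indices from the commit message. Every one must be present, so a partial
# tpm2_pcrread fails closed instead of yielding a hash over fewer registers.
PCR_INDICES = (0, 1, 2, 7, 10, 14)

Probe = Callable[[], Optional[str]]


def resolve_identity(probes: list[tuple[str, Probe]], system_user: str) -> tuple[str, str]:
    """Try probes in priority order; the first non-empty answer wins.

    A probe that raises (tool missing, no credential cache) counts as
    'unavailable', so one broken source does not block login. The system
    user is the final fallback and is always labelled as such."""
    for source, probe in probes:
        try:
            ident = probe()
        except Exception:
            ident = None
        if ident:
            return source, ident
    return "system-user", system_user


def composite_attestation_hash(
    pcrs: dict[int, str],
    ima_log_hash: str,
    ima_count: int,
    keylime_state: str,
    device_compliance: Optional[str] = None,
) -> str:
    """SHA-256 over a canonical JSON encoding of all evidence.

    Canonical means a fixed PCR set and order, lowercase hex, sorted keys and
    no whitespace, so two readers of the same state agree on the digest.
    A source that does not apply (Entra device compliance outside WSL2) is
    encoded as null rather than dropped, so its absence is itself measured."""
    missing = [i for i in PCR_INDICES if i not in pcrs]
    if missing:
        raise ValueError(f"missing PCR values: {missing}")
    for i in PCR_INDICES:
        value = pcrs[i].lower()
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            raise ValueError(f"PCR {i} is not a 32-byte hex digest")
    evidence = {
        "pcrs": {str(i): pcrs[i].lower() for i in PCR_INDICES},
        "ima": {"log_sha256": ima_log_hash.lower(), "count": ima_count},
        "keylime": keylime_state,
        "entra_device_compliance": device_compliance,
    }
    canonical = json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def bascule_env(source: str, identity: str, attestation: str) -> dict[str, str]:
    """Variables to inject into the inner shell (assumed names)."""
    return {
        "BASCULE_IDENTITY": identity,
        "BASCULE_IDENTITY_SOURCE": source,
        "BASCULE_ATTESTATION": attestation,
    }


# Constructed sample evidence, not readings from real hardware.
SAMPLE_PCRS = {i: f"{i:02x}" * 32 for i in PCR_INDICES}
SAMPLE_IMA_HASH = "ab" * 32


def _azure_cli_missing() -> Optional[str]:
    raise FileNotFoundError("az: command not found")  # constructed failure


def startup_demo() -> dict[str, str]:
    """Run the chain with constructed probes: Entra and Azure CLI unavailable,
    a Kerberos TGT present, so later probes are never consulted."""
    probes = [
        ("entra-wsl2", lambda: None),
        ("azure-cli", _azure_cli_missing),
        ("kerberos", lambda: "operator@EXAMPLE.COM"),
        ("oidc-cache", lambda: "should-not-be-reached"),
    ]
    source, ident = resolve_identity(probes, system_user="operator")
    digest = composite_attestation_hash(SAMPLE_PCRS, SAMPLE_IMA_HASH, 1234, "registered")
    return bascule_env(source, ident, digest)


if __name__ == "__main__":
    for key, value in startup_demo().items():
        print(f"{key}={value}")
```

The design point worth noting is that the composite is only as meaningful as its canonical form: if PCR order, hex case, or an absent source could vary between runs, the same platform state would produce different digests and a verifier could not compare them.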


# Comparison

| Feature | Bascule | Teleport | Boundary | StrongDM |
|---|---|---|---|---|
| License | Apache 2.0 | AGPL / Commercial | MPL / Commercial | Commercial |
| Agents required | No | Yes | Yes | Yes |
| Control plane | No | Required | Required | SaaS |
| Container sessions | Native | Via agents | No | No |
| AI Agent Identity | Native (Entra Agent ID) | No | No | No |
| Binary size | ~7MB | ~150MB | ~100MB | N/A (SaaS) |
| Auth | SSH keys, Entra Agent ID | OIDC, SAML, GitHub | OIDC, LDAP | SAML, OIDC |
| Session recording | Via SessionHandler | Built-in | Built-in | Built-in |
| Kubernetes | Any (pod) | Requires agent | Requires worker | SaaS |
| Extensibility | SessionHandler trait | Plugin system | No | No |
| Proxy mode | Built-in | Built-in | Built-in | SaaS |
| Config | Single TOML file | Complex YAML | Complex HCL | Web UI |

## When to choose Bascule

- You want a lightweight SSH proxy without a control plane
- You need ephemeral container sessions per connection
- You need AI agent identity (Entra Agent ID) alongside human SSH
- You want to extend the proxy with custom policy via a Rust trait
- You want Apache 2.0 licensing without AGPL constraints
- You want a single binary under 10MB

## When to choose Teleport

- You need a full access management platform (SSH + K8s + DB + Web)
- You need built-in session recording with search
- You need desktop application access
- You have a large team and need role-based access at scale
- AGPL licensing is acceptable for your use case

## When to choose Boundary

- You're fully invested in the HashiCorp ecosystem
- You need dynamic credential injection
- You need multi-hop proxy chains
- MPL licensing works for your organization