bascule-oss/docs/quickstart.md
Tyler King 043b9b9bdc feat: bascule-shell — identity-aware shell with TPM attestation
New crate: bascule-shell (471 lines, 1.8MB binary)
  Login shell that detects identity + platform attestation at startup.
  Wraps bash/zsh/fish — operator works normally, identity travels with them.

Identity detection (priority order):
  1. Entra via WSL2 interop
  2. Azure CLI
  3. Kerberos TGT
  4. Cached OIDC token
  5. System user (fallback)

Platform attestation:
  TPM 2.0 PCR values via tpm2_pcrread (PCRs 0,1,2,7,10,14)
  IMA measurement log hash + count
  Keylime agent state
  Entra device compliance (WSL2 only)
  Composite SHA-256 hash over all evidence

Shell features:
  Banner with identity + attestation summary
  BASCULE_* env vars injected into inner shell
  --info mode for dry-run display
  --json mode for machine-readable output
  --exec mode for single-command execution
  Configurable via ~/.config/bascule/shell.toml

Tested on Fedora with real TPM 2.0:
  6 PCRs successfully read from hardware
  All env vars propagated to inner shell
  1.8MB binary, 0 substrate deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:47:46 -04:00


# Quick Start
## Option 1: Build from Source
```bash
git clone https://github.com/your-org/bascule.git
cd bascule
cargo build --release -p bascule-server
./target/release/bascule --config config/bascule.example.toml
```
In another terminal:
```bash
ssh -p 2222 localhost
```
## Option 2: Container Mode
```bash
# Build a curated shell image
docker build -t bascule-shell:k8s-ops images/k8s-ops/
# Create a config
cat > my-config.toml << 'TOML'
listen_addr = "0.0.0.0:2222"
[auth]
mode = "accept-all" # For testing only!
[container]
image = "bascule-shell:k8s-ops"
ephemeral = true
hardened = true
TOML
./target/release/bascule --config my-config.toml
```
## Option 3: Proxy Mode
```bash
cat > proxy-config.toml << 'TOML'
listen_addr = "0.0.0.0:2222"
[auth]
mode = "accept-all" # For testing only!
[proxy]
target_host = "192.168.1.100"
target_port = 22
target_key_path = "/path/to/key"
accept_target_host_key = true
TOML
./target/release/bascule --config proxy-config.toml
```
## Next Steps
- [Configuration Reference](configuration.md)
- [Authentication Setup](authentication.md)
- [Architecture Overview](architecture.md)
- [Container Images](../images/README.md)