how to set up authentication for a central repository

Asked by dmuir

I'm trying to use bzr on my webhost as a central repository. I've got bazaar installed, but I can't figure out how to set it up so that only certain users can pull/push. Just to clarify, I've got this running on a shared host (Dreamhost).

I initially figured I could just add a bunch of ssh users, and then add them to a group. This seems to work, but requires me to install bzr for every user which is a pain. Is there a better way to handle this? With svn I'm able to set up a set of users for a particular repository, and access them via https. The documentation mentions a WebDAV plugin, but doesn't say much more than that.

Hope I can find a solution here, as I'd really like to move away from Subversion.

Question information

Language: English
Status: Solved
For: Bazaar
Assignee: No assignee
Solved by: dmuir
EmmaJane (emmajane) said :
#1

Does everyone need to have their own branch on the server, or are you using a centralized model (in which case a single spot on the server with users and group access should work)? If people are push/pulling from their own machines I'm not sure why each account would need to have Bazaar installed... can you describe your workflow as well?

dmuir (dmuir) said :
#2

Looks like I've figured it out.

bzr+ssh requires bzr to be installed for every user
http+webdav doesn't work with servers requiring authentication
(https://bugs.launchpad.net/bzr.webdav/+bug/72792)

BUT!

sftp works

To clarify what I've ended up doing* and to help any others who might be in the same boat:

1. I created a new group eg. "bzr_grp" (Dreamhost lets me do this in their web-panel)

2. I then created a new repository:
bzr init-repo repos

3. I then changed the group:
chgrp -R bzr_grp repos

4. I then used SGID to make sure all new files remain in the group:
chmod g+s repos

5. I can now use sftp to work with branches:
bzr init sftp://<email address hidden>/home/master-user/repos/new-branch

master-user is the account where you set up the repository (not the one you're logging in as).
Instead of using home, I could have used ~/../, but that looks a lot messier.

*I actually ended up making separate repositories for individual clients, but the workflow is the same
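
An added example, not part of the original post: a check that a shared repository set up with the steps above really keeps every entry in the shared group. `chmod g+s repos` without `-R` sets the SGID bit on the top-level directory only, so directories that `bzr init-repo` created before that step are reported by this audit. The function name `audit_shared_repo` and the report labels are hypothetical; `repos` and `bzr_grp` are the names used in the post.

```shell
#!/bin/sh
# audit_shared_repo DIR GROUP
# Prints one line per problem and returns 1 if any is found, 0 if the tree is clean.
audit_shared_repo() {
    repo=$1
    grp=$2
    report=$(
        # Entries that have left the shared group (GROUP may be a name or a numeric gid).
        find "$repo" ! -group "$grp" -print | sed 's/^/wrong-group: /'
        # Directories without SGID: entries created there take the creator's primary group.
        find "$repo" -type d ! -perm -2000 -print | sed 's/^/no-setgid: /'
        # Directories the group cannot write to: other group members cannot push there.
        find "$repo" -type d ! -perm -0020 -print | sed 's/^/no-group-write: /'
        # World-writable entries: write access is no longer limited to the group.
        find "$repo" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Run directly as: sh audit.sh repos bzr_grp
if [ "$#" -eq 2 ]; then
    audit_shared_repo "$1" "$2"
fi
```

Directories reported as `no-setgid` can be brought in line with `find repos -type d -exec chmod g+s {} +`, run by the account that owns the repository.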

baxissimo (wbaxter) said :
#3

Great info. This is *exactly* what I'm trying to do right now (right down to doing it on dreamhost).

One thing for dmuir: on dreamhost you can set up a subdomain like bzr.mydomain.com with / mapped to a particular subdirectory of your account. I've used that to set up a mercurial repo like hg.mydomain.com.

Thanks for writing out the steps to do this.

dmuir (dmuir) said :
#4

@EmmaJane:
I was getting errors about not finding bzr on the remote server when using bzr+ssh.
Bzr is installed in /home/master-user/bin, and so isn't automatically available. After looking through the user guide it seems that I can add the correct path to locations.conf, so will try that later.

@baxissimo:
Glad to hear it. Using a bzr subdomain is handy for public branches, but less so if you're only going to access it via ssh since you have to specify the full path. (unless I'm missing something)

To tell the truth, I ended up going the bzr-svn route in the end, simply because it worked without much fuss (especially since Dreamhost makes it so easy to work with svn repos). That and I couldn't figure out how to import from svn into bzr :-) Now that I get bzr a bit more, I'll be revisiting that soon.

baxissimo (wbaxter) said :
#5

@dmuir:
I hadn't realized the sub-domain trick only worked for http://. Oh well. That does dampen my enthusiasm for the bzr sftp:// approach a bit. Is webdav still unusable? I didn't see an obvious resolution to those two bugs you posted.

dmuir (dmuir) said :
#6

Have a look at http://doc.bazaar-vcs.org/bzr.dev/en/user-guide/index.html#ssh
sftp allows you to use /~/ which might help.

As for webdav, I haven't tried it since November, so don't know.
As far as I can tell bzr still can't handle a 401 response properly (all the bug reports I've seen say it's fixed, but I still get errors using the latest version), so probably not. Had similar issues with bzr-svn but ended up using svn+ssh to bypass the issues with using http.
I also never got around to asking dreamhost to modify the .htaccess file for webdav, so doing that might get things working for the other issue I was having with it. Let me know how you go.