Well I have a solution. I wasn't expecting this to work (two ssh tunnels sort of 'back to back') but it does:-

On the boat system I do:-

    ssh -R 45678:localhost:80 myaccount@system.inthe.middle

and on my home system:-

    ssh -L 45678:shell.gridhost.co.uk:45678 myaccount@system.inthe.middle

then I can point my browser at localhost:45678 and it sees the apache server on the boat. It's as secure as I need. The boat has a passphraseless public key to log in to myaccount@system.inthe.middle so can connect unattended, the ssh process is kept going by a little utility called autossh that monitors it and restarts if necessary.
From my home system to myaccount@system.inthe.middle there's public key authentication with a passphrase protecting the key so it's "transparent" as long as I'm logged in. I can just fire off the ssh -L from my .xprofile.
As I say I hadn't realised that the two ssh tunnels would hook together so easily and painlessly, it just worked the first time I tried it and all I have to do in addition is add a couple of options to make it 'quieter' and everything is sorted.

Thanks for all the help and thoughts, I may well investigate the VPN approach in the longer term as it might well provide a lot of things that I need all in one go.

--
Chris Green
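An added example, not part of the original post: one way to limit what the boat's passphraseless key can do on system.inthe.middle, so that a copy of that key is only good for requesting the one reverse forward. The key string is a placeholder, the `boat-tunnel` alias and the `id_boat_tunnel` file name are assumed names, and `permitlisten` needs OpenSSH 7.8 or later on the middle host.

```conf
# ---- On system.inthe.middle: ~myaccount/.ssh/authorized_keys ----
# (one key per line; options come before the key type)
#
# restrict         disable pty, agent/X11 forwarding and all port forwarding
# port-forwarding  re-enable forwarding for this key only
# permitlisten     the only -R listener this key may request; ssh sends the
#                  name "localhost" when -R is given without a bind address
# command          forced command, so the key never yields a shell
#
# port-forwarding also re-enables -L style forwards for this key;
# permitopen="host:port" can be added to pin those as well.
restrict,port-forwarding,permitlisten="localhost:45678",command="/bin/false" ssh-ed25519 AAAA...PLACEHOLDER boat-unattended-key

# ---- On the boat: ~/.ssh/config ----
# Same tunnel as "ssh -R 45678:localhost:80 myaccount@system.inthe.middle",
# written as a host entry so autossh only needs the alias.
Host boat-tunnel
    HostName system.inthe.middle
    User myaccount
    # Assumed file name for the passphraseless key; offer only this key.
    IdentityFile ~/.ssh/id_boat_tunnel
    IdentitiesOnly yes
    RemoteForward 45678 localhost:80
    # Exit instead of idling if the listener cannot be set up,
    # so autossh notices and retries.
    ExitOnForwardFailure yes
    # Detect a dead link: after 3 missed replies 30 s apart, ssh exits.
    ServerAliveInterval 30
    ServerAliveCountMax 3
    RequestTTY no

# Started on the boat with (-N: forward only, no remote command;
# -M 0: rely on the ServerAlive settings above, not autossh's monitor port):
#   autossh -M 0 -N boat-tunnel
```

With the forced command in place the boat has to connect with `-N`, since any session it opened would run `/bin/false` and close.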