The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Reference Material for SSH, VNC? (http://hintsforums.macworld.com/showthread.php?t=90342)

NovaScotian 06-06-2008 03:18 PM

Quote:

Originally Posted by Reacher (Post 474726)
Point of clarification: if you're trying to do this outside your LAN then substitute the 192.168.1.2 with your external IP or your dyndns (or equivalent) domain name.

Understood. I'm currently inside, so I'm using the static LAN address of the box.

baf 06-07-2008 06:33 AM

In /etc/sshd_config on the desktop, check for
AllowTcpForwarding without a hash mark first.
If you have
AllowTcpForwarding no
change no to yes.
If you don't have a line like that, add this:
AllowTcpForwarding yes

then retry:
ssh -L 55900:127.0.0.1:5900 user@192.168.1.2
and connecting with VNC.

NovaScotian 06-07-2008 10:56 AM

Owned by root -- opened in BBEdit, removed hash mark, saved (pw required by BBEdit's command line tools). I did this on the target then tried the command on the laptop and was connected to the target. Then in CotVNC I entered for host: 127.0.0.1:55900 (the target:the port) and the connection was successful. Thank you, thank you.

Now, to try this from outside my LAN, what ports have to be opened in my AirPort Extreme? Just TCP 5900?

baf 06-07-2008 12:10 PM

Quote:

Originally Posted by NovaScotian (Post 474869)
Now, to try this from outside my LAN, what ports have to be opened in my AirPort Extreme? Just TCP 5900?

No. TCP port 22.

What you have done now is first create a communication "pipe" from your laptop to the desktop, that communication goes to port 22.
The -L ... part makes ssh listen locally on port 55900 on your desktop.
What comes there gets sent over the already existing "pipe" to the desktop's sshd, and that one sends it to port 5900 on itself.
So only port 22 needs to be reachable for this to work.
The beauty of this is that you can have several of these -L ... in one command, so you can reach several services and/or internal computers with one single ssh command.

The meaning of that -L 55900:localhost:5900 is: listen here on 55900 and send it to localhost:5900 there, so it could as well be -L 55901:192.168.1.3:5900 to reach another computer inside your router on that one's port 5900.
Hope you understand this. If you don't have a VNC server running on your laptop you could instead use -L 5900:localhost:5900 and then you would connect the VNC client to just localhost, but I wanted to avoid the possibility that you had one running.

baf 06-07-2008 12:35 PM

Also, if you want, you could try with Meerkat again, as that missing "AllowTcpForwarding yes" made it impossible for it to succeed.
Unfortunately this can't be detected until something tries to use the tunnel. But Meerkat ought to have detected that when you used VNC, but it doesn't. I would have liked it to detect that "channel 3: open failed: administratively prohibited: open failed" and put up an error dialog.

NovaScotian 06-07-2008 12:56 PM

Quote:

Originally Posted by baf (Post 474881)
No. TCP port 22.

What you have done now is first create a communication "pipe" from your laptop to the desktop, that communication goes to port 22.
The -L ... part makes ssh listen locally on port 55900 on your desktop.
What comes there gets sent over the already existing "pipe" to the desktop's sshd, and that one sends it to port 5900 on itself.

That paragraph clarifies a lot of my misunderstandings of tunneling. Thank you.

Quote:

So only port 22 needs to be reachable for this to work.
Done -- Airport Extreme doesn't let you choose the number, but it does let you choose SSH as a service to be port forwarded.

Quote:

The beauty of this is that you can have several of these -L ... in one command, so you can reach several services and/or internal computers with one single ssh command.
I'd like to have one for 5901, but the VNC server on my G5 doesn't seem to recognize it (5901 is my second screen). Chicken of the VNC doesn't enable viewing the second screen, probably because the server isn't configured correctly.

Quote:

The meaning of that -L 55900:localhost:5900 is: listen here on 55900 and send it to localhost:5900 there, so it could as well be -L 55901:192.168.1.3:5900 to reach another computer inside your router on that one's port 5900.
Hope you understand this. If you don't have a VNC server running on your laptop you could instead use -L 5900:localhost:5900 and then you would connect the VNC client to just localhost, but I wanted to avoid the possibility that you had one running.
I do, finally. I'm also supposing that 55900 could be anything larger than 1024 and smaller than 64K. I guess I'm not running a server on the laptop; ssh -L 5900:localhost:5900 user@.... works too.

How is the built-in VNC server configured?

baf 06-07-2008 12:56 PM

Also, one extra flag that sometimes helps is -C; see this excerpt from man ssh:

Code:

-C      Requests compression of all data (including stdin, stdout,
            stderr, and data for forwarded X11 and TCP connections).  The
            compression algorithm is the same used by gzip(1), and the
            ``level'' can be controlled by the CompressionLevel option for
            protocol version 1.  Compression is desirable on modem lines and
            other slow connections, but will only slow down things on fast
            networks.  The default value can be set on a host-by-host basis
            in the configuration files; see the Compression option.

so a full line might be
ssh -C -L 55900:localhost:5900 xxx@yyy
But as they say, -C sometimes helps and sometimes slows things down.

baf 06-07-2008 01:10 PM

Quote:

Originally Posted by NovaScotian (Post 474888)
That paragraph clarifies a lot of my misunderstandings of tunneling. Thank you

You're welcome.

Quote:

Originally Posted by NovaScotian (Post 474888)
I'd like to have one for 5901, but the VNC server on my G5 doesn't seem to recognize it (5901 is my second screen). Chicken of the VNC doesn't enable viewing the second screen, probably because the server isn't configured correctly.

Read but not quite understood.
Warning: guesswork.
Have you tried to connect Chicken of the VNC to that computer's port 5901? What happens?

Quote:

Originally Posted by NovaScotian (Post 474888)
I do, finally. I'm also supposing that 55900 could be anything larger than 1024 and smaller than 64K.

Anything free in that range, yes. Check with:
netstat -naf inet | grep LISTEN
and you will get something like:
Code:

tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.1033         *.*                    LISTEN
tcp4       0      0  *.515                  *.*                    LISTEN

This means that ports 22, 631, 6000, 1033 and 515 are already used.

And if you really want to use a low port, you can do
sudo ssh -L low_number:remote_computer:remote_port user@server

Quote:

Originally Posted by NovaScotian (Post 474888)
How is the built-in VNC server configured?

Sorry don't know.
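As an added example that is not part of the thread: a small POSIX shell script that checks the two things baf's posts above depend on, the AllowTcpForwarding line actually in effect in sshd_config (a "#" copy of the line does nothing) and whether a candidate local port for -L already shows as LISTEN in netstat -naf inet output. The sshd_config fragment and the netstat lines are constructed samples embedded in the script, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the two prerequisites for
# "ssh -L 55900:127.0.0.1:5900 user@192.168.1.2": that sshd permits TCP
# forwarding and that the chosen local port is not already in use.
# Both inputs below are constructed samples so the script runs offline.

# Constructed sshd_config fragment: the "#" line is not in effect; the
# uncommented "no" is what sshd actually applies.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
Port 22
#AllowTcpForwarding yes
AllowTcpForwarding no
EOF
)

# Constructed "netstat -naf inet | grep LISTEN" output (BSD/macOS layout).
SAMPLE_NETSTAT=$(cat <<'EOF'
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN
EOF
)

# Print the effective AllowTcpForwarding value for sshd_config text on stdin.
# sshd honours the first uncommented keyword (Match blocks are ignored here);
# OpenSSH defaults to "yes" when the keyword is absent.
effective_tcp_forwarding() {
    awk 'tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }'
}

# Exit 0 if TCP port $1 already has a listener in the netstat text on stdin.
# The local-address column ends in ".<port>", e.g. "*.22" or "127.0.0.1.631".
port_in_use() {
    awk -v p="$1" '$6 == "LISTEN" { n = split($4, a, "[.]"); if (a[n] == p) hit = 1 }
         END { exit hit ? 0 : 1 }'
}

# Print the first port >= $1 that is free according to the netstat text in $2.
pick_local_port() {
    port=$1
    while printf '%s\n' "$2" | port_in_use "$port"; do
        port=$((port + 1))
    done
    echo "$port"
}

echo "AllowTcpForwarding in effect: $(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_tcp_forwarding)"
echo "free local port for -L: $(pick_local_port 55900 "$SAMPLE_NETSTAT")"
```

Run it against the real files with `effective_tcp_forwarding < /etc/sshd_config` and `netstat -naf inet | port_in_use 55900`; a result of "no" is exactly the case that produces the "administratively prohibited" channel error mentioned earlier in the thread.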

NovaScotian 06-07-2008 02:26 PM

A 5901 connection is simply refused.

Discovered that vnc://xxx.xxx.xxx.xxx/ will open the built-in screen sharing app. It has preferences, but doesn't seem to include an option for a second screen. Before the 10.5.3 upgrade, Chicken of the VNC showed the full screen with window sliders to access the second -- now it doesn't. I'll have to write an AppleScript to make certain that any window that opens on the second screen is moved to the first.

Thank you very much for these patient lessons in VNC via a tunnel. Much appreciated. Luleå university is well served.

incanus 06-17-2008 06:52 AM

Hi, I'm the developer of Meerkat. Sorry I'm a bit late to the scene. Where are you at with this now and is there some way that I can help? Also feel free to reach me at http://codesorcery.net/contact if you'd like to take it offline.

NovaScotian 06-17-2008 08:39 AM

Did you read baf's post #25 in this thread? At the end, I just wrote a shell script to open the tunnel, but haven't been away yet to test it remotely. Also haven't resolved the bi-directional issue.

