How can I help someone (like granny) over SSH who is behind a NAT router?

If your own computer can accept SSH connections, there is a way to use the technique that Pavlos G. linked to without an extra computer.

You first need an underprivileged* user that your friend will connect as:

sudo adduser reverse --shell /bin/false

Tell your friend to start the tunnel:

ssh -N -R 62222:localhost:22 reverse@lekensteyns-server

Then, on your own computer (lekensteyns-server), start the reverse connection:

ssh -p 62222 localhost

* I don't know enough about security to be able to advise on creating a suitably underprivileged user. That's probably something that should be covered in a separate question.

Based on your specific needs, i would probably:

1. Ask them to tell me the router's password
2. Login and setup port-forwarding for port 22 only
3. Connect through SSH (or SSH tunneling if you need extra ports opened) and get the job done.

I also forgot that you can try the reverse ssh tunnel, although this solution technically needs one more - middle - computer to work.

More info can be found here

I just usually set up an IPv6 tunnel (from sixxs.net or he.net) if they don't already have IPv6 and then that way the computer has a static address and I don't have to mess with NAT. I also like to set up key based authentication (then they don't have to tell you their password).

Sixxs has their own client that you use. It works behind almost any NAT, and automatically updates when the IPv4 address changes. They have instructions on how to set it up and it is packaged for Ubuntu.

Hurricane Electric uses a tunnel where IPv6 packages are sent as the payload of a IPv4 packet. Unlike Sixxs, no TCP/UDP is used. This means that the NAT you are behind has to support forwarding PROTOCOL 41 (not port) and only one computer behind the NAT can use it. The software to use a tunnel like this is built into Ubuntu.

For HE, I use something like this in /etc/network/interfaces:

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
     endpoint 216.218.226.238
     address  2001:470:a29f::2
     netmask  64
     ttl 64
     up ip -6 route add default dev he-ipv6
     down ip -6 route del default dev he-ipv6

The other thing you need to do is update your tunnel endpoint. Since you do not know when the External IP changes, you will have to just try to update the endpoint every few minutes. You could use something like this and run it from cron:

#!/bin/sh
echo -n "Hurricane Electric Proto-41 tunnel endpoint update: "
#(C) 2010 Erik B. Andersen This script is licensed under the latest version of the
# AGPL published by the Free Software Foundation at http://www.gnu.org/licenses/ .
####Set these for each different site#########
pass="passwordhere"
user_id="a765b8e2f474667dcb56e08c5f1aa05b"
tunnel_id="97817"
####Past here doesn't need to be changed######
wget -4 "https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=$(echo -n "${pass}" | md5sum | grep -o -E "[0-9a-fA-F]{32}")&user_id=${user_id}&tunnel_id=${tunnel_id}" -O /dev/null -o /dev/null --no-check-certificate
echo " Done"

Along the years, I developed a GUI to do exactly what the OP asks... except that it requires a ssh access to a third server with public IP, as suggested by Pavlos. You can find here the debian packages and the instructions:

http://pietrobattiston.it/reachme

Notice it (still) is not able to take care of the initial configuration - namely, you have to setup yourself the rsa keys for passwordless connection. Once set up, "reachthem" allows you to see whether "reachme" is connected, and to open an ssh shell/browse the filesystem/view the screen (experimental).

Clearly, you don't need a third computer if your computer itself has a public IP, as in the answer by ændrük. And clearly, the benefit of the GUI is that the remote user doesn't have to enter any command in a terminal... but part of this benefit is lost if the remote user has to install reachme. So I just always install and set up reachme to everybody I install Ubuntu to.