Setting up a second port for Pennmush

Not really - Penn can only be configured to listen for normal connections on a single port. However, you can also have it set to listen on another port for SSL-encrypted connections, if you don't mind setting that up and the player in question is using a client that supports SSL connections. Not sure how much work it would be to hack in support for multiple ports, if you wanted to go that route - grep for TINYPORT in bsd.c if you want to try it.

If you're using a Linux or BSD-based system, you can create a tunnel. Probably one of the easiest ways to do so with a plain user account is to ssh to the same host to do port forwarding.

ssh -gN -L 0.0.0.0:NEW_PORT:127.0.0.1:MUSH_PORT localhost

Replace NEW_PORT with the new port you want your friend to connect to, and MUSH_PORT with the port your mush is running on.

Note that this has one caveat: Anybody connecting via NEW_PORT will look like they're logging in from localhost. So if you check WHO, then anyone logged in via NEW_PORT will have "localhost" or "127.0.0.1" as their source. Since this can bork sitelock stuff, I recommend only sharing NEW_PORT with those who need it, and not making it public. (Otherwise, a twink can connect via NEW_PORT, and you'll end up needing to block localhost.) - A good workaround for this might be to @sitelock 127.0.0.1=!create - Prevent anybody logging in locally from creating characters, but allow them to log in.