The type of the password is ianach:crypt-hash, which means that it can either be a cleartext string, or hashed by one of three hash functions - if it is cleartext, there is no need to decrypt anything; if it is hashed, no, you can’t reasonably decrypt that.
For dynamic enable passwords you can start with just making the leaf password operational and implement a data provider. But since AAA is a bit special, this alone might not be enough; in that case I would try something like this:
1. Make the leaf password operational and declare a callpoint.
2. Register a data provider for that callpoint.
3. Have a callback that is invoked when a user is logging in. One option for that is an external authentication, another option might be audit or user session confd event callback - not really sure if that one would work for this purpose though, but it’s a bit easier to implement so I guess it is worth trying.
4. When that callback is invoked, reconfigure your data provider and call confd_aaa_reload - this will also invoke your data provider. Note that you will need another thread for handling the data provider callback.
That should be it: the user will log in with AAA reconfigured, so the new password setup should apply to them. But frankly, I cannot guarantee it would all work and that there are no hidden gotchas.
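An added example, not part of the original post and not ConfD code: a small parser that tells the forms of a crypt-hash value apart, using the patterns of the iana-crypt-hash typedef in RFC 7317. The function name, the result fields, and the sample values are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

B64 = r"[a-zA-Z0-9./]"  # alphabet used for salt and digest in crypt(3) strings

# One pattern per form allowed by the iana-crypt-hash typedef (RFC 7317).
_FORMS = [
    ("cleartext", re.compile(r"\$0\$(?P<clear>.*)", re.S)),
    ("md5", re.compile(rf"\$1\$(?P<salt>{B64}{{1,8}})\$(?P<digest>{B64}{{22}})")),
    ("sha-256", re.compile(
        rf"\$5\$(rounds=(?P<rounds>\d+)\$)?(?P<salt>{B64}{{1,16}})\$(?P<digest>{B64}{{43}})")),
    ("sha-512", re.compile(
        rf"\$6\$(rounds=(?P<rounds>\d+)\$)?(?P<salt>{B64}{{1,16}})\$(?P<digest>{B64}{{86}})")),
]


class CryptHash(NamedTuple):
    scheme: str                # "cleartext", "md5", "sha-256" or "sha-512"
    recoverable: bool          # True only when the value carries the password itself
    cleartext: Optional[str]   # set only for the $0$ form
    salt: Optional[str]
    rounds: Optional[int]      # explicit rounds= parameter, if present


def parse_crypt_hash(value: str) -> CryptHash:
    """Classify a crypt-hash leaf value; raise ValueError if it matches no form."""
    for scheme, rx in _FORMS:
        m = rx.fullmatch(value)
        if m:
            g = m.groupdict()
            rounds = g.get("rounds")
            return CryptHash(
                scheme=scheme,
                recoverable=(scheme == "cleartext"),
                cleartext=g.get("clear"),
                salt=g.get("salt"),
                rounds=int(rounds) if rounds else None,
            )
    raise ValueError("not a valid crypt-hash value")


if __name__ == "__main__":
    # Constructed sample values; the digests are filler of the right length.
    for sample in ("$0$enable-me",
                   "$1$abcdefgh$" + "A" * 22,
                   "$6$rounds=5000$saltsalt$" + "x" * 86):
        print(parse_crypt_hash(sample))
```

Only the `$0$` form yields the password; for the `$1$`, `$5$` and `$6$` forms the parser can report the scheme, salt and rounds, but the digest is one-way.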