When deploying a VM with a password-enabled template and the SSH keypair, the password is encrypted using the public key of the RSA keypair. In order to de-cipher the encrypted passwd you can use the getVMPassword API. This returns the password encrypted using the public-key used while creating the VM.
To decrypt:
Install openssl
$ yum install openssl*
$ openssl enc -base64 -in ciphertext -out binarytext -d -A $ openssl rsautl -decrypt -in binarytext -out plaintext -inkey YourKeyHere
ciphertext - it should contain the encrypted password returned by the getVMPassword API
private.pem - it should contain the private key of the keypair that was used while launching the VM.
Note that getVMPassword will only return an encrypted password if a sshkeypair is specified when launching a VM.